/srv/irclogs.ubuntu.com/2017/06/15/#ubuntu-server.txt

00:21 <hehehe> good
00:21 <hehehe> be hungry
00:26 <hehehe> whats the common danger to give any kind of folder or file permission to public?
00:26 <hehehe> read is safe
00:26 <hehehe> write - they can try to load malicious code?
00:38 <patdk-l2> read is not safe
00:38 <patdk-l2> not if it contains a config file with your mysql permissions and stuff like that
00:39 <patdk-l2> write should NEVER be given
00:39 <sarnold> if you ever grant someone untrusted write access to a directory that basically means there's entire classes of tools that should never be used on that directory again
00:39 <sarnold> just about everything that traverses directory structures assumes they are operating on safe inputs
00:40 <sarnold> no tar, no rsync, etc.
00:40 <sarnold> while it is possible to safely implement tree walking routines in the face of malicious modifications I honestly can't say I know any tool offhand that does it correctly.
01:06 <hehehe> :)
01:07 <hehehe> sarnold: there's entire classes of tools that should never be used on that directory again
01:07 <hehehe> like what tools and why
01:08 <sarnold> hehehe: anything that works on directory trees
01:08 <hehehe> like?
01:08 <sarnold> no tree, no find, no tar, no ls -R, etc.
01:08 <sarnold> no du.
01:09 <hehehe> so if someone has write access how can they use find?
01:12 <hehehe> i just read open cart golden partner tutorial: "We recommend setting the permissions of config.php to 444. This will make the file as read-only." :D
01:12 <hehehe> lol
01:13 <hehehe> ehehe
01:13 <sarnold> hehehe: if you give someone else write access to a directory and you don't trust them then _YOU_ and _root_ do not get to use find
01:13 <patdk-l2> give find u+s rights :)
01:14 <sarnold> (don't give find setuid rights! :)
01:14 <patdk-l2> that is like the first thing I do on some of my systems
01:14 <sarnold> holy hell
01:14 <patdk-l2> is remove setuid and setgid to everything
01:14 <sarnold> oh okay
01:14 <sarnold> you scared me to death man
01:14 <patdk-l2> as there is no legit usecase for any of them
01:14 <patdk-l2> as user management and stuff are on another box
01:15 <sarnold> "did patdk really forget about -exec? and -delete?" :)
01:15 <patdk-l2> na :)
01:15 <patdk-l2> I really don't get apple
01:16 <patdk-l2> on this order confirmation email
01:16 <patdk-l2> they **** out my phone number
01:16 <patdk-l2> but left everything else, my address, and everything
01:16 <hehehe> remove setuid and setgid to everything - what is everything and how u do it?
01:16 <hehehe> :D
01:16 <patdk-l2> I think my phone number is the least of my worry
01:16 <hehehe> even credit card details?
01:16 <patdk-l2> use find :)
01:16 <patdk-l2> lucky, no cc details at all
01:17 <patdk-l2> if you remove setgid/setuid from everything, you will normally have a very broken system
01:17 <patdk-l2> sudo won't work, passwd won't work, sendmail won't work, ...
01:17 <hehehe> not good
01:18 <patdk-l2> but those are all things I had no issues with
01:18 <hehehe> ur idea is bad :D
01:18 <patdk-l2> not if it's a webserver
01:18 <patdk-l2> and NOTHING else
01:18 <hehehe> but how do u change pass?
01:18 <hehehe> without passwd
01:18 <patdk-l2> why would I?
01:18 <patdk-l2> passwords won't live on that box
01:18 <patdk-l2> if someone changed a password from there, it's hacked
01:18 <patdk-l2> passwords live in ldap
01:19 <hehehe> is there howto on it?
01:19 <hehehe> to read more :D
01:19 <patdk-l2> not really, it's more just knowing how everything works and what you can get away with
01:19 <patdk-l2> these days people generally use lxd/docker for these type of things
01:19 <patdk-l2> but I built this like 12 years ago
01:20 <patdk-l2> been moving it to lxc
01:20 <patdk-l2> but still keep the basics I always do, since no reason not to
01:22 <hehehe> how many times your server been hacked?
01:22 <hehehe> :D
01:22 <hehehe> none?
01:22 <patdk-l2> that depends
01:22 <patdk-l2> at least multiple times a day
01:22 <patdk-l2> but never rooted
01:22 <patdk-l2> I can't really secure customers stuff
01:22 <patdk-l2> but as long as they stay contained to the customer
01:23 <hehehe> so you offer hosting?
01:23 <patdk-l2> yes
01:23 <hehehe> files hotel or motel
01:23 <hehehe> :D
01:24 <hehehe> well this app opencart - uses some dirs like images etc to write and read, I set folder to 770 - however images wont show in checkout and also some ajax functions like menu dont work
01:24 <hehehe> most does work
01:24 <hehehe> maybe faulty code a bit?
01:25 <patdk-l2> you probably just need to make it group owned and set the group to writable
01:25 <patdk-l2> by whatever it runs under
01:25 <patdk-l2> likely php, and that is likely defaulted to www-data unless you changed it
01:25 <hehehe> I have done that
01:26 <hehehe> but set to group to writable hmm I done some of it
01:26 <patdk-l2> only folders it needs write access
01:26 <patdk-l2> like your images/tmp/... folders
01:26 <patdk-l2> 770 would be fine
01:26 <patdk-l2> as that is read+write+execute
01:29 <hehehe> yes
01:30 <hehehe> so I need to use setgid?
01:30 <patdk-l2> no
01:30 <hehehe> chmod g+s /image stuff like?
01:30 <patdk-l2> chmod g+w
01:30 <patdk-l2> and I hope you don't use /
01:30 <patdk-l2> that would be a very strange location for a image folder
01:31 <hehehe> its app/image :D
01:32 <hehehe> change mode to make it group writeable right?
01:33 <hehehe> like chmod g+w /app/image or /app/image/ ?
01:35 <hehehe> and how I can check existing things like that if any
01:35 <hehehe> ls -l does not seem to show them :D
01:45 <hehehe> patdk-l2: anyway I did run chmod g+s image etc etc
01:45 <hehehe> same story
01:46 <hehehe> dun
01:46 <hehehe> 770 means its writeable by group
01:46 <hehehe> why I need to use chmod g+w?
=== hehehe is now known as hehehe_offline
06:13 <lordievader> Good morning
07:11 <a_z0_9823> Hello, testing, first time IRC user..
07:13 <lordievader> o/
07:14 <a_z0_9823> anyone here familiar with email hosting?
10:04 <lms> Hello all. I'm having some issues setting up a simple kerberos environment. I've posted a serverfault question about it: https://serverfault.com/questions/855859/mit-kerberos-keeps-asking-for-password-when-authenticating-to-openssh . I'd really appreciate if anyone here could shed some light.
10:36 <sadsheep> hi$
10:36 <sadsheep> I would like to generate a .po file from an old one but this old po file is in a subfolder
10:37 <sadsheep> i'm using this cli
10:37 <sadsheep> msgmerge --no-wrap  --directory="../locales" -o ../locales/new.po  messages.po ./testersclub.pot
10:38 <sadsheep> but this does not run! OUTPUT: msgmerge: Erreur lors de l'ouverture de « messages.po » en lecture: Aucun fichier ou dossier de ce type
10:38 <sadsheep> please ?
11:34 <hehehe> hey hey
11:34 <hehehe> :D
11:37 <lordievader> o/
11:38 <hehehe> hi lordievader :)
11:38 <lordievader> Hey hehehe
11:38 <lordievader> How are you?
11:39 <hehehe> I nearly managed to wrestle all I want from a server - 1 thing left app writeable dirs like /images yet to work, and it was working on the other box (but I forgot how I made it work), using chmod 770
11:39 <hehehe> and I am fine
11:39 <hehehe> any idea how I can check what the issue is?
11:40 <lordievader> Is the party trying to write to that folder the owner or in the group?
11:40 <hehehe> in the group, not an owner
11:40 <hehehe> its root:www-data
11:40 <hehehe> and party writing is www-data
11:41 <lordievader> What I usually do is open a shell as that user and see if I can do it manually.
11:41 <hehehe> lordievader: like simply su as that user and copy file into dir in question?
11:42 <lordievader> For example, touch would be sufficient ;)
11:43 <hehehe> su www-data This account is currently not available.
11:43 <hehehe> why is that .. :)
11:44 <lordievader> Because it is disabled ;)
11:44 <lordievader> But there are ways around that: sudo -u www-data bash
11:45 <hehehe> bash: /root/.bashrc: Permission denied
11:47 <hehehe> ok it worked
11:51 <hehehe> lordievader: yes I was able to copy file to /images and create a file there
11:51 <hehehe> weird
11:52 <lordievader> Is the app running as some other user?
11:52 <hehehe> it should run via nginx as www-data, anyways to double check?
11:53 <lordievader> I don't know what you are running.
11:55 <hehehe> opencart a php app
11:55 <hehehe> it simply uses nginx and php fpm
11:57 <lordievader> Oh, but php-fpm runs as a different user, I though.
11:57 <lordievader> thought*
11:58 <hehehe> I checked php-fpm config - user www-data, group www-data
11:58 <lordievader> Hmmm
11:58 <hehehe> is that a right way to do it?
11:58 <lordievader> Then I do not really know what the problem is.
11:58 <lordievader> Yes
11:59 <hehehe> and in sockets owners listen mode 0660
12:01 <hehehe> ok I will check more :D
12:20 <hehehe> lordievader: PHP Warning:  fwrite() expects parameter 1 to be resource
12:20 <hehehe> hehe
12:20 <hehehe> I am getting closer to it
12:21 <lordievader> That sounds like an error in the program.
12:21 <hehehe> https://pastebin.com/ufV76bda
12:21 <lordievader> Could be a mismatch between target php version and installed php version.
12:22 <SlimG> Is it possible to stop mysql from creating the default files in the datadir when they are missing?
12:26 <hehehe> lordievader: many say delete cache
12:26 <hehehe> I googled the error
=== JanC is now known as Guest53242
=== JanC_ is now known as JanC
12:33 <hehehe> i think that can fix it :D
14:00 <DirtyCajun> so, NFS mount. If a single mount and moving files within that mount then there is no loss in speed over the lan. But 2 mounts that go to the same server would require the information to pass from mount a to mount b causing lan slowdown correct?
=== MAbeeTT_ is now known as MAbeeTT
14:05 <lordievader> Most likely, yes.
14:13 <DirtyCajun> lordievader, e.g. /parent/folder1 /parent/folder2 mount /parent as /parent and symlink folder1 and folder2 as /folder1 /folder2. then you can move files from folder1 to folder 2 with no loss of lan speed though right?
14:14 <DirtyCajun> ***from /folder1 to /folder2
14:16 <lordievader> Yes, they move stuff from the same mount.
14:17 <lordievader> As long as they do not traverse the boundary of the mount, you should be fine.
14:17 <DirtyCajun> wonderful.
14:49 <DirtyCajun> lordievader, nope. No cigar. Looks like if folder1 and folder2 are their own filesystems on the host server then nfs cannot traverse the subdirectories
14:50 <DirtyCajun> guess im gonna use SMB -,-
14:57 <Aison> can I define some default user and password for "mysqladmin"?
15:08 <DirtyCajun> Aison, what do you mean by default... its a tool
15:08 <DirtyCajun> you just want to be able to type in mysqladmin without typing a u or p?
15:18 <yeeve> Aison, a nice way of making the mysql tools easier to use is 'login paths'. Have you used .ssh/config file before?
15:19 <yeeve> Aison, I think by default it may already try `-uroot -p -hlocalhost` but I'm not 100% sure
15:35 <Aison> yeeve, DirtyCajun eg. when I try to install zoneminder, mysqladmin is used to create some database
15:35 <Aison> and because there is no username password defined, I get the error
15:36 <Aison> mysqladmin: connect to server at 'localhost' failed
15:36 <Aison> error: 'Access denied for user 'root'@'localhost' (using password: NO)'
15:36 <Aison> during apt-get install
15:39 <Aison> brb
15:49 <yeeve> Aison, by default it could be that MySQL is locked down so root cannot login. You need to change your MySQL setup so root without password can login to localhost.
15:52 <jamespage> anyone know whether the s390x autopkgtests run under LXD or under KVM?
15:58 <xnox> jamespage, lxd
15:58 <xnox> jamespage, or actually lxc.
15:58 <jamespage> xnox: oh
15:58 <xnox> jamespage, both armhf and s390x are containers, one is lxc the other is lxd.
15:59 <xnox> hence the two are "different" from everyone else, and between each other.
15:59 <jamespage> xnox: I'm trying to reproduce a s390x failure
15:59 <xnox> should be possible with local amd64 lxc / lxd runners.
15:59 <jamespage> have a lxd container on an s390x; can get test to fail...
15:59 <jamespage> :(
15:59 <jamespage> can't rather
15:59 <xnox> which package / test?
16:01 <jamespage> xnox: gnocchi
16:01 <jamespage> its been failing pretty consistently on that architecture
16:18 <jamespage> xnox: hmm when not running with security.privledged=True, I see a lot of systemd unit startup issues - "status=237/KEYRING"
16:20 * jamespage scratches his head
16:38 <xnox> jamespage, that one is a known regression in artful, yet to be fixed.
16:38 <jamespage> xnox: ah
16:43 <hallyn> rharper: cpaelzer: any plans on keeping https://launchpad.net/~ubuntu-virt/+archive/ubuntu/virt-daily-upstream updated?
16:43 <hallyn> (I don't have any, at least for now, sorry)
16:44 <hallyn> (wouldn't mind doing a rotating schedule for handling it if we want to do it as a team)
16:47 <cpaelzer> hallyn: to be honest I didn't even know it existed
16:47 <cpaelzer> hallyn: but if it is a no commitment as good as possible thing we could try to get it back to live again
16:48 <cpaelzer> hallyn: it is also not so daily anymore since a long time
16:50 <hallyn> cpaelzer: right, someone just complained about that which is why i bring it up
16:50 <cpaelzer> hallyn: I'm actually not here today (public holiday), but I added a card to not forget looking into it more seriously at https://trello.com/c/RdKlRFk2
16:50 <cpaelzer> hallyn: I'd reach out to you once I have taken a deeper look - ok ?
16:51 <hallyn> wtf is that - trello :)
16:51 <hallyn> sure. ttyl :)
16:51 <dpb1> hallyn: welcome to 2017
16:51 <hallyn> (I'm actually on vacation too :) - see you on relaxation island)
16:51 <dpb1> :)
16:51 <cpaelzer> hallyn: the Team is now "planning in the public space"
16:51 <hallyn> we used to do that on lp with blueprints :)
16:51 <hallyn> anyway - \o
16:51 <cpaelzer> hallyn: it is world readable like the blueprints were, yet more featureful
16:51 <dpb1> have a good vacation hallyn
16:51 <cpaelzer> hallyn: if you want to write dpb1 can make you an external Team member
16:52 <hallyn> sure why not
16:52 <hallyn> can see how it compares to atlassian and lp. maybe it rocks
16:53 <dpb1> will do
16:54 * cpaelzer is hiding again
18:49 <dpb1> yay https://github.com/boto/boto/issues/3739
18:50 <dpb1> now I just need to figure out how to get a change to the 2.44.0 upload re-uploaded...
18:59 <Capprentice> What to use for DNS ad filtering for a Metro ISP ?
19:00 <sarnold> Capprentice: I'd probably start with powerdns recursor and rpz https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor/
19:07 <jelly> where does one get an anti-advertising rbl anyway
=== bleepy_ is now known as bleepy
21:19 <drab> re
22:18 <adv-t> Hello all!
22:18 <adv-t> How do you do?
22:19 <adv-t> Wondering: How much space do you guys leave for your Ubuntu server installs?
22:19 <adv-t> I only have a 120GB SSD, and I'm planning to do some virtualization, so...
22:20 <dpb1> ya, virt is what takes up the room for sure
22:20 <adv-t> Yeah, I've got some more hard drives in there that I can "give" to the VMs, but I want all of the OSes/apps to be running off of the SSD, ideally.
22:21 <dpb1> I personally like to segregate my VM disk usage in some way
22:21 <adv-t> I was thinking 10GB pretty much each
22:21 <adv-t> Oh, yeah, ideally that'd be great.
22:21 <adv-t> And I may end up doing that, but I think that what I'm looking to do with my server + vms isn't really super disk intensive.
22:22 <sarnold> I see our IS guys having to clean up space on vms due to being short on space from time to time; I think they grumble about 10g roots
22:22 <drab> adv-t: about 10GB for a basic install of roots and then I export disks for data
22:22 <adv-t> This is why I asked! :D
22:23 <sarnold> if you're religious about the 'disks for data' then probably 10 gigs does work okay
22:23 <drab> it also depends what you're doing...
22:24 <adv-t> I think I'm pretty religious about disks for data.
22:24 <drab> for example, if you are doing qemu/kvm and you'll mostly use static images, then using a shared root + incrementals could dramatically reduce your data usage
22:24 <drab> same with lxd and something like overlayfs
22:24 <drab> but generally speaking everybody recommends against using snaps/immutables for prod because sooner or later things will drift enough you'll regret it
22:25 <sarnold> oh?
22:25 <drab> however ime if you know your workload well that can be really advantageous
22:26 <adv-t> I have a 120GB SSD that I wanted to use as the boot drive, and then I've got three VM's that I plan to build: One for my own files (SMB and such which will be located on a separate disk), one for an ethereum stratum proxy (I will store the full blockchain on a separate disk), and one for a web server for me to play around with.
22:27 <adv-t> Again, I figured that for the most part, it'd just be the OS and applications that "run" off of the SSD - data would be stored on separate disks.
22:27 <adv-t> This means I need to reinstall Ubuntu and redo my Xen VM. T_T
22:27 <drab> for that use case I think you've got plenty if you don't need to save up SSD space for future usage
22:28 <drab> if data is always on another disk for each VM, then 15GB is prolly safer
22:28 <adv-t> Yeah, I don't think I do. I figured 10GB partitions JUST to be extra conservative, but, shoot, it's not like I can't get a bigger SSD if I need.
22:28 <adv-t> I could do 15GB.
22:28 <adv-t> I just had this 120GB laying around, figured I'd put her to use.
22:29 <drab> most of my / start at about 4GB with all my
22:29 <drab> "basic sw" installed
22:29 <drab> so to my use case, 10GB is plenty
22:29 <drab> but I've run into some cases where it got tight
22:29 <drab> especially if you need to keep multiple kernels or source code around for some reason
22:30 <adv-t> i do like to tinker though.
22:30 <adv-t> i might need an ubuntu 16.04.2 vm just for that.
22:30 <adv-t> so i can blow that one up, and not nuke all my services.
22:31 <drab> fwiw, depending on your taste, I've moved 99% of my tinkering to lxd instead of VMs
22:32 <drab> but I'm also stubborn and refuse to use libvirt which would have made sticking with VMs probably a lot easier :P
22:32 <drab> so like I said, it's partly a taste thing
22:32 <drab> the real physical limit is how many "VMs" you need to tinker with and if you can pack those on the machine you have or not
22:33 <drab> containers will obviously pack a lot more
22:34 <jushur> you want to keep 20% of the drive free at all times, so it has good space to use for rewrites.
22:35 <adv-t> Because it's an SSD? Or just in general?
22:35 <jushur> due to SSD
22:35 <adv-t> Gotcha, yeah. Good idea.
22:35 <drab> lol
22:35 <jushur> performance will drop really fast if you fill it up
22:35 <adv-t> Does Ubuntu Server 16.04.2 do TRIM?
22:36 <drab> there was just a massive thread^Wflame about that on ZOL list
22:36 <adv-t> Like, automagically? Or do I need to set that up via cron?
22:36 <trippeh> on consumer ssds this is good advice.
22:36 <adv-t> It should be obvious by now that I am... learning... am nub
22:36 <jushur> actually "small" ssds in particular
22:37 <jushur> if you have a 240gb or bigger its less of an issue. as you tend to not actually fill them. while a 120 you easily fill
22:38 <trippeh> enterprise ssds tend to have like 40% unaddressable flash set off for spare/gc management so "filling up" is much less of an issue on those.
22:38 <jushur> yep
22:38 <jushur> is also why they seem faster than consumer ones
22:39 <jushur> and cost more
22:39 <drab> http://list.zfsonlinux.org/pipermail/zfs-discuss/2017-June/028440.html
22:39 <drab> just for reference
22:40 <drab> there's some good comments and myth busting
22:40 <drab> and I think people overall agree with the above, especially the distinction between enterprise vs consumer SSDs regarding overprovisioning
23:38 <sarnold> adv-t: if you use a filesystem that supports the fstrim ioctls crontab up fstrim..
