[00:21] <hehehe> good
[00:21] <hehehe> be hungry
[00:26] <hehehe> what's the common danger of giving any kind of folder or file permission to the public?
[00:26] <hehehe> read is safe
[00:26] <hehehe> write - they can try to load malicious code?
[00:38] <patdk-l2> read is not safe
[00:38] <patdk-l2> not if it contains a config file with your mysql permissions and stuff like that
[00:39] <patdk-l2> write should NEVER be given
[00:39] <sarnold> if you ever grant someone untrusted write access to a directory that basically means there's entire classes of tools that should never be used on that directory again
[00:39] <sarnold> just about everything that traverses directory structures assumes they are operating on safe inputs
[00:40] <sarnold> no tar, no rsync, etc.
[00:40] <sarnold> while it is possible to safely implement tree walking routines in the face of malicious modifications I honestly can't say I know any tool offhand that does it correctly.
[01:06] <hehehe> :)
[01:07] <hehehe> sarnold:  there's entire classes of tools that should never be used on that directory again
[01:07] <hehehe> like what tools and why
[01:08] <sarnold> hehehe: anything that works on directory trees
[01:08] <hehehe> like?
[01:08] <sarnold> no tree, no find, no tar, no ls -R, etc.
[01:08] <sarnold> no du.
[01:09] <hehehe> so if someone has write access how can they use find?
[01:12] <hehehe> i just read the open cart golden partner tutorial: "We recommend setting the permissions of config.php to 444. This will make the file read-only." :D
[01:12] <hehehe> lol
[01:13] <hehehe> ehehe
[01:13] <sarnold> hehehe: if you give someone else write access to a directory and you don't trust them then _YOU_ and _root_ do not get to use find
[01:13] <patdk-l2> give find u+s rights :)
[01:14] <sarnold> (don't give find setuid rights! :)
[01:14] <patdk-l2> that is like the first thing I do on some of my systems
[01:14] <sarnold> holy hell
[01:14] <patdk-l2> is remove setuid and setgid to everything
[01:14] <sarnold> oh okay
[01:14] <sarnold> you scared me to death man
[01:14] <patdk-l2> as there is no legit use case for any of them
[01:14] <patdk-l2> as user management and stuff are on another box
[01:15] <sarnold> "did patdk really forget about -exec? and -delete?" :)
[01:15] <patdk-l2> na :)
[01:15] <patdk-l2> I really don't get apple
[01:16] <patdk-l2> on this order confirmation email
[01:16] <patdk-l2> they **** out my phone number
[01:16] <patdk-l2> but left everything else, my address, and everything
[01:16] <hehehe> remove setuid and setgid to everything - what is everything and how do u do it?
[01:16] <hehehe> :D
[01:16] <patdk-l2> I think my phone number is the least of my worry
[01:16] <hehehe> even credit card details?
[01:16] <patdk-l2> use find :)
[01:16] <patdk-l2> lucky, no cc details at all
[01:17] <patdk-l2> if you remove setgid/setuid from everything, you will normally have a very broken system
[01:17] <patdk-l2> sudo won't work, passwd won't work, sendmail won't work, ...
[01:17] <hehehe> not good
[01:18] <patdk-l2> but those are all things I had no issues with
[01:18] <hehehe> ur idea is bad :D
[01:18] <patdk-l2> not if it's a webserver
[01:18] <patdk-l2> and NOTHING else
[01:18] <hehehe> but how do u change pass?
[01:18] <hehehe> without passwd
[01:18] <patdk-l2> why would I?
[01:18] <patdk-l2> passwords won't live on that box
[01:18] <patdk-l2> if someone changed a password from there, it's hacked
[01:18] <patdk-l2> passwords live in ldap
[01:19] <hehehe> is there howto on it?
[01:19] <hehehe> to read more :D
[01:19] <patdk-l2> not really, it's more just knowing how everything works and what you can get away with
[01:19] <patdk-l2> these days people generally use lxd/docker for these type of things
[01:19] <patdk-l2> but I build this like 12years ago
[01:20] <patdk-l2> been moving it to lxc
[01:20] <patdk-l2> but still keep the basics I always do, since no reason not to
[01:22] <hehehe> how many times your server been hacked?
[01:22] <hehehe> :D
[01:22] <hehehe> none?
[01:22] <patdk-l2> that depends
[01:22] <patdk-l2> at least multiple times a day
[01:22] <patdk-l2> but never rooted
[01:22] <patdk-l2> I can't really secure customers' stuff
[01:22] <patdk-l2> but as long as they stay contained to the customer
[01:23] <hehehe> so you offer hosting?
[01:23] <patdk-l2> yes
[01:23] <hehehe> files hotel or motel
[01:23] <hehehe> :D
[01:24] <hehehe> well this app opencart - uses some dirs like images etc to write and read, I set the folder to 770 - however images won't show in checkout and also some ajax functions like menu don't work
[01:24] <hehehe> most does work
[01:24] <hehehe> maybe faulty code a bit?
[01:25] <patdk-l2> you probably just need to make it group owned and set the group to writable
[01:25] <patdk-l2> by whatever it runs under
[01:25] <patdk-l2> likely php, and that is likely defaulted to www-data unless you changed it
[01:25] <hehehe> I have done that
[01:26] <hehehe> but set the group to writable, hmm, I've done some of it
[01:26] <patdk-l2> only folders it needs write access
[01:26] <patdk-l2> like your images/tmp/... folders
[01:26] <patdk-l2> 770 would be fine
[01:26] <patdk-l2> as that is read+write+execute
[01:29] <hehehe> yes
[01:30] <hehehe> so I need to use setgid?
[01:30] <patdk-l2> no
[01:30] <hehehe> chmod g+s /image stuff like?
[01:30] <patdk-l2> chmod g+w
[01:30] <patdk-l2> and I hope you don't use /
[01:30] <patdk-l2> that would be a very strange location for an image folder
[01:31] <hehehe> its app/image :D
[01:32] <hehehe> change mode to make it group writable right?
[01:33] <hehehe> like chmod g+w /app/image or /app/image/ ?
[01:35] <hehehe> and how I can check existing things like that if any
[01:35] <hehehe> ls -l does not seem to show them :D
[01:45] <hehehe> patdk-l2: anyway I did run chmod g+s image etc etc
[01:45] <hehehe> same story
[01:46] <hehehe> dun
[01:46] <hehehe> 770 means it's writable by group
[01:46] <hehehe> why I need to use chmod g+w?
[06:13] <lordievader> Good morning
[07:11] <a_z0_9823> Hello, testing, first time IRC user..
[07:13] <lordievader> o/
[07:14] <a_z0_9823> anyone here familiar with email hosting?
[10:04] <lms> Hello all. I'm having some issues setting up a simple kerberos environment. I've posted a serverfault question about it: https://serverfault.com/questions/855859/mit-kerberos-keeps-asking-for-password-when-authenticating-to-openssh . I'd really appreciate if anyone here could shed some light.
[10:36] <sadsheep> hi
[10:36] <sadsheep> I would like to generate a .po file from an old one, but this old po file is in a subfolder
[10:37] <sadsheep> i'm using this cli
[10:37] <sadsheep> msgmerge --no-wrap  --directory="../locales" -o ../locales/new.po  messages.po ./testersclub.pot
[10:38] <sadsheep> but this does not run! OUTPUT: msgmerge: Erreur lors de l'ouverture de « messages.po » en lecture: Aucun fichier ou dossier de ce type
[10:38] <sadsheep> please ?
[11:34] <hehehe> hey hey
[11:34] <hehehe> :D
[11:37] <lordievader> o/
[11:38] <hehehe> hi lordievader  :)
[11:38] <lordievader> Hey hehehe
[11:38] <lordievader> How are you?
[11:39] <hehehe> I nearly managed to wrestle all I want from a server - 1 thing left: app writable dirs like /images yet to work, and it was working on the other box (but I forgot how I made it work), using chmod 770
[11:39] <hehehe> and I am fine
[11:39] <hehehe> any idea how I can check what the issue is?
[11:40] <lordievader> Is the party trying to write to that folder the owner or in the group?
[11:40] <hehehe> in the group, not an owner
[11:40] <hehehe> it's root:www-data
[11:40] <hehehe> and party writing is www-data
[11:41] <lordievader> What I usually do is open a shell as that user and see if I can do it manually.
[11:41] <hehehe> lordievader: like simply su as that user and copy file into dir in question?
[11:42] <lordievader> For example, touch would be sufficient ;)
[11:43] <hehehe> su www-data: This account is currently not available.
[11:43] <hehehe> why is that .. :)
[11:44] <lordievader> Because it is disabled ;)
[11:44] <lordievader> But there are ways around that: sudo -u www-data bash
[11:45] <hehehe> bash: /root/.bashrc: Permission denied
[11:47] <hehehe> ok it worked
[11:51] <hehehe> lordievader: yes I was able to copy file to /images and create a file there
[11:51] <hehehe> weird
[11:52] <lordievader> Is the app running as some other user?
[11:52] <hehehe> it should run via nginx as www-data, any way to double check?
[11:53] <lordievader> I don't know what you are running.
[11:55] <hehehe> opencart a php app
[11:55] <hehehe> it simply uses nginx and php fpm
[11:57] <lordievader> Oh, but php-fpm runs as a different user, I though.
[11:57] <lordievader> thought*
[11:58] <hehehe> I checked php-fpm config - user www-data, group www-data
[11:58] <lordievader> Hmmm
[11:58] <hehehe> is that a right way to do it?
[11:58] <lordievader> Then I do not really know what the problem is.
[11:58] <lordievader> Yes
[11:59] <hehehe> and in sockets owners listen mode 0660
[12:01] <hehehe> ok I will check more :D
[12:20] <hehehe> lordievader: PHP Warning:  fwrite() expects parameter 1 to be resource
[12:20] <hehehe> hehe
[12:20] <hehehe> I am getting closer to it
[12:21] <lordievader> That sounds like an error in the program.
[12:21] <hehehe> https://pastebin.com/ufV76bda
[12:21] <lordievader> Could be a mismatch between target php version and installed php version.
[12:22] <SlimG> Is it possible to stop mysql from creating the default files in the datadir when they are missing?
[12:26] <hehehe> lordievader: many say delete cache
[12:26] <hehehe> I googled the error
[12:33] <hehehe> i think that can fix it :D
[14:00] <DirtyCajun> so, NFS mount. If a single mount and moving files within that mount then there is no loss in speed over the lan. But 2 mounts that go to the same server would require the information to pass from mount a to mount b causing lan slowdown correct?
[14:05] <lordievader> Most likely, yes.
[14:13] <DirtyCajun> lordievader, e.g. /parent/folder1 /parent/folder2 mount /parent as /parent and symlink folder1 and folder2 as /folder1 /folder2. then you can move files from folder1 to folder2 with no loss of lan speed though right?
[14:14] <DirtyCajun> ***from /folder1 to /folder2
[14:16] <lordievader> Yes, they move stuff from the same mount.
[14:17] <lordievader> As long as they do not traverse the boundary of the mount, you should be fine.
[14:17] <DirtyCajun> wonderful.
[14:49] <DirtyCajun> lordievader, nope. No cigar. Looks like if folder1 and folder2 are their own filesystems on the host server then nfs cannot traverse the subdirectories
[14:50] <DirtyCajun> guess im gonna use SMB -,-
[14:57] <Aison> can I define some default user and password for "mysqladmin"?
[15:08] <DirtyCajun> Aison, what do you mean by default... it's a tool
[15:08] <DirtyCajun> you just want to be able to type in mysqladmin without typing a u or p?
[15:18] <yeeve> Aison, a nice way of making the mysql tools easier to use is 'login paths'. Have you used .ssh/config file before?
[15:19] <yeeve> Aison, I think by default it may already try `-uroot -p -hlocalhost` but I'm not 100% sure
[15:35] <Aison> yeeve, DirtyCajun e.g. when I try to install zoneminder, mysqladmin is used to create some database
[15:35] <Aison> and because there is no username password defined, I get the error
[15:36] <Aison> mysqladmin: connect to server at 'localhost' failed
[15:36] <Aison> error: 'Access denied for user 'root'@'localhost' (using password: NO)'
[15:36] <Aison> during apt-get install
[15:39] <Aison> brb
[15:49] <yeeve> Aison, by default it could be that MySQL is locked down so root cannot login. You need to change your MySQL setup so root without password can login to localhost.
[15:52] <jamespage> anyone know whether the s390x autopkgtests run under LXD or under KVM?
[15:58] <xnox> jamespage, lxd
[15:58] <xnox> jamespage, or actually lxc.
[15:58] <jamespage> xnox: oh
[15:58] <xnox> jamespage, both armhf and s390x are containers, one is lxc the other is lxd.
[15:59] <xnox> hence the two are "different" from everyone else, and between each other.
[15:59] <jamespage> xnox: I'm trying to reproduce a s390x failure
[15:59] <xnox> should be possible with local amd64 lxc / lxd runners.
[15:59] <jamespage> have a lxd container on an s390x; can get test to fail...
[15:59] <jamespage> :(
[15:59] <jamespage> can't rather
[15:59] <xnox> which package / test?
[16:01] <jamespage> xnox: gnocchi
[16:01] <jamespage> its been failing pretty consistently on that architecture
[16:18] <jamespage> xnox: hmm when not running with security.privileged=True, I see a lot of systemd unit startup issues - "status=237/KEYRING"
[16:20]  * jamespage scratches his head
[16:38] <xnox> jamespage, that one is a known regression in artful, yet to be fixed.
[16:38] <jamespage> xnox: ah
[16:43] <hallyn> rharper: cpaelzer: any plans on keeping https://launchpad.net/~ubuntu-virt/+archive/ubuntu/virt-daily-upstream updated?
[16:43] <hallyn> (I don't have any, at least for now, sorry)
[16:44] <hallyn> (wouldn't mind doing a rotating schedule for handling it if we want to do it as a team)
[16:47] <cpaelzer> hallyn: to be honest I didn't even know it existed
[16:47] <cpaelzer> hallyn: but if it is a no-commitment, as-good-as-possible thing we could try to get it back to life again
[16:48] <cpaelzer> hallyn: it is also not so daily anymore, and hasn't been for a long time
[16:50] <hallyn> cpaelzer: right, someone just complained about that which is why i bring it up
[16:50] <cpaelzer> hallyn: I'm actually not here today (public holiday), but I added a card to not forget looking into it more seriously at https://trello.com/c/RdKlRFk2
[16:50] <cpaelzer> hallyn: I'd reach out to you once I have taken a deeper look - ok ?
[16:51] <hallyn> wtf is that - trello :)
[16:51] <hallyn> sure.  ttyl :)
[16:51] <dpb1> hallyn: welcome to 2017
[16:51] <hallyn> (I'm actually on vacation too :) - see you on relaxation island)
[16:51] <dpb1> :)
[16:51] <cpaelzer> hallyn: the Team is now "planning in the public space"
[16:51] <hallyn> we used to do that on lp with blueprints :)
[16:51] <hallyn> anyway - \o
[16:51] <cpaelzer> hallyn: it is world readable like the blueprints were, yet more featureful
[16:51] <dpb1> have a good vacation hallyn
[16:51] <cpaelzer> hallyn: if you want to write dpb1 can make you an external Team member
[16:52] <hallyn> sure why not
[16:52] <hallyn> can see how it compares to atlassian and lp.  maybe it rocks
[16:53] <dpb1> will do
[16:54]  * cpaelzer is hiding again
[18:49] <dpb1> yay https://github.com/boto/boto/issues/3739
[18:50] <dpb1> now I just need to figure out how to get a change to the 2.44.0 upload re-uploaded...
[18:59] <Capprentice> What to use for DNS ad filtering for a Metro ISP ?
[19:00] <sarnold> Capprentice: I'd probably start with powerdns recursor and rpz https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor/
[19:07] <jelly> where does one get an anti-advertising rbl anyway
[21:19] <drab> re
[22:18] <adv-t> Hello all!
[22:18] <adv-t> How do you do?
[22:19] <adv-t> Wondering:  How much space do you guys leave for your Ubuntu server installs?
[22:19] <adv-t> I only have a 120GB SSD, and I'm planning to do some virtualization, so...
[22:20] <dpb1> ya, virt is what takes up the room for sure
[22:20] <adv-t> Yeah, I've got some more hard drives in there that I can "give" to the VMs, but I want all of the OSes/apps to be running off of the SSD, ideally.
[22:21] <dpb1> I personally like to segregate my VM disk usage in some way
[22:21] <adv-t> I was thinking 10GB pretty much each
[22:21] <adv-t> Oh, yeah, ideally that'd be great.
[22:21] <adv-t> And I may end up doing that, but I think that what I'm looking to do with my server + vms isn't really super disk intensive.
[22:22] <sarnold> I see our IS guys having to clean up space on vms due to being short on space from time to time; I think they grumble about 10g roots
[22:22] <drab> adv-t: about 10GB for a basic install of roots and then I export disks for data
[22:22] <adv-t> This is why I asked!  :D
[22:23] <sarnold> if you're religious about the 'disks for data' then probably 10 gigs does work okay
[22:23] <drab> it also depends what you're doing...
[22:24] <adv-t> I think I'm pretty religious about disks for data.
[22:24] <drab> for example, if you are doing qemu/kvm and you'll mostly use static images, then using a shared root + incrementals could dramatically reduce your data usage
[22:24] <drab> same with lxd and something like overlayfs
[22:24] <drab> but generally speaking everybody recommends against using snaps/immutables for prod because sooner or later things will drift enough you'll regret it
[22:25] <sarnold> oh?
[22:25] <drab> however ime if you know your workload well that can be really advantageous
[22:26] <adv-t> I have a 120GB SSD that I wanted to use as the boot drive, and then I've got three VM's that I plan to build:  One for my own files (SMB and such which will be located on a separate disk), one for an ethereum stratum proxy (I will store the full blockchain on a separate disk), and one for a web server for me to play around with.
[22:27] <adv-t> Again, I figured that for the most part, it'd just be the OS and applications that "run" off of the SSD - data would be stored on separate disks.
[22:27] <adv-t> This means I need to reinstall Ubuntu and redo my Xen VM.  T_T
[22:27] <drab> for that use case I think you've got plenty if you don't need to save up SSD space for future usage
[22:28] <drab> if data is always on another disk for each VM, then 15GB is prolly safer
[22:28] <adv-t> Yeah, I don't think I do.  I figured 10GB partitions JUST to be extra conservative, but, shoot, it's not like I can't get a bigger SSD if I need.
[22:28] <adv-t> I could do 15GB.
[22:28] <adv-t> I just had this 120GB laying around, figured I'd put her to use.
[22:29] <drab> most of my / start at about 4GB with all my
[22:29] <drab> "basic sw" installed
[22:29] <drab> so to my use case, 10GB is plenty
[22:29] <drab> but I've ran into some cases where it got tight
[22:29] <drab> especially if you need to keep multiple kernels or source code around for some reason
[22:30] <adv-t> i do like to tinker though.
[22:30] <adv-t> i might need an ubuntu 16.04.2 vm just for that.
[22:30] <adv-t> so i can blow that one up, and not nuke all my services.
[22:31] <drab> fwiw, depending on your taste, I've moved 99% of my tinkering to lxd instead of VMs
[22:32] <drab> but I'm also stubborn and refuse to use libvirt which would have made sticking with VMs probably a lot easier :P
[22:32] <drab> so like I said, it's partly a taste thing
[22:32] <drab> the real physical limit is how many "VMs" you need to tinker with and if you can pack those on the machine you have or not
[22:33] <drab> containers will obviously pack a lot more
[22:34] <jushur> you want to keep 20% of the drive free at all times, so it has good space to use for rewrites.
[22:35] <adv-t> Because it's an SSD?  Or just in general?
[22:35] <jushur> due to SSD
[22:35] <adv-t> Gotcha, yeah.  Good idea.
[22:35] <drab> lol
[22:35] <jushur> performance will drop really fast if you fill it up
[22:35] <adv-t> Does Ubuntu Server 16.04.2 do TRIM?
[22:36] <drab> there was just a massive thread^Wflame about that on ZOL list
[22:36] <adv-t> Like, automagically?  Or do I need to set that up via cron?
[22:36] <trippeh> on consumer ssds this is good advice.
[22:36] <adv-t> It should be obvious by now that I am... learning... am nub
[22:36] <jushur> actually "small" ssds in particular
[22:37] <jushur> if you have a 240gb or bigger its less of an issue. as you tend to not actually fill them. while a 120 you easily fill
[22:38] <trippeh> enterprise ssds tend to have like 40% unaddressable flash set off for spare/gc management so "filling up" is much less of an issue on those.
[22:38] <jushur> yep
[22:38] <jushur> is also why they seem faster than consumer ones
[22:39] <jushur> and cost more
[22:39] <drab> http://list.zfsonlinux.org/pipermail/zfs-discuss/2017-June/028440.html
[22:39] <drab> just for reference
[22:40] <drab> there's some good comments and myth busting
[22:40] <drab> and I think people overall agree with the above, especially the distinction between enterprise vs consumer SSDs regarding overprovisioning
[23:38] <sarnold> adv-t: if you use a filesystem that supports the fstrim ioctls crontab up fstrim..