[00:21] good
[00:21] be hungry
[00:26] what's the common danger of giving any kind of folder or file permission to public?
[00:26] read is safe
[00:26] write - they can try to load malicious code?
[00:38] read is not safe
[00:38] not if it contains a config file with your mysql permissions and stuff like that
[00:39] write should NEVER be given
[00:39] if you ever grant someone untrusted write access to a directory that basically means there's entire classes of tools that should never be used on that directory again
[00:39] just about everything that traverses directory structures assumes they are operating on safe inputs
[00:40] no tar, no rsync, etc.
[00:40] while it is possible to safely implement tree walking routines in the face of malicious modifications I honestly can't say I know any tool offhand that does it correctly.
[01:06] :)
[01:07] sarnold: there's entire classes of tools that should never be used on that directory again
[01:07] like what tools and why
[01:08] hehehe: anything that works on directory trees
[01:08] like?
[01:08] no tree, no find, no tar, no ls -R, etc.
[01:08] no du.
[01:09] so if someone has write access how can they use find?
[01:12] i just read open cart golden partner tutorial: We recommend setting the permissions of config.php to 444. This will make the file read-only. :D
[01:12] lol
[01:13] ehehe
[01:13] hehehe: if you give someone else write access to a directory and you don't trust them then _YOU_ and _root_ do not get to use find
[01:13] give find u+s rights :)
[01:14] (don't give find setuid rights! :)
[01:14] that is like the first thing I do on some of my systems
[01:14] holy hell
[01:14] is remove setuid and setgid from everything
[01:14] oh okay
[01:14] you scared me to death man
[01:14] as there is no legit use case for any of them
[01:14] as user management and stuff are on another box
[01:15] "did patdk really forget about -exec? and -delete?" :)
[01:15] na :)
[01:15] I really don't get apple
[01:16] on this order confirmation email
[01:16] they **** out my phone number
[01:16] but left everything else, my address, and everything
[01:16] remove setuid and setgid from everything - what is everything and how do u do it?
[01:16] :D
[01:16] I think my phone number is the least of my worry
[01:16] even credit card details?
[01:16] use find :)
[01:16] lucky, no cc details at all
[01:17] if you remove setgid/setuid from everything, you will normally have a very broken system
[01:17] sudo won't work, passwd won't work, sendmail won't work, ...
[01:17] not good
[01:18] but those are all things I had no issues with
[01:18] ur idea is bad :D
[01:18] not if it's a webserver
[01:18] and NOTHING else
[01:18] but how do u change pass?
[01:18] without passwd
[01:18] why would I?
[01:18] passwords won't live on that box
[01:18] if someone changed a password from there, it's hacked
[01:18] passwords live in ldap
[01:19] is there a howto on it?
[01:19] to read more :D
[01:19] not really, it's more just knowing how everything works and what you can get away with
[01:19] these days people generally use lxd/docker for these type of things
[01:19] but I built this like 12 years ago
[01:20] been moving it to lxc
[01:20] but still keep the basics I always do, since no reason not to
[01:22] how many times has your server been hacked?
[01:22] :D
[01:22] none?
[01:22] that depends
[01:22] at least multiple times a day
[01:22] but never rooted
[01:22] I can't really secure customers' stuff
[01:22] but as long as they stay contained to the customer
[01:23] so you offer hosting?
[01:23] yes
[01:23] files hotel or motel
[01:23] :D
[01:24] well this app opencart - uses some dirs like images etc to write and read, I set folder to 770 - however images won't show in checkout and also some ajax functions like menu don't work
[01:24] most does work
[01:24] maybe faulty code a bit?
[01:25] you probably just need to make it group owned and set the group to writable
[01:25] by whatever it runs under
[01:25] likely php, and that is likely defaulted to www-data unless you changed it
[01:25] I have done that
[01:26] but set the group to writable hmm I did some of it
[01:26] only folders it needs write access to
[01:26] like your images/tmp/... folders
[01:26] 770 would be fine
[01:26] as that is read+write+execute
[01:29] yes
[01:30] so I need to use setgid?
[01:30] no
[01:30] chmod g+s /image stuff like?
[01:30] chmod g+w
[01:30] and I hope you don't use /
[01:30] that would be a very strange location for an image folder
[01:31] its app/image :D
[01:32] change mode to make it group writeable right?
[01:33] like chmod g+w /app/image or /app/image/ ?
[01:35] and how can I check existing things like that if any
[01:35] ls -l does not seem to show them :D
[01:45] patdk-l2: anyway I did run chmod g+s image etc etc
[01:45] same story
[01:46] dun
[01:46] 770 means it's writeable by group
[01:46] why do I need to use chmod g+w?
=== hehehe is now known as hehehe_offline
[06:13] Good morning
[07:11] Hello, testing, first time IRC user..
[07:13] o/
[07:14] anyone here familiar with email hosting?
[10:04] Hello all. I'm having some issues setting up a simple kerberos environment. I've posted a serverfault question about it: https://serverfault.com/questions/855859/mit-kerberos-keeps-asking-for-password-when-authenticating-to-openssh . I'd really appreciate it if anyone here could shed some light.
[10:36] hi
[10:36] I would like to generate a .po file from an old one but this old po file is in a subfolder
[10:37] i am using this cli
[10:37] msgmerge --no-wrap --directory="../locales" -o ../locales/new.po messages.po ./testersclub.pot
[10:38] but this does not run! OUTPUT : msgmerge: Erreur lors de l'ouverture de « messages.po » en lecture: Aucun fichier ou dossier de ce type
[10:38] please ?
[11:34] hey hey
[11:34] :D
[11:37] o/
[11:38] hi lordievader :)
[11:38] Hey hehehe
[11:38] How are you?
[11:39] I nearly managed to wrestle all I want from a server - 1 thing left, app writeable dirs like /images yet to work, and it was working on the other box (but I forgot how I made it work), using chmod 770
[11:39] and I am fine
[11:39] any idea how I can check what the issue is?
[11:40] Is the party trying to write to that folder the owner or in the group?
[11:40] in the group, not an owner
[11:40] its root:www-data
[11:40] and the party writing is www-data
[11:41] What I usually do is open a shell as that user and see if I can do it manually.
[11:41] lordievader: like simply su as that user and copy a file into the dir in question?
[11:42] For example, touch would be sufficient ;)
[11:43] su www-data This account is currently not available.
[11:43] why is that .. :)
[11:44] Because it is disabled ;)
[11:44] But there are ways around that: sudo -u www-data bash
[11:45] bash: /root/.bashrc: Permission denied
[11:47] ok it worked
[11:51] lordievader: yes I was able to copy a file to /images and create a file there
[11:51] weird
[11:52] Is the app running as some other user?
[11:52] it should run via nginx as www-data, any way to double check?
[11:53] I don't know what you are running.
[11:55] opencart a php app
[11:55] it simply uses nginx and php fpm
[11:57] Oh, but php-fpm runs as a different user, I though.
[11:57] thought*
[11:58] I checked php-fpm config - user www-data, group www-data
[11:58] Hmmm
[11:58] is that the right way to do it?
[11:58] Then I do not really know what the problem is.
[11:58] Yes
[11:59] and in sockets owners listen mode 0660
[12:01] ok I will check more :D
[12:20] lordievader: PHP Warning: fwrite() expects parameter 1 to be resource
[12:20] hehe
[12:20] I am getting closer to it
[12:21] That sounds like an error in the program.
[12:21] https://pastebin.com/ufV76bda
[12:21] Could be a mismatch between target php version and installed php version.
[12:22] Is it possible to stop mysql from creating the default files in the datadir when they are missing?
[12:26] lordievader: many say delete cache
[12:26] I googled the error
=== JanC is now known as Guest53242
=== JanC_ is now known as JanC
[12:33] i think that can fix it :D
[14:00] so, NFS mount. If a single mount and moving files within that mount then there is no loss in speed over the lan. But 2 mounts that go to the same server would require the information to pass from mount a to mount b causing lan slowdown correct?
=== MAbeeTT_ is now known as MAbeeTT
[14:05] Most likely, yes.
[14:13] lordievader, e.g. /parent/folder1 /parent/folder2 mount /parent as /parent and symlink folder1 and folder2 as /folder1 /folder2. then you can move files from folder1 to folder2 with no loss of lan speed though right?
[14:14] ***from /folder1 to /folder2
[14:16] Yes, they move stuff from the same mount.
[14:17] As long as they do not traverse the boundary of the mount, you should be fine.
[14:17] wonderful.
[14:49] lordievader, nope. No cigar. Looks like if folder1 and folder2 are their own filesystems on the host server then nfs cannot traverse the subdirectories
[14:50] guess im gonna use SMB -,-
[14:57] can I define some default user and password for "mysqladmin"?
[15:08] Aison, what do you mean by default... it's a tool
[15:08] you just want to be able to type in mysqladmin without typing a u or p?
[15:18] Aison, a nice way of making the mysql tools easier to use is 'login paths'. Have you used .ssh/config file before?
[15:19] Aison, I think by default it may already try `-uroot -p -hlocalhost` but I'm not 100% sure
[15:35] yeeve, DirtyCajun eg. when I try to install zoneminder, mysqladmin is used to create some database
[15:35] and because there is no username password defined, I get the error
[15:36] mysqladmin: connect to server at 'localhost' failed
[15:36] error: 'Access denied for user 'root'@'localhost' (using password: NO)'
[15:36] during apt-get install
[15:39] brb
[15:49] Aison, by default it could be that MySQL is locked down so root cannot login. You need to change your MySQL setup so root without password can login to localhost.
[15:52] anyone know whether the s390x autopkgtests run under LXD or under KVM?
[15:58] jamespage, lxd
[15:58] jamespage, or actually lxc.
[15:58] xnox: oh
[15:58] jamespage, both armhf and s390x are containers, one is lxc the other is lxd.
[15:59] hence the two are "different" from everyone else, and between each other.
[15:59] xnox: I'm trying to reproduce a s390x failure
[15:59] should be possible with local amd64 lxc / lxd runners.
[15:59] have a lxd container on an s390x; can get test to fail...
[15:59] :(
[15:59] can't rather
[15:59] which package / test?
[16:01] xnox: gnocchi
[16:01] its been failing pretty consistently on that architecture
[16:18] xnox: hmm when not running with security.privileged=True, I see a lot of systemd unit startup issues - "status=237/KEYRING"
[16:20] * jamespage scratches his head
[16:38] jamespage, that one is a known regression in artful, yet to be fixed.
[16:38] xnox: ah
[16:43] rharper: cpaelzer: any plans on keeping https://launchpad.net/~ubuntu-virt/+archive/ubuntu/virt-daily-upstream updated?
[16:43] (I don't have any, at least for now, sorry)
[16:44] (wouldn't mind doing a rotating schedule for handling it if we want to do it as a team)
[16:47] hallyn: to be honest I didn't even know it existed
[16:47] hallyn: but if it is a no commitment as good as possible thing we could try to get it back to life again
[16:48] hallyn: it is also not so daily anymore since a long time
[16:50] cpaelzer: right, someone just complained about that which is why i bring it up
[16:50] hallyn: I'm actually not here today (public holiday), but I added a card to not forget looking into it more seriously at https://trello.com/c/RdKlRFk2
[16:50] hallyn: I'd reach out to you once I have taken a deeper look - ok ?
[16:51] wtf is that - trello :)
[16:51] sure. ttyl :)
[16:51] hallyn: welcome to 2017
[16:51] (I'm actually on vacation too :) - see you on relaxation island)
[16:51] :)
[16:51] hallyn: the Team is now "planning in the public space"
[16:51] we used to do that on lp with blueprints :)
[16:51] anyway - \o
[16:51] hallyn: it is world readable like the blueprints were, yet more featureful
[16:51] have a good vacation hallyn
[16:51] hallyn: if you want to write dpb1 can make you an external Team member
[16:52] sure why not
[16:52] can see how it compares to atlassian and lp. maybe it rocks
[16:53] will do
[16:54] * cpaelzer is hiding again
[18:49] yay https://github.com/boto/boto/issues/3739
[18:50] now I just need to figure out how to get a change to the 2.44.0 upload re-uploaded...
[18:59] What to use for DNS ad filtering for a Metro ISP ?
[19:00] Capprentice: I'd probably start with powerdns recursor and rpz https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor/
[19:07] where does one get an anti-advertising rbl anyway
=== bleepy_ is now known as bleepy
[21:19] re
[22:18] Hello all!
[22:18] How do you do?
[22:19] Wondering: How much space do you guys leave for your Ubuntu server installs?
[22:19] I only have a 120GB SSD, and I'm planning to do some virtualization, so...
[22:20] ya, virt is what takes up the room for sure
[22:20] Yeah, I've got some more hard drives in there that I can "give" to the VMs, but I want all of the OSes/apps to be running off of the SSD, ideally.
[22:21] I personally like to segregate my VM disk usage in some way
[22:21] I was thinking 10GB pretty much each
[22:21] Oh, yeah, ideally that'd be great.
[22:21] And I may end up doing that, but I think that what I'm looking to do with my server + vms isn't really super disk intensive.
[22:22] I see our IS guys having to clean up space on vms due to being short on space from time to time; I think they grumble about 10g roots
[22:22] adv-t: about 10GB for a basic install of roots and then I export disks for data
[22:22] This is why I asked! :D
[22:23] if you're religious about the 'disks for data' then probably 10 gigs does work okay
[22:23] it also depends what you're doing...
[22:24] I think I'm pretty religious about disks for data.
[22:24] for example, if you are doing qemu/kvm and you'll mostly use static images, then using a shared root + incrementals could dramatically reduce your data usage
[22:24] same with lxd and something like overlayfs
[22:24] but generally speaking everybody recommends against using snaps/immutables for prod because sooner or later things will drift enough you'll regret it
[22:25] oh?
[22:25] however ime if you know your workload well that can be really advantageous
[22:26] I have a 120GB SSD that I wanted to use as the boot drive, and then I've got three VMs that I plan to build: One for my own files (SMB and such which will be located on a separate disk), one for an ethereum stratum proxy (I will store the full blockchain on a separate disk), and one for a web server for me to play around with.
[22:27] Again, I figured that for the most part, it'd just be the OS and applications that "run" off of the SSD - data would be stored on separate disks.
[22:27] This means I need to reinstall Ubuntu and redo my Xen VM. T_T
[22:27] for that use case I think you've got plenty if you don't need to save up SSD space for future usage
[22:28] if data is always on another disk for each VM, then 15GB is prolly safer
[22:28] Yeah, I don't think I do. I figured 10GB partitions JUST to be extra conservative, but, shoot, it's not like I can't get a bigger SSD if I need.
[22:28] I could do 15GB.
[22:28] I just had this 120GB laying around, figured I'd put her to use.
[22:29] most of my / start at about 4GB with all my
[22:29] "basic sw" installed
[22:29] so for my use case, 10GB is plenty
[22:29] but I've run into some cases where it got tight
[22:29] especially if you need to keep multiple kernels or source code around for some reason
[22:30] i do like to tinker though.
[22:30] i might need an ubuntu 16.04.2 vm just for that.
[22:30] so i can blow that one up, and not nuke all my services.
[22:31] fwiw, depending on your taste, I've moved 99% of my tinkering to lxd instead of VMs
[22:32] but I'm also stubborn and refuse to use libvirt which would have made sticking with VMs probably a lot easier :P
[22:32] so like I said, it's partly a taste thing
[22:32] the real physical limit is how many "VMs" you need to tinker with and if you can pack those on the machine you have or not
[22:33] containers will obviously pack a lot more
[22:34] you want to keep 20% of the drive free at all times, so it has good space to use for rewrites.
[22:35] Because it's an SSD? Or just in general?
[22:35] due to SSD
[22:35] Gotcha, yeah. Good idea.
[22:35] lol
[22:35] performance will drop really fast if you fill it up
[22:35] Does Ubuntu Server 16.04.2 do TRIM?
[22:36] there was just a massive thread^Wflame about that on ZOL list
[22:36] Like, automagically? Or do I need to set that up via cron?
[22:36] on consumer ssds this is good advice.
[22:36] It should be obvious by now that I am... learning... am nub
[22:36] actually "small" ssds in particular
[22:37] if you have a 240gb or bigger it's less of an issue. as you tend to not actually fill them. while a 120 you easily fill
[22:38] enterprise ssds tend to have like 40% unaddressable flash set off for spare/gc management so "filling up" is much less of an issue on those.
[22:38] yep
[22:38] is also why they seem faster than consumer ones
[22:39] and cost more
[22:39] http://list.zfsonlinux.org/pipermail/zfs-discuss/2017-June/028440.html
[22:39] just for reference
[22:40] there's some good comments and myth busting
[22:40] and I think people overall agree with the above, especially the distinction between enterprise vs consumer SSDs regarding overprovisioning
[23:38] adv-t: if you use a filesystem that supports the fstrim ioctls crontab up fstrim..