/srv/irclogs.ubuntu.com/2018/06/21/#ubuntu-server.txt

[00:31]  * runelind_q upgrades LDS
[00:32] <runelind_q> let's see if it blows up.
=== minipini is now known as Guest67672
[05:22] <cpaelzer> good morning
[05:56] <lordievader> Good morning
[07:25]  * Eichu0Ku_
[09:18] <V7> Hey all
[09:19] <V7> How to chroot a user correctly, so it won't move to an upper path?
[09:19] <V7> Can't login after adding ChrootDirectory to sshd_config for a user
[09:19] <V7> Now it looks like: https://hastebin.com/xutizafebu.nginx
[09:19] <V7> Ubuntu 18.04
[09:27] <blackflow> V7: can you login with sftp?
[09:28] <blackflow> V7: also, there are certain rules about chrooted directories. check the ssh logs. Namely, the chroot directory must be owned by root. So it can be something like root:user ownership, and 750 mode, ie. not accessible by others.
[09:29] <ducasse> V7: please don't crosspost, it's pretty rude and wastes other people's time
[09:30] <V7> ducasse: No answer there in about 15 mins so
[09:31] <V7> Thank you blackflow. sftp gives: Couldn't read packet: Connection reset by peer
[09:31] <ducasse> V7: you posted in #linux 3-4 minutes before here
[09:31] <blackflow> V7: and what do the server logs say?
[09:32] <V7> ducasse: Please, sorry.
[09:33] <V7> blackflow: You're right. Says bad ownership or modes for chroot
[09:33] <blackflow> mmmh-hm.
[09:33] <blackflow> V7: and btw, that will only allow SFTP access. You can't ssh into that account regularly.
[09:34] <V7> You mean, force-command ?
[09:34] <blackflow> if you want to ssh regularly, you'll have to populate the chroot dir with some nodes required for an interactive session. see the sshd_config manpage on the ChrootDirectory directive.
[09:34] <blackflow> V7: yes, force-command.
[09:34] <V7> This is an achievement :)
[09:34] <blackflow> but not just it. like I just said, if you want regular ssh access too, you need some nodes in the chroot dir.
[09:35] <V7> This user mustn't use ssh
[09:35] <V7> shell *
[09:35] <blackflow> V7: it's all explained nicely under the ChrootDirectory option in the sshd_config(5) manpage.
[09:35] <blackflow> V7: in that case, this config should suffice, assuming you have proper ownership like explained earlier.
[09:35] <V7> I'm actually, already reading
[09:36] <V7> Thank you very much blackflow
[09:36] <blackflow> you're welcome.
=== mike-zal is now known as mike-zal-work
[09:52] <jamespage> coreycb: I'm thinking we should move to <agent binpkg> -> python{3}-<module> -> <module>-common as a general pattern
[09:52] <jamespage> so all the agent binpkgs do is provide the systemd units
[09:52] <jamespage> osa will like that as well
[11:02] <V7> blackflow: Oh dear.
[11:07] <V7> Now an ownership is okay, isn't it ? https://hastebin.com/ukutogevet.coffeescript
[11:07] <V7> Although, it shows an error while trying to authorize with user
[11:11] <blackflow> V7: it's not. mustn't be writable by anyone other than root
[11:11] <V7> blackflow: somedir or internals ?
[11:11] <blackflow> somedir
[11:12] <V7> So, it's not, isn't it ? 755
[11:12] <blackflow> try 750
[11:13] <tomreyn> "ChrootDirectory /somedir" for a directory located at /home/user/somedir seems incorrect to me.
[11:13] <V7> tomreyn: Why home/somedir ?
[11:14] <V7> Oh, I see, because of the output I've sent to you
[11:14] <tomreyn> "ChrootDirectory %h/somedir" would probably work
[11:14] <blackflow> wait, is that /somedir or /.../somedir?
[11:14] <V7> tomreyn: A directory is located in root
[11:14] <blackflow> the ChrootDirectory is the path outside of the directory of course
[11:14] <V7> blackflow: It's in root
[11:15] <blackflow> tomreyn: why? just chroot to user's homedir directly.
[11:15] <V7> tomreyn: And the output which you've seen there is a little modified, so there's actually:
[11:15] <V7> user@ubuntu:/$
[11:16] <tomreyn> blackflow: that probably works, too.
[11:16] <blackflow> V7: make /somedir owned by   root:user   and of mode   750
[11:17] <V7> blackflow: The same
[11:17] <blackflow> V7: yeah that error is worded as if you can't have a chroot dir straight under root.  Why not just make it /home/user  ?
[11:17] <V7> /home/user doesn't exist
[11:17] <blackflow> why not
[11:17] <V7> Also, this /somedir is for a mounted device
[11:18] <V7> This /somedir mustn't be changed
[11:18] <blackflow> well I don't know about chrooting to dirs straight under root, but that error message seems to imply you can't
[11:18] <blackflow> mount it under /mnt/somedir
[11:18] <V7> Okay, I've changed it to /mnt/somedir
[11:21] <V7> Copied stuff and now it's: https://hastebin.com/goriqazime.coffeescript
[11:21] <V7> The same
[11:22] <blackflow> V7: please pastebin the output of ls -la /mnt/somedir  .   I especially want to see  . and ..
[11:23] <tomreyn> and ChrootDirectory is /mnt/somedir now? (I don't think it follows symlinks if you have any)
[11:24] <V7> blackflow: https://hastebin.com/ifaqotosib.rb
[11:25] <blackflow> great, and the ChrootDirectory is /mnt/somedir/   as tomreyn asked?  And you restarted sshd of course?
[11:26] <V7> tomreyn: Yes, sshd_config: https://hastebin.com/wiyoguweso.nginx
[11:26] <blackflow> V7: ugh, why password auth.....   just say no! :)
[11:26] <V7> blackflow: For testing
[11:27] <V7> Yes, sshd was restarted
[11:27] <blackflow> V7: so, you restarted sshd (ssh.service) just to make sure, and it still throws the same mode/ownership error? can you pastebin the error? it lists the path element it dislikes
[11:27] <tomreyn> ls -la would not output this with trailing slashes, so you must have run something else there: https://hastebin.com/ifaqotosib.rb
[11:27] <V7> It says: sshd[1387]: fatal: bad ownership or modes for chroot directory component "/"
[11:28] <V7> tomreyn: Yes, dir1 and dir2 have data
[11:28] <blackflow> uh, can you pastebin the output of    stat /   ?
[11:29] <V7> blackflow: https://hastebin.com/higetamagi.http
[11:29] <blackflow> how did that happen :)
[11:30] <blackflow> your root is owned by "user"
[11:30] <V7> oh dear
[11:30] <jamespage> coreycb: working ceilometer py3 (needed it for networking-odl)
[11:30] <V7> root is owned.
[11:30] <blackflow> well according to that pastebin, your root (/) is owned by "user"
[11:30] <blackflow> that ain't gonna work.
[11:30] <V7> of course
[11:30] <V7> I'll reset it now
[11:31] <blackflow> how did that happen.... what's the ownership on other dirs under /  ?
[11:31] <blackflow> like /bin, /usr, /etc, /root/, .... ?
[11:31] <V7> Already reset all stuff
[11:31] <V7> Give it some time to reboot
[11:32] <blackflow> didn't have to reboot tho'
[11:32] <V7> blackflow: This will reset all changes
[11:33] <blackflow> how? btrfs/zfs snapshot?
[11:35] <V7> Just a little tar archive of root
[11:40] <Ussat> just a little tar archive.......
[11:40] <V7> Interesting
[11:40] <V7> I've rebooted and the same. /'s owned by user.
[11:41] <V7> This might be because of /etc/fstab
[11:41] <V7> I'll check this now
[11:47] <V7> blackflow: So, all directoried before the chrooted one should be not writeable for a user which should be chrooted ?
[11:47] <V7> s/sdirectoried/directories
[11:48] <V7> So, /dir1/dir2/dir3/dir4 all should be 755 ?
[11:48] <blackflow> it really is all neatly explained in the first few sentences of the ChrootDirectory option in the manpage :)
[11:48] <V7> If chrooting to dir4
[11:48] <V7> Yes, I've seen
[11:48] <V7> aufs / aufs defaults 0 0
[11:49] <blackflow> "all components of the pathname are root-owned directories which are not writeable by any other user or group".   That's the second sentence of the paragraph.
[11:49] <V7> All components of the pathname must be root-owned directories that are not writable by any other user or group.
[11:49] <V7> All components of pathname
[11:49] <blackflow> so.... ALL components of the path..... ROOT owned...... not writeable by any other user or group.
[11:49] <V7> This is what it mean, all units of pathname
[11:49] <V7> means *
[11:49] <blackflow> so that answers your question. :)
[11:50] <blackflow> so, of the chroot dir. NOT the dirs UNDER the chroot.
[11:50] <V7> Yup, thank you very much blackflow
[11:50] <V7> oh
[11:50] <V7> You mean, dir1 can be 777, but dir1/chroot should be 755 ?
[11:50] <blackflow> yes, you can have whatever under it, but naturally, accessible/writable-where-needed to the "user" that's logging into that chroot.
[11:51] <blackflow> V7: it can be anything, under the chroot.
[11:51] <V7> Understood
[11:51] <V7> Hope you'll be okay there blackflow
[11:51] <blackflow> but the chroot itself, the directory turned into "/" for that login session (aka the chroot), must be root owned, not writable by anyone else.
[11:51] <blackflow> why wouldn't I :)
[12:14] <HyP3r> Hello, I'm searching for a good tool for Ubuntu server which auto-remounts samba shares. I have the problem that our Windows File Server sometimes reboots and then my mounted shares are not mounted anymore. Last time I had the problem that the Ubuntu server booted and the Windows File Server was not running. In this case it would be cool if the server kept retrying to mount the share consistently
[12:20] <ahasenack> morning
[12:21] <V7> Interesting
[12:21] <HyP3r> lel
[12:21] <V7> Now all works. SSHD is diabled. SFTP works well, but when I'm trying to authorize via SSH it says: "Could not chdir to home directory /mnt/somedir/: No such file or directory"
[12:22] <V7> ssh is diabled *
[12:22] <V7> disabled **
[12:24] <V7> ... but the directory exists: https://hastebin.com/opowupehiy.scala
[12:31] <ahasenack> rbasak: hey, question about git ubuntu merge workflow
[12:31] <ahasenack> cpaelzer: you too are welcome to chime in :)
[12:31] <rbasak> o/
[12:33] <V7> So ChrootDirectory tries to chroot into $h/chroot rather than /chroot firstly ?
[12:33] <V7> Even if ChrootDirectory /chroot is set
[12:35] <ahasenack> oh, sorry, left you hanging
[12:35] <ahasenack> ok
[12:35] <ahasenack> rbasak: what if our delta includes an upstream version bump?
[12:36] <ahasenack> rbasak: when I'm in the phase where I git reset HEAD^ and deconstruct the update into individual commits,
[12:36] <ahasenack> rbasak: I will have a lot of non-debian/ files and directories in there, reflecting the version bump
[12:36] <ahasenack> should I put all of those under "New upstream version: x.y.z"?
[12:36] <ahasenack> or just leave that particular commit as is, without deconstructing it?
[12:37] <rbasak> Let me check the definitions to give you an answer that's consistent with documentation
[12:39] <ahasenack> I might have used "deconstruct" incorrectly, maybe it's "reconstruct". I'm never sure
[12:39] <ahasenack> it's the first old/debian rebase you do after merge start
[12:42] <rbasak> ahasenack: which numbered step is that at https://wiki.ubuntu.com/UbuntuDevelopment/Merging/GitWorkflow please?
[12:43] <cpaelzer> ahasenack: reading backlog ...
[12:43] <ahasenack> rbasak: 3.1.3-5
[12:44] <rbasak> Got it, thanks.
[12:45] <rbasak> Your suggestion is right
[12:45] <rbasak> "should I put all of those under "New upstream version: x.y.z"?"
[12:45] <blackflow> V7: "no such file or directory" probably refers to the shell binary which doesn't exist in the chroot
[12:45] <rbasak> Yes - stuff all changes not in debian/ into one commit (assuming 3.0 (quilt))
[12:45] <ahasenack> rbasak: the new upstream version fixed two bugs
[12:45] <cpaelzer> or is it really a version bump  and not a quilt patch?
[12:46] <ahasenack> rbasak: group that all together
[12:46] <ahasenack> cpaelzer: rbasak it's a real version bump, we went ahead of debian
[12:46] <rbasak> Yes
[12:46] <ahasenack>   * New upstream version:
[12:46] <ahasenack>     - Fix database corruption bug when upgrading from samba 4.6 or lower
[12:46] <ahasenack>       AD controllers (LP: #1755057)
[12:46] <ahasenack>     - Fix security issues: CVE-2018-1050 and CVE-2018-1057 (LP: #1755059)
[12:46] <rbasak> Per upload, that is
[12:46] <ubottu> Launchpad bug 1755057 in samba (Ubuntu) "Samba 4.7.4 should not be shipped as an AD DC" [High,Fix released] https://launchpad.net/bugs/1755057
[12:46] <ubottu> Launchpad bug 1755059 in samba (Ubuntu Bionic) "Samba [Bug 13272] [SECURITY] CVE-2018-1057" [High,Fix released] https://launchpad.net/bugs/1755059
[12:46] <ahasenack> so stash non-debian diff under that commit?
[12:46] <cpaelzer> so it is not keeping debian's tarball and adding a quilt patch and instead really bumped the versions
[12:46] <rbasak> So for each upload, you may have up to one commit containing all non-debian/ changes
[12:46] <rbasak> Plus the other usual ones
[12:46] <ahasenack> yes, it's a new orig tarball
[12:46] <cpaelzer> yep I'd still group into one
[12:47] <cpaelzer> which should match the diff of the two orig tarballs
[12:47] <ahasenack> y
[12:47] <rbasak> You could split it further in theory. It wouldn't cause a problem for the workflow, but it'd be additional work to do and you don't need to go to that depth.
[12:48] <cpaelzer> in case you have it split already ...
[12:48] <rbasak> You'll be throwing away this one commit in the next step anyway
[12:48] <coreycb> jamespage: seems to make sense. is there a package done I can look at?
[12:48] <cpaelzer> like when the bump was made not from tarball but from git
[12:48] <cpaelzer> then you could keep it if you want
[12:48] <rbasak> The only purpose in keeping it now is that it means that the result of the deconstruct step can easily be checked.
[12:48] <cpaelzer> but I also see coming that you'll drop it anyway on the merge
[12:49] <ahasenack> ok, thanks guys
[12:49] <cpaelzer> the only pain would be if this was bumped via git-commits and Debian moved with the upstream tarball - sometimes  git!=tarball
[12:49] <cpaelzer> so ensure the orig tarball matches
[12:49] <ahasenack> this is one of those fun tarballs, with an empty directory
[12:49] <cpaelzer> yay
[12:49] <ahasenack> why make it easy, heh
[12:50] <cpaelzer> ahasenack: are you moving even further by the merge
[12:50] <cpaelzer> so if Debian was 1, we moved to 2 and the merge is now 3 ?
[12:50] <coreycb> jamespage: I'm thinking about not merging congress. congress bundles antlr3 which is not ideal, and there's a bug  open upstream. zigo modifies the orig tarball to drop all of the antlr3 code, but I'd prefer to just use the published orig tarball.
[12:50] <cpaelzer> then the concerns on matching tarballs don't matter
[12:50] <ahasenack> cpaelzer: no, this one has a debian tarball
[12:50] <ahasenack> going from 4.7.x to 4.8.x
[12:50] <ahasenack> debian never released a 4.7.6, and told me they never would
[12:51] <ahasenack> they went from 4.7.4 to 4.8.x
[12:51] <cpaelzer> ahasenack: but that is fine, you will now move to 4.8.x and use theirs
[12:51] <ahasenack> right
[12:51] <cpaelzer> good
[12:51] <ahasenack> so the actual merge is normal
[12:51] <ahasenack> it's the deconstruct phase that had this oddball
[12:51] <cpaelzer> honestly, it doesn't matter too much
[12:52] <cpaelzer> as rbasak said, it is mostly to check if old/new match what they should
[12:52] <cpaelzer> and later in logical to compare if all commits are retained
[12:52] <ahasenack> and exercise some muscles
[12:52] <cpaelzer> but since this one will be dropped it doesn't matter if it is one or 2k
[12:52] <ahasenack> it will be a huge commit indeed
[12:52] <cpaelzer> ahasenack: when I'm done with my current merge you can exercise some review muscles :-P
[12:53] <rbasak> You can add everything and then reset out just the debian/ directory
[12:53] <rbasak> Saves typing
[12:54] <cpaelzer> rbasak: I added plenty of updates to your merge list
[12:54] <cpaelzer> all that I thought worth discussing is added as comments so it can be discussed as needed
[12:54] <rbasak> Thanks :)
[13:40] <hehsec> beep boop
[13:41] <hehsec> How do you guys go about hardening new server installs?
[13:41] <hehsec> and managing logs
[13:41] <hehsec> Other than the usual use keys not passwords, change the ssh port to nonstandard to keep the logs from getting flooded with crap
[13:42] <rbasak> ahasenack, cpaelzer: what does Monday triage mean? Sat-Sun inclusive?
[13:42] <rbasak> Or Mon also?
[13:43] <cpaelzer> Fr/Sat/Sun
[13:43] <rbasak> OK thanks
[13:43] <cpaelzer> Definition: up to and including the last workday
[13:43] <cpaelzer> that works for any day
[13:46] <cpaelzer> rbasak: also see check_dates in /snap/ustriage/current/lib/python3.5/site-packages/ustriage/ustriage.py
[13:53] <blackflow> hehsec: apparmor all the things, modify services to run unprivileged wherever possible, take advantage of systemd's security features for services
[13:54] <hehsec> Systemd comes with security features for services?
[13:54] <hehsec> O.o?
[13:56] <blackflow> hehsec: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04     and then some
[13:59] <hehsec> blackflow: damn
[14:05] <hehsec> blackflow: I never knew I could use systemd to manage apparmor and selinux profiles on services
[14:05] <hehsec> Why do people hate systemd again?
[14:08] <genii> Probably mostly because systemd-networkd
[14:08] <hehsec> genii: blackflow Any suggestions for learning to automate configuration of linux machines?
[14:09] <hehsec> I'm learning to work with tools like osquery
[14:11] <blackflow> hehsec: ansible!
[14:13] <genii> mssh sometimes is useful
[14:15] <hehsec> blackflow: gah
[14:15] <hehsec> genii: neat
[14:43]  * leosilva lunch
[14:49] <lahlfors> On an ubuntu server with no MTA currently installed, I'd like to arrange it so that regular users cannot send or receive mail, but UIDs < 1000 can send email to root (and only to root) which will be forwarded to an external address via a specified SMTP relay.  What MTA would make this easiest to achieve?
[14:59] <rbasak> lahlfors: I prefer exim for that kind of level of customisation. I'm not sure about restricting sendmail by uid though. I'd check if that is possible first.
[15:00] <rbasak> lahlfors: I have a standard exim configuration I use for stub servers for which I only want root email sent to me and nothing else.
[15:01] <rbasak> lahlfors: https://paste.ubuntu.com/p/TBNgvPnnfP/ is what I use
[15:02] <rbasak> lahlfors: that should be trivial to adjust to use an SMTP relay. Not sure about the uid restriction.
[15:02] <rbasak> That doesn't stop users from sending out via SMTP directly.
[15:02] <lahlfors> rbasak, thanks, this looks very helpful!
[15:03] <rbasak> I think it might send _everything_ to me regardless of target address
[15:03] <lahlfors> I don't want to attempt to stop users from making outgoing SMTP connections.  But I would like it to be difficult for users to arrange for any daemon on this machine to make an outgoing SMTP connection on their behalf
[15:03] <sdeziel> lahlfors: to prevent users from sending to SMTP directly: iptables -A OUTPUT -m owner --uid-owner 1000-65535 -p tcp --dport 25 -j REJECT
[15:05] <lahlfors> sdeziel, thanks, but that's not exactly what I want.  I want to prevent local users from sending or receiving mail using the local MTA.  Receiving should be easy (some config option).  But sending?
[15:06] <sdeziel> lahlfors: that was only to prevent bypassing the MTA
[15:06] <sdeziel> lahlfors: for the MTA part, with postfix you'd use http://www.postfix.org/postconf.5.html#authorized_submit_users
[15:07] <lahlfors> sdeziel, now we're talking!  That config option should do what I need if I use postfix.  Thanks.
[15:08] <sdeziel> lahlfors: for other MTAs, a hack would be to use file ACLs to prevent executing the sendmail binary itself
[15:08] <lahlfors> Is postfix a good "lightweight" option in general?  I have configured lots of servers but stopped installing MTAs long ago and only ever used sendmail and qmail
[15:08] <sdeziel> lahlfors: beware that most MTAs will let someone directly talk to 127.0.0.1:25 and let you relay with it
[15:09] <lahlfors> sdeziel, I'll handle that with iptables restrictions on the loopback interface.  Not sure if I need to worry about a unix socket file somewhere, too
[15:09] <sdeziel> lahlfors: postfix is pretty light IMHO. You can tune it even more if you disable inet services
[15:11] <runelind_q> oh hey Landscape upgraded cleanly from 17.03 to 18.04
[15:15] <rbasak> lahlfors: looks like exim has $originator_uid and you can set up an ACL on that
[15:16] <rbasak> sdeziel: I would just grab a copy of the sendmail binary from somewhere else and run that :)
[15:17] <lahlfors> rbasak, great, you beat me to it.  (Was looking for the exim analogue of authorized_submit_users)
[15:17] <sdeziel> rbasak: ouch :)
[15:20] <lahlfors> geeze exim ACLs are complicated.  I guess mail is just fundamentally complicated.  ugh
[15:21] <teward> yes mail is complicated
[15:21] <teward> it has its own set of chaos tied to it, especially from a security perspective.
[15:22] <lahlfors> Basically, I don't want to get into the mail business anyway.  But it would be nice to aggregate cron emails and other problem reports at an external address
[15:23] <lahlfors> Right now problems detected in cron jobs are just ignored because no MTA is installed.  A few manually send their output via amazon SES, but I don't want to be forced to configure that on each job, so I am looking into a very restrictive MTA config
[15:28] <rbasak> The main security issues with mail are spam and open relays
[15:29] <rbasak> My exim config attempts to avoid that by overriding everything to me, so it shouldn't be possible for someone to route anything anywhere else. exim's router mechanism is quite clear about the outcome there so hopefully no confusion. And I turn off listening on public interfaces, so I don't have to worry about SMTP ACLs.
[15:29] <rbasak> (even if someone did manage to get to my exim's SMTP all they'd be able to do is send emails to me since everything redirects to me)
[15:30] <rbasak> IMHO this is the most minimal and perfectly acceptable config for servers that aren't supposed to have users logged in.
[16:49] <teward> rbasak: +1.  But getting everything to behave can still be tricky, when it comes to interaction with other mail servers and such
[16:49] <teward> whether the config is 'perfect' or not.
[17:30] <rbasak> teward: the point of my arrangement is that it doesn't really talk to other mail servers. Only my one :)
[17:30] <rbasak> Well, not even "really". It just doesn't!
[17:31] <teward> indeed.
[19:08] <madLyfe> so when I did a fresh install of server 18.04 and did a second reboot (had to reboot again after I left the installer usb attached. shouldn't this be aware and pass over it?) it booted up and didn't show 'server login:' it was just a blinking line. I ran 'sudo reboot now' and it then asked me to login. what I'm getting at is it wasn't very clear where it was at after the boot up.
[19:08] <madLyfe> https://usercontent.irccloud-cdn.com/file/VOeccHM5/image.png
[19:09] <madLyfe> not sure if that is a bug or feature request?
[19:13] <sarnold> probably not much to be done about it
[19:14] <madLyfe> pretty sure it used to just land you at a login prompt. not just an empty blinking cursor.
[19:14] <sarnold> it did
[19:14] <sarnold> look up at the tty1 line ..
[19:14] <sarnold> there's your login: prompt
[19:15] <sarnold> async tasks run during boot may emit content nearly forever..
[19:15] <madLyfe> hmm
[19:40] <ahasenack> how do I link debian merge bugs with the report in http://reqorts.qa.ubuntu.com/reports/ubuntu-server/merges.html ?
[19:40] <ahasenack> an example is dovecot's entry there, it's pointing at https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1771524
[19:41] <ubottu> Launchpad bug 1771524 in dovecot (Ubuntu) "Merge dovecot 2.3.x for Cosmic" [Undecided,Incomplete]
[19:41] <ahasenack> but that bug has no special tag about it
[21:48] <lopta> Right, let's see how big this Ubuntu Server thing is.
[21:59] <lopta> 1,162 MB (i386, 16.04.4).  That's great.
[21:59] <lopta> I'll try 18.04 next.
[22:01] <tomreyn> ?
[22:07] <dpb1> he's downloading over carrier pigeon
[22:11] <tomreyn> :)
[22:11] <genii> RFC 1149
[22:37] <JanC> carrier pigeons can transport quite a lot more than that at impressive speeds   :)
[22:39] <JanC> e.g. if you let them carry some 256GB (and bigger capacity?) micro-SD cards
[22:39]  * sarnold wonders what the airspeed velocity of RAICP carrying a RAID array is..
