[01:48] <MrCorvid> Hello! So, I want to make a script that, when called runs the "screen" command, which then upon creation runs the "optirun" command (from bumblebee, for controlling nvidia GPUs) which then runs the java command to run a program under optirun within the screen.
[01:50] <MrCorvid> The issue I am having now is that when this happens, the java program crashes because it attempts to modify files that it cannot because it needs root permissions. So, I need to A) find a way to have the script give ONLY  either that optirun command OR that java command sudo privaleges (that initial script is being run with root privileges due to it being owned by the root folder, and also being accessed by systemd)
[01:51] <MrCorvid> or B) make it so that jar can access all the files it needs without root without enabling ANYONE to modify or run those files other than root and this jar
[01:59] <DWSR> Hey all, just curious how to do a completely unattended install of Ubuntu 18.04 Server. It looks like the installer has changed away from d-i.
[09:36] <sacarde> hi
[09:37] <sacarde> is true that: networkd contains its own in-built DHCP client implementation ?
[09:38] <sacarde> can I disable? or set static IP ?
[09:39] <blackflow> sacarde: yes, and of course.
[09:39] <blackflow> it only means you don't need dhclient or similar, if you want dhcp.
[09:39] <sacarde> I have a proble, I set in "interfaces" only a static ip
[09:40] <sacarde> but when system start it get a dhcp ip too
[09:40] <blackflow> which Ubuntu?
[09:40] <sacarde> ubuntuserver1804
[09:41] <sacarde> I remove dhcpcd dhclient pkgs
[09:41] <blackflow> 18.04 no longer uses /etc/network/interfaces,  which is part of "ifupdown" package. It uses netplan, which is configuration abstraction tool that works with backend: networkd on servers, and NetworkManager on desktops.
[09:41] <blackflow> But you don't have to use neplan either, you can configure a .network unit directly, for networkd.
[09:41] <blackflow> !netplan
[09:41] <ubottu> Netplan is a network configuration abstraction renderer which uses YAML descriptions of a network to work with either a NetworkManager or Systemd-networkd "renderer". More information at https://netplan.io/
[09:42] <sacarde> can you show me an example? static ip without dhcp
[09:42] <blackflow> sacarde: click that link
[09:42] <sacarde> ah ok
[09:47] <SlowJimmy> is nfs the only way to mount a drivepartition from the server  on my client machine? or can this be done in ext4?
[09:49] <blackflow> SlowJimmy: ext4 is on-disk filesystem, nfs is network "filesystem" that works with any underlying on-disk one. One alternative to nfs is samba.
[09:51] <SlowJimmy> blackflow can i convert ext4 to nfs without harming the preexisting data?
[09:52] <blackflow> SlowJimmy: no, nfs does not exist as an on-disk format. there's no mkfs.nfs. nfs is a system that allows you to export one directory, over the network, mountable as if it was local, onto another machine
[09:53] <blackflow> it's actually more than one directory, so called "exports", but the gist is it works like that.
[09:54] <SlowJimmy> so it is similar to samba but just for real computers not just windows?
[09:55] <SlowJimmy> i see, i dont have a man page but i will just read up on nfs somewhere they are bound to talk about how i can share the ext4 partition
[09:55] <blackflow> smb/cifs and nfs are protocols similar in functionality, yes.
[09:55] <SlowJimmy> i mean if i understand right, then i can just follow some procedure or list of steps and use nfs to make the partition available
[09:55] <blackflow> pretty much, yes.
[09:55] <SlowJimmy> man you cant imagine how invaluable your help has been
[09:56] <blackflow> you don't have to convert anything, you just export some directories, over the network, to anotehr machine.
[09:56] <SlowJimmy> that will do wonders for my backups
[09:56] <ducasse> !nfs | SlowJimmy see this
[09:56] <ubottu> SlowJimmy see this: nfs is the network file system. See https://help.ubuntu.com/community/SettingUpNFSHowTo for information on installing and configuring NFS.
[09:56] <blackflow> SlowJimmy: note, however, there's no TLS or encryption involved, so if you're doing it over the public network, you'll need to take additional steps.
[09:56] <SlowJimmy> didnt have a man page for nfs on sys
[09:57] <blackflow> (nfsv4 can do some encryption with kerberos, but what I mean is, it's not there by default)
[09:57] <SlowJimmy> how do i protect against somebody somehow sitting on my internal network?
[09:58] <SlowJimmy> or what if one of the clients is infected?
[09:58] <SlowJimmy> then all my data is fair game?
[09:58] <SlowJimmy> can you tell with the network conenctions and so forth if somebody is accessing your network who shouldnt be?
[09:59] <blackflow> if you don't trust your network then treat it like public internet
[10:00] <blackflow> SlowJimmy: that's why you set up authentication and encrypt connections. NFSv4 is capable of that.
[10:00] <blackflow> or use something like VPN tunneling
[10:00] <SlowJimmy> i have a question regarding authentication, if you use keypair authentication for ssh and a password is the password still cleartext?
[10:00] <SlowJimmy> oh ok i will try to set everything up that way
[10:01] <SlowJimmy> better safe than sorry
[10:01] <SlowJimmy> also if you got a keypair set up... how do you prevent your privatekey falling into the wrong hands?
[10:02] <SlowJimmy> i mean if it just sits on a client wont it be a risk because once that client is compromised then basically the server and withit the whole network?
[10:02] <blackflow> you're asking overly broad questions. with ssh keys you have private and public keys. you can share the public one freely, and you protect the private one with a passphrase.
[10:03] <blackflow> you keep that private as protected as possible, and teh passphrase is there in case of it being stolen or compromised, teh attacker would still need to know the passphrase to use that key.
[10:03] <SlowJimmy> blackflow but wont that be useless if the computer you use to conect with to the server has been compromised? i mean wouldnt they be able to just copy the private key and key log the pasphrase?
[10:03] <blackflow> so public keys are form of 2FA in itself. something you know (the passphrase to even use the key) and something you have (the key itself).
[10:04] <blackflow> "log the passphrase"? only if they somehow see you type it in.
[10:05] <SlowJimmy> so if they got my system compromised with a trojan wotn they be able to use keylogging functions of that malware to basically record the keystrokes?
[10:05] <blackflow> in theory, yes.
[10:05] <SlowJimmy> i mean if one of the clients i use to ssh in is compromised isnt then the whole system gone?
[10:05] <SlowJimmy> i mean server and all other clients?
[10:05] <blackflow> but they'll also need to get that key in order to use it.
[10:05] <SlowJimmy> but wouldnt that be easily done with a keylogger?
[10:06] <blackflow> no. like I said, you give public keys to the machines you log into. public keys work only in conjunction with your private key, so if the public key is stolen, nothing bad happens.
[10:07] <blackflow> pubkey auth is a form of asymmetric encryption. it takes one key to encrypt and another key to decypt. one key cannot be used for both. in this particular case, the private key you keep to yourself,  protected, and the public key is given out to machines you ssh into.
[10:07] <SlowJimmy> no i know, i just am not clear how the private keys sittig on the clients isnt a huge security risk?
[10:08] <blackflow> the private keys shouldn't be "sitting on the clients", if "clients" are machines you SSH into.
[10:09] <SlowJimmy> no i mean the clients is what i use to ssha into the server
[10:09] <SlowJimmy> the server has the public key
[10:09] <SlowJimmy> and the client has the private key
[10:09] <blackflow> you can even do this. put your private key on usb. with ssh-agent running on your local machine, you instert the usb stick once, unlock the key (ssh agent remembers it), and you can remove the USB. that machine can now use the ssh-agent to access remote machines with that private-public key pair.
[10:10] <SlowJimmy> basically my lapto ruig ubuntu has a pricvage key and my server has the public key but if somebody takes over my desktop with the private key isnt then the whole system lost?
[10:10] <blackflow> but yes, if tha "client" is compromised, if the ssh private key is stolen, if the passphrase for the private key is easy to guess or tortured out of you,    ur dun goof'd.
[10:11] <SlowJimmy> wait but if the desktop is just in any way compromised then the private key is bound to be just simply copied by the attacker and they can easily isntall a keylogger to capture my passphrase, no?
[10:12] <blackflow> in fact, a few years ago there was an attack on servers noted on webhostingtalk forums, servers with tight security and pubkey auth were being compromised. the conclusion was (and I don't know if it was every 100% confirmed)  that there was a trojan that stole those private keys, the admins were windows users, and itw as in conjunction with how they used putty.
[10:12] <SlowJimmy> so in this keypair authentication it all hinges on the assumption that your desktop runing ubuntu is not compromised or has a trojan or whaterver they use
[10:12] <blackflow> SlowJimmy: yes, but..... balance of probabilities.
[10:13] <blackflow> in fact, this is ONE reason why I run custom AppArmor profiles that forbid any app with network access, from touching ~/.ssh/
[10:13] <SlowJimmy> and the usb thing does not help since once compromised they do not need to have access to the usb costatly only once woudl be enough...
[10:13] <SlowJimmy> and they would not have to be connected to do that either
[10:14] <SlowJimmy> blackflow› that is excellent
[10:14] <blackflow> and that is why security is hard.
[10:14] <SlowJimmy> you prevent any connectable services from acces to the privatekey
[10:14] <SlowJimmy> what though if one app that has no internet touches your private key and then hands it to the other buddy app that has internet
[10:15] <blackflow> then I'm compromised.
[10:15] <SlowJimmy> so does your apparmor increase security then?
[10:15] <SlowJimmy> i mean it seams like there is a way around it
[10:15] <blackflow> it does. any intrusion vector shut down, even if not 100%, is increased security. security is not black and white, never 100%. it's a process.
[10:16] <blackflow> given enough time and money, there's always a "way around", even the best security in the world.    https://xkcd.com/538/
[10:16] <SlowJimmy> cant one reduce any ssh activity to a life cd?
[10:17] <blackflow> "life cd"?
[10:17] <SlowJimmy> like make a custom live cd of ubuntu make sure it is md5 checksumed and all, and then put the private key on that, bur it to disk and then onyl physical access will grant them access to the private key
[10:17] <SlowJimmy> who ever them is...
[10:18] <SlowJimmy> liek you only ssh into the server with this live cd and have noother copies of the private key than on the livecd itself
[10:18] <blackflow> that's one way to make it more secure, yes
[10:18] <SlowJimmy> does this aproach have security holes too?
[10:18] <blackflow> but then... openssh itself could be found (and has been in the past) vulnerable.
[10:18] <SlowJimmy> i see that if your original copy has been tempered with yes...
[10:18] <SlowJimmy> but you can md5 checksum to make sure
[10:18] <SlowJimmy> somewhat...
[10:19] <SlowJimmy> oh
[10:19] <blackflow> so your remote machine is compromised, an openssh vuln exist, you connect to that machine, poof your keys are stolen. (hypothetically, if such vuln existed)
[10:19] <SlowJimmy> i mean you cant run a server off of a livecd
[10:19] <SlowJimmy> or can you?
[10:20] <blackflow> so the bottom line is, you cover as many vectors as you can, but it's never 100%. there will alwys be something, somewhere, lurking, that can potentially compromise you.   a visit from the attacker with a $5 wrench, included.
[10:20] <blackflow> you can run read-only stateless servers yes.
[10:20] <SlowJimmy> wait why the live cd in the first place? cant you basically write a script that md5 checksum the system and asks you to sign off on any changes and maybe show those changes to you, sort of liek a firewall for making changes to the system
[10:20] <blackflow> which may or may not be feasible depending on what they do
[10:20] <andol> Not to mention, that there are all kinds of precautions you could take, but wouldn't neccesdarily be practical, since they would make your server less useful.
[10:21] <SlowJimmy> and if there is an unallowed change it reverts the system back with rsync
[10:21] <blackflow> andol: indeed.
[10:21] <blackflow> SlowJimmy: sure, check out AIDE
[10:21] <blackflow> !info aid
[10:21] <blackflow> !info aide
[10:21] <ubottu> Package aid does not exist in bionic
[10:21] <ubottu> aide (source: aide): Advanced Intrusion Detection Environment - static binary. In component main, is optional. Version 0.16-3 (bionic), package size 706 kB, installed size 1986 kB
[10:21] <SlowJimmy> blackflow well i just want to be reasonably secure the guy who made the effort to physically visit me at that point i am beate
[10:21] <SlowJimmy> beate
[10:22] <SlowJimmy> beaten
[10:22] <SlowJimmy> literally
[10:22] <SlowJimmy> this AIDE does add all kinds of paranoid security measures?
[10:22] <SlowJimmy> nice!
[10:23] <SlowJimmy> blackflow what book can i read to get on top of this?
[10:23] <blackflow> no, it's essentially a database of checksums and various other file properties, and then you do frequent runs and it reports what changed about the files in the db.
[10:23] <SlowJimmy> liek to know where the weakess of my system are liek what you said earlier with the openssh vulnerabilites and such
[10:23] <blackflow> like that md5 script you mentioned above, md5 being just one thing it does.
[10:23] <SlowJimmy> black omg that is sweet!!!
[10:24] <blackflow> SlowJimmy: for THAT though, check out Snort.
[10:24] <blackflow> !info snort
[10:24] <ubottu> snort (source: snort): flexible Network Intrusion Detection System. In component universe, is optional. Version 2.9.7.0-5build1 (bionic), package size 678 kB, installed size 2148 kB
[10:24] <SlowJimmy> couldnt you combine this with your current ssh protection?
[10:24] <blackflow> sure
[10:24] <SlowJimmy> check for any file changes evertime your ssh folder is accessed
[10:24]  * andol thinks SlowJimmy would benefit more from general sysadmin understanding, and less from specific tools.
[10:25] <blackflow> Snort goes as far as monitoring traffic in real time and detecting patterns of known or potential malicious behavior
[10:25]  * blackflow agrees with andol 
[10:43] <SlowJimmy> it is very soothing to lear about these tools though
[10:44] <SlowJimmy> to know there already is a way to deal with these issues
[10:44] <SlowJimmy> i am i the process of readig several gnu/linux server adming /network administration books
[10:45] <tomreyn> for any complex problem, there is always a more complex partial or full solution. ;)
[10:45] <tomreyn> or rather multiple, so you can spend more time on finding out which one is the least bad one.
[10:46] <SlowJimmy> lol
[10:46] <SlowJimmy> keeping you perpetually busy in the process
[10:47] <tomreyn> unless you notice you are and break the loop. so how long have you spent on these thoughts today? ;)
[10:59] <RoyK> SlowJimmy: https://debian-handbook.info/ <-- good reading - you'll probably learn a lot - debian isn't ubuntu, but then, they're about the same (ubuntu is based on debian after all)
[11:03] <andol> Yepp, great book!
[11:03] <SlowJimmy> RoyK yeah they all are so similar
[11:04] <SlowJimmy> thansk man i really apreciate your help
[11:04] <SlowJimmy> thanks blackflow thanks andol thanks tomreyn  thansk RoyK
[11:05] <tomreyn> :)
[16:17] <MrCrow> Hey, I need some help - I want to run a script from systemd, which either operates with root privileges and has a password on it, or runs a single command with sudo
[16:17] <MrCrow> or remove the need to run that command with sudo
[21:34] <Zahovay> hello guys i need a little help. Just got a vps with 15.10. trying to install 16.04 through ssh but cant install update-manager-core
[21:34] <Zahovay> any suggestion on  it?
[21:35] <Zahovay> the main problem during installing update-manager-core that it says "unmet dependecies: python3-update-manager
[21:35] <Zahovay> is not going to be installed"
[21:35] <blackflow> !eolupgrades | Zahovay
[21:35] <ubottu> Zahovay: End-Of-Life is the time when security updates and support for an Ubuntu release stop, see https://wiki.ubuntu.com/Releases for more information. Looking to upgrade from an EOL release? See https://help.ubuntu.com/community/EOLUpgrades
[21:36] <blackflow> Zahovay: so the hosting company has no modern ubuntu images?
[21:36] <Zahovay> hosting company is old as hell, its also awful but its the cheapest by far
[21:37] <blackflow> I'd still drop them if they don't support modern images. plenty of cheap but quality providers
[21:38] <Zahovay> anyway its already payed we didnt know its like that..
[21:38] <Zahovay> which server version u suggest?
[21:39] <blackflow> Zahovay: 18.04, latest LTS
[21:39] <Zahovay> does it have any drawbacks?
[21:41] <blackflow> Zahovay: well personally I don't like the netplan NIH but it's nothing you can't remove/ignore/not use
[21:41] <blackflow> or use it if you like it.
[21:42] <Zahovay> blackflow: and when i edit sources.list do I use old-releases with 18.04?
[21:42] <Zahovay> or archive?
[21:43] <Zahovay> oh that question is stupid im sorry
[21:43] <blackflow> not with 18.04, you use that in your existing 15.10 in order to be able to upgrade
[21:44] <blackflow> but if I were you, and that hoster had a "rescue mode", even if debian, I'd use that and install with debootstrap. in fact that's how I alwys install remotely because of encryption.
[21:52] <Zahovay> it says kernel version not supported. (upgrading with update-manager-core) any ideas?
[21:52] <blackflow> well, rescue mode, debootstrap
[21:52] <blackflow> Zahovay: how much are you paying for that thing?
[21:53] <Zahovay> half a dollar / month
[21:54] <blackflow> well, pay peanuts, get monkeys :) the "cheap but quality" providers really start at around few €/mo
[21:54] <Zahovay> I know and I told my manager that this was the worst possible choices of all
[21:54] <blackflow> "manager"? so this is for business purposes?
[21:55] <Zahovay> actually this is kind of a research labor of IOT and nobody has server side experience at all
[21:56] <Zahovay> I thought that I will try to setup the server by myself since I know c/cpp programming this setup could not take much work
[21:57] <Zahovay> shoud*
[21:57] <blackflow> programmers are usually the worst sysadmins :
[21:58] <blackflow> jokes aside, y'all should really consider hiring some help.
[21:59] <Zahovay> well I want to learn this part of the life too. I want to become kind of a security expert of the IOT part of IT
[21:59] <Zahovay> learning some server part should help me
[21:59] <blackflow> that's perfectly fine. local VMs are best used for that.
[22:00] <Zahovay> agreed but the manager said that our work would be tracked through a website's database with visual diagrams etc.. so he choose this .. I accepted server side so i learn from it
[22:01] <blackflow> welp, that's what grinds my gears. people wiht no experience running public servers that get compromised and turned into gbps UDP cannons for a botnet.
[22:02] <Zahovay> actually it is not going to be public server
[22:02] <Zahovay> i already restricted all ports and connections except my ssh which is not the default ssh
[22:02] <Zahovay> and database will be set to be used only from local access. (so the server program)
[22:02] <blackflow> and I hope you disabled password auth in sshd_config?
[22:02] <Zahovay> i mean publicly available but only auth users will use it
[22:03] <blackflow> wait, a db listening on public IP?
[22:03] <Zahovay> let me have a smoke and will continue
[22:03] <Zahovay> im courius about these
[22:08] <Zahovay> can i pm you?
[22:09] <blackflow> please don't.
[22:10] <Zahovay> okey, so I would have a mysql database restricted to local access only with a pubic ip running a nodejs server serving connections
[22:10] <Zahovay> is this a bad idea?
[22:11] <blackflow> not per se
[22:17] <Zahovay> after upgrading i've been dropped from sudoers file. Can I resolve it?
[22:19] <blackflow> if root has password, try     su -l      and use root's password
[22:22] <RoyK> usually root doesn't have a password on ubuntu, try "sudo -i"
[22:24] <blackflow> RoyK: "dropped from sudoers file"
[22:28] <Zahovay> Well the guy who pays the vps is not active, i could not solved this.. Thanks for you help guys
[22:29] <RoyK> blackflow: login on the console or use an usb thing
[22:29] <blackflow> Zahovay: check if you have sudo priv anyway, maybe through %sudo group? or %wheel
[22:30] <Zahovay> I had sudo before upgrading. Now when I type "%sudo group" it says no such job
[22:30] <Zahovay> for wheel it says the same
[22:30] <blackflow> Zahovay: lol... %sudo   is notation for the "sudo" group in sudoers file
[22:31] <blackflow> it's not a command
[22:31] <Zahovay> I cannot "cat" the sudoers file
[22:31] <Zahovay> permission denied
[22:31] <blackflow> right. but can you sudo anything?  sudo -i   for example?
[22:31] <Zahovay> it asks for my pw then it says im not in the sudoers file
[22:32] <Zahovay> and "its going to be reported"
[22:32] <blackflow> lol yeah, that's sudo the little snitch. you're lucky sudo on ubuntu is not compiled with insults.
[22:32] <blackflow> anyway, does that hosting company have a rescue env? if you can mount the disk in the rescue env, you can change the sudoers file or assign root pass
[22:33] <RoyK> Zahovay: is this a vm somewhere out in the cloud?
[22:33] <Zahovay> Well probably has, i have to wait 'til the guy who paid and have the access to everything wakes up and give me some login infos for the vps company's site
[22:35] <Zahovay> Can I check somehow the usernames on this vm ?
[22:35] <Zahovay> i mean on the ubuntu
[22:36] <RoyK> Zahovay: check /etc/passwd
[22:37] <RoyK> don't pastebinit
[22:37] <Zahovay> command worked but didnt help
[22:38] <RoyK> Zahovay: it's a text file, /etc/passwd - it lists the users on the system
[22:39] <RoyK> Zahovay: I won't help you to hack a system, just saying how things work
[22:40] <Zahovay> Actually this our own vps where I had root password on 15.10 and after upgrading to 16.04.5 (was 3 hours of work due to messed up sources.list) i lost my root priv
[22:40] <Zahovay> but I understand your point and I do not ask you to help me in such a thing
[22:40] <RoyK> then 'su -' should give you root acesss
[22:41] <Zahovay> well it says auth failure
[22:41] <Zahovay> dunno why
[22:41] <RoyK> or you may have to ask the supplier of the VPS
[22:41] <Zahovay> I will have to.. tomorrow when the guy who paid woke up..
[22:43] <Zahovay> wait
[22:43] <Zahovay> im dumb
[22:43] <Zahovay> and it worked
[22:43] <Zahovay> thanks lol
[22:43] <RoyK> fine :)
[22:43] <blackflow> for that money, I doubt the hoster would even laugh. :)
[22:43] <Zahovay> i had to wrote my username after the su
[22:43] <Zahovay> ah thanks guys
[22:43] <blackflow> uh... that just started a new shell as ..... you.
[22:44] <blackflow> `whoami` will confirm
[22:44] <RoyK> or "who am i"
[22:44] <RoyK> like looking into a mirror
[22:44] <Zahovay> lol so it did not work
[22:45] <blackflow> nope. `su -l`  is to become root with root's pass.   `sudo -i` the same but with your, sudoers, pass.
[22:45] <RoyK> blackflow: or just "su -"
[22:45] <blackflow> (it essentially being the same as `sudo su -l`)
[22:46] <blackflow> RoyK: I like being explicit.
[22:46] <blackflow> but, yes.
[22:48] <Zahovay> not sure if I understand but "su username" then pw it runs fine without error but I do not get any root priv. (I've alsod done "su username" then pw then whoami
[22:48] <RoyK> Zahovay: "su" means "switch user" - if you don't give it a username, it means root
[22:49] <Zahovay> oh lol
[22:49] <RoyK> https://xkcd.com/149/
[22:50] <Zahovay> :DDDDDDDDDDDDD
=== havenstance1 is now known as havenstance