| kinghat | can someone here help me wrap my head around apache2 usr/grp/permissions? | 00:08 |
|---|---|---|
| teward | kinghat: depends on what exactly you're trying to achieve? | 00:09 |
| kinghat | im trying to set up this php server software that is like a self hosted image host. | 00:10 |
| kinghat | i think permissions and users and groups is making the install of it fail. | 00:10 |
| teward | set ownership for the web root/dir to www-data for both user and group | 00:11 |
| teward | recursively | 00:11 |
| teward | the web server should be able to write configs then | 00:11 |
| sarnold | (as well as the executables :( ) | 00:11 |
| kinghat | well i created a group `web-content` and added the only user there is on the machine to it. | 00:11 |
| kinghat | also added `www-data` to it as well. | 00:12 |
| kinghat | i basically did this at the bottom: https://wiki.apache.org/httpd/FileSystemPermissions | 00:13 |
| kinghat | but instead of `apache` i used `www-data` | 00:13 |
| kinghat | but used 644 and 755 | 00:14 |
| teward | probably helps to ask what happens when you *try* to install? | 00:14 |
| teward | because such info is useful :P | 00:14 |
| kinghat | the guy who made the software says 'Not a bug, because thats mean that the directory is not writable by the user' | 00:16 |
| kinghat | im basically starting from scratch here. | 00:16 |
| teward | i'd need to see the softwarew then because something undocumented like that or not clearly written means that they don't know muhc. | 00:17 |
| teward | and i didn't ask you waht **that guy** said | 00:17 |
| teward | i asked you **what you witnessed** | 00:17 |
| teward | I.E. the exact error messages you are seeing | 00:18 |
| kinghat | https://github.com/SergiX44/XBackBone | 00:18 |
| kinghat | ya i think it was a 500 error after it tries to install. and i think it has to do with creating a db. | 00:19 |
| sarnold | hint: pastebin what happened. | 00:19 |
| kinghat | this was the error: https://cdn.discordapp.com/attachments/514330611742277635/519616960741244930/unknown.png | 00:19 |
| kinghat | sarnold: sorry im starting from scratch so i dont have them anymore. | 00:19 |
| kinghat | actually i may be able to dig it up if i posted it to a bin. one sec. | 00:20 |
| kinghat | http://paste.debian.net/hidden/9e9e1d42/ | 00:21 |
| sarnold | I hate this software already | 00:22 |
| kinghat | but i was trying all different configs at the time so | 00:22 |
| sarnold | why doesn't it give a precise error message? sigh | 00:22 |
| sarnold | anyway try namei -l /var/www/html/xbackbone/app/Database/DB.php and see if that gives you any hints | 00:22 |
| kinghat | its pretty new | 00:22 |
| kinghat | well i dont even have the software on the server anymore. like i said im starting from scratch with permissions and the user groups. | 00:23 |
| kinghat | should `www-data` own everything? or what happens when i ssh or sftp in to add the server files, then it becomes owned by the user. | 00:25 |
| kinghat | they are both part of the group `web-content` | 00:25 |
| kinghat | cant the software be owned by the group instead? | 00:26 |
| sarnold | I strongly dislike www-data owning the executables but whatever works | 00:32 |
| kinghat | sarnold: you mean `chown -R www-data:www-data /var/www/html` | 00:36 |
| kinghat | ? | 00:36 |
| sarnold | kinghat: I also think it's a bad idea for www-data to own the data, since I don't think a compromised web server should be able to make persistent changes | 00:36 |
| kinghat | i mean i obv have no idea how it should be i cant get it to work | 00:37 |
| kinghat | let alone security implications of the different configurations. | 00:38 |
| kinghat | is it possible to have all files chmodded a default way for a certain dir and recursively? | 00:45 |
| sarnold | not really | 00:46 |
| kinghat | maybe it just was automagically done in ftp clients that i used to use. | 00:46 |
| kinghat | if i transfer files over via sftp you have to change them every time | 00:46 |
| kinghat | huh. if i set everything to `www-data:www-data` it seems to be working. | 01:15 |
| teward | kinghat: not really, FTP clients are just as stupid as SFTP is - they'd have the same permissions problems. (SOrry I disappeared and sarnold took over I got busy) | 01:18 |
| kinghat | np | 01:19 |
| kinghat | teward: so you think its ok to `www-data:www-data` everything? | 01:25 |
| teward | no i have my reservations about it too | 01:26 |
| teward | but I typically am "OK" for that from an *installation* perspective then change the ownership to group only with write access to only what exactly is needed | 01:26 |
| teward | i'm a strict it security guy so I do rigorous tests and stuff along those lines to make sure permissions are as restrictive as they can be on any webapp i use | 01:27 |
| fishcooker | on ubuntu 16.04.5i tried to change priority and nicelevel of a service using start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --nicelevel 13 --iosched 'idle' --exec $DAEMON but it won't change the prio and nice level https://paste.ubuntu.com/p/MzgznDnn6C/ | 01:27 |
| sarnold | is uid 0 also correct? (can it run as non-root?) | 01:30 |
| kinghat | teward: you mean write access to `www-data` or user? | 01:30 |
| sarnold | fishcooker: is there a systemd unit file that's being used instead of a sysv-init script? | 01:30 |
| cpaelzer | jamespage: see mail from justin, do we cancel or postpone todays meeting then? | 06:23 |
| jamespage | cpaelzer: I'll cancel for today | 07:59 |
| kstenerud | I just got this error from launchpad when uploading a ppa: Source/binary (i.e. mixed) uploads are not allowed. | 08:23 |
| kstenerud | But I built using git ubuntu build like always. Why did it upload a mixed (?) package? | 08:24 |
| kstenerud | and what does that even mean? | 08:24 |
| cpaelzer | ok, thanks jamespage | 08:28 |
| lordievader | Good morning | 10:51 |
| ahasenack | good morning | 11:13 |
| Mr_Pan | hrllo i need a GUI for Amavis Qauarantined File ...any ideas? | 12:49 |
| jamespage | coreycb: seeing some autopkgtest failures in disco proposed - cinder, nova - looks like a migrate + sqlite type issue | 13:06 |
| coreycb | jamespage: hmm ok i can take a look | 13:06 |
| jamespage | coreycb: might be easier to just switch to using mysql - its a pretty simple setup (see neutron) | 13:07 |
| coreycb | jamespage: good point, ok | 13:07 |
| Greyztar | is there a way to change vi text editor edit mode key from insert to something else?my keyboard got insert on numpad/generally scuffed keyboard | 14:31 |
| rbasak | Greyztar: uh, the "i" key? | 14:35 |
| Greyztar | rbasak: hmm doesnt take me to edit mode though :/ | 14:36 |
| Greyztar | rbasak: ahh now it works ,time to buy new keyboard haha | 14:37 |
| rbasak | Greyztar: you might want to give "vimtutor" a go. | 14:37 |
| rbasak | Greyztar: with vim installed, run "vimtutor". It'll take about half an hour and you'll know your way around vim/vi much better then. | 14:38 |
| Greyztar | rbasak: the problem was partially that i thought i was supposed to work also ,but when it didnt i thought it changed with some update or so,its they "i" button on keyboard itself which is scuffed amongst other keys | 14:39 |
| Greyztar | rbasak: thanks for the tip ill check it out (,") | 14:39 |
| rbasak | "a" will also work (but subtly differently - the tutorial will explain :-) | 14:39 |
| Greyztar | rbasak: good stuff! | 14:39 |
| leftyfb | Can anyone point me to some documentation for customizing an initrd booted over PXE to dd an image to the local drive ? | 20:05 |
| leftyfb | I find it hard to believe people haven't already done this, though I'm having trouble finding any information on it | 20:06 |
| sarnold | I suspect folks start with something simple and then keep building on it until they've got a system like maas or fai :) | 20:08 |
| lordcirth | leftyfb, why was it you needed raw dd images specifically? I forget | 20:14 |
| leftyfb | lordcirth: as opposed to? This is to lay down an image into bare metal | 20:15 |
| lordcirth | as opposed to pxe booting a preseeded ubuntu, for example | 20:16 |
| leftyfb | Regardless, whatever is chosen for the disk image type, I'll still need to lay this down onto the bare metal during some running environment booted to from PXE | 20:16 |
| leftyfb | ah | 20:16 |
| leftyfb | we want images to keep every device standard | 20:16 |
| lordcirth | Like, when I deploy machines, I PXE boot the ubuntu server iso with a preseed, the preseed late_command installs salt-minion and connects to the master on first boot. | 20:17 |
| leftyfb | We're doing d-i installs now and have issues with versions of packages changing and causing issues | 20:17 |
| lordcirth | Then salt 'minion' state.apply | 20:17 |
| leftyfb | I know all about that, I do those installs now. We want images | 20:17 |
| leftyfb | an image will be a lot quicker to deploy 10 or more at a time regularly | 20:18 |
| leftyfb | The image will be created in a CI environment | 20:18 |
| leftyfb | this is coming as a surprise to me that this isn't documented somewhere already. Customizing an initrd(initramfs?) to lay a disk image down onto bare metal. | 20:20 |
| leftyfb | as sarnold said, this is the basis of projects like fai and maas | 20:21 |
| lordcirth | I'm pretty sure it's not documented under that search because they didn't do it in the initrd | 20:21 |
| lordcirth | but I could be wrong | 20:21 |
| sarnold | leftyfb: hmm, would it be as simple as booting with init=/bin/dd ... ? | 20:22 |
| lordcirth | lol | 20:23 |
| lordcirth | You'd need to mount first, though | 20:23 |
| leftyfb | sarnold: unlikely since we'll need network to pull down the image to be dd'd | 20:23 |
| leftyfb | we'll need some minimal OS running | 20:23 |
| lordcirth | I'm setting up test VM's now, because I'm bored | 20:24 |
| leftyfb | I'm digging into an initrd now, but there's got to be a more methodical way of doing this | 20:26 |
| sarnold | sorry, I got a phone call while typing that | 20:26 |
| sarnold | but if you'v;e already booted into an initrd, you've *got* some amount of OS running and available | 20:27 |
| lordcirth | leftyfb, I'm pretty sure DRBL / Clonezilla SE do this. | 20:36 |
| lordcirth | leftyfb, https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples | 20:52 |
| sdeziel | wow, https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples#Self-Decrypting_Server is dangerous | 20:58 |
| leftyfb | hm, I kinda like it actually | 21:02 |
| leftyfb | gives me an idea for my encrypted backups | 21:02 |
| sdeziel | leftyfb: if the CPU's clock changes, the dynamic key to unlock the LUKS volume changes. Sounds risky to depend on something that volatile ;) | 21:05 |
| lordcirth | leftyfb, http://www.evanjones.ca/software/pxeimager-scratch.html | 21:05 |
| TJ- | leftyfb: how big is userspace FS in these systems? | 21:05 |
| leftyfb | TJ-: ~120G SSDs | 21:06 |
| leftyfb | 10G images | 21:06 |
| TJ- | leftyfb: ahhh, so we can't embed it in the kernel image initrd then!! | 21:06 |
| leftyfb | sorry, make that 15, with just a raw dd image pulled with no thought into cache size | 21:07 |
| leftyfb | nope, not at all | 21:07 |
| leftyfb | lordcirth: that might be exactly what I'm looking for ... going to spend the rest of this week going through it and see if it'll work the way we want | 21:09 |
| TJ- | leftyfb: so, semi-easy way: install dropbear-initramfs, PXE boot the image and on the PXE host have it trigger a dd if=disk.img | ssh target.robot dd of=/dev/sda" ? | 21:09 |
| lordcirth | It looks pretty simple... | 21:09 |
| leftyfb | TJ-: got documentation on how to set something like that up? | 21:10 |
| TJ- | leftyfb: in my head, sure :D | 21:10 |
| leftyfb | TJ-: "on the PXE host have it trigger" what does that look like? | 21:10 |
| TJ- | leftyfb: the only hackish part would be triggering the ssh, but i'd guess watching the PXE network connection could do that | 21:11 |
| TJ- | leftyfb: the other option would be to reverse that and have the initrd have an ssh client that connects back to the host | 21:11 |
| leftyfb | TJ-: I don't follow the idea of: the client booted the dropbear-initramfs image, the host realizes the client is booted and somehow dd's an image to the clients local storage | 21:12 |
| TJ- | leftyfb: in that case, the PXE/TFTP host 'knows' a client has fetched the boot image, so it can use that knowledge to trigger an ssh connection to the target, where the target is running dropbear-initramfs SSH server. The command is simply a dd through the SSH link | 21:17 |
| leftyfb | ah | 21:17 |
| TJ- | leftyfb: but doing it the other way (outbound connection from initrd to host) is probably easier, and is the procedure used for things like fetching a remote LUKS encryption key. For scripts examples see e.g. http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/ | 21:18 |
| leftyfb | very hacky though | 21:18 |
| TJ- | Everything is 'hacky' until it works, then it's standard procedure! | 21:18 |
| TJ- | Even better examples with hook scripts here https://www.quora.com/Debian-GNU-Linux-How-can-I-add-an-SSH-active-client-in-the-initramfs-image-to-get-data-remotely | 21:22 |
| leftyfb | damn, I wanted to try that first article you posted on my laptop but can't seem to find the rsa key pair for it | 21:30 |
| leftyfb | There's no /etc/initramfs-tools/root | 21:30 |
| leftyfb | unless I'm supposed just make that all myself | 21:30 |
| TJ- | the initramfs script tools auto-create paths to files when the directories don't exist | 21:31 |
| leftyfb | so.... what do I run? | 21:32 |
| leftyfb | 2) Install the required packages: | 21:32 |
| leftyfb | apt-get install openssh-server dropbear busybox | 21:32 |
| leftyfb | 3) Copy the SSH key that has been generated automatically | 21:32 |
| leftyfb | scp root@my.server.ip.addr:/etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa.initramfs | 21:32 |
| leftyfb | step 3 is invalid | 21:32 |
| TJ- | the quora article is much better; it even has an initramfs hook for installing ssh and so on using copy_exec | 21:34 |
| leftyfb | the quora article seems like a lot more manual work compared to the first one where it assumes everything just works out of the box | 21:35 |
| leftyfb | it looks like I can just create the root myself and use my own keys | 21:37 |
| TJ- | quora is three steps; 1) create the keys in /etc/initramfs-toosl/root/ 2) create the hook script /etc/initramfs-tools/hooks/ssh-remote 3) create the initrd.img script /etc/initramfs-tools/scripts/XXXXX where XXXX is the stage of the initrd you want it to run at | 21:38 |
| TJ- | for copying a disk image it needs the network up but it I'd think it could be done at local-premount | 21:39 |
| TJ- | so the correct network modules need adding, and the network configured, first | 21:40 |
| leftyfb | welp, tomorrow is another day. Thanks for the suggestions guys. I've got some reading and tinkering to do tomorrow. | 21:54 |
| === Chunkz2 is now known as ChunkzZ | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!
