[00:08] <kinghat> can someone here help me wrap my head around apache2 usr/grp/permissions?
[00:09] <teward> kinghat: depends on what exactly you're trying to achieve?
[00:10] <kinghat> im trying to set up this php server software that is like a self hosted image host.
[00:10] <kinghat> i think permissions and users and groups is making the install of it fail.
[00:11] <teward> set ownership for the web root/dir to www-data for both user and group
[00:11] <teward> recursively
[00:11] <teward> the web server should be able to write configs then
[00:11] <sarnold> (as well as the executables :( )
[00:11] <kinghat> well i created a group `web-content` and added the only user there is on the machine to it.
[00:12] <kinghat> also added `www-data` to it as well.
[00:13] <kinghat> i basically did this at the bottom: https://wiki.apache.org/httpd/FileSystemPermissions
[00:13] <kinghat> but instead of `apache` i used `www-data`
[00:14] <kinghat> but used 644 and 755
[00:14] <teward> probably helps to ask what happens when you *try* to install?
[00:14] <teward> because such info is useful :P
[00:16] <kinghat> the guy who made the software says 'Not a bug, because thats mean that the directory is not writable by the user'
[00:16] <kinghat> im basically starting from scratch here.
[00:17] <teward> i'd need to see the softwarew then because something undocumented like that or not clearly written means that they don't know muhc.
[00:17] <teward> and i didn't ask you waht **that guy** said
[00:17] <teward> i asked you **what you witnessed**
[00:18] <teward> I.E. the exact error messages you are seeing
[00:18] <kinghat> https://github.com/SergiX44/XBackBone
[00:19] <kinghat> ya i think it was a 500 error after it tries to install. and i think it has to do with creating a db.
[00:19] <sarnold> hint: pastebin what happened.
[00:19] <kinghat> this was the error: https://cdn.discordapp.com/attachments/514330611742277635/519616960741244930/unknown.png
[00:19] <kinghat> sarnold: sorry im starting from scratch so i dont have them anymore.
[00:20] <kinghat> actually i may be able to dig it up if i posted it to a bin. one sec.
[00:21] <kinghat> http://paste.debian.net/hidden/9e9e1d42/
[00:22] <sarnold> I hate this software already
[00:22] <kinghat> but i was trying all different configs at the time so
[00:22] <sarnold> why doesn't it give a precise error message? sigh
[00:22] <sarnold> anyway try namei -l /var/www/html/xbackbone/app/Database/DB.php and see if that gives you any hints
[00:22] <kinghat> its pretty new
[00:23] <kinghat> well i dont even have the software on the server anymore. like i said im starting from scratch with permissions and the user groups.
[00:25] <kinghat> should `www-data` own everything? or what happens when i ssh or sftp in to add the server files, then it becomes owned by the user.
[00:25] <kinghat> they are both part of the group `web-content`
[00:26] <kinghat> cant the software be owned by the group instead?
[00:32] <sarnold> I strongly dislike www-data owning the executables but whatever works
[00:36] <kinghat> sarnold: you mean `chown -R www-data:www-data /var/www/html`
[00:36] <kinghat> ?
[00:36] <sarnold> kinghat: I also think it's a bad idea for www-data to own the data, since I don't think a compromised web server should be able to make persistent changes
[00:37] <kinghat> i mean i obv have no idea how it should be i cant get it to work
[00:38] <kinghat> let alone security implications of the different configurations.
[00:45] <kinghat> is it possible to have all files chmodded a default way for a certain dir and recursively?
[00:46] <sarnold> not really
[00:46] <kinghat> maybe it just was automagically done in ftp clients that i used to use.
[00:46] <kinghat> if i transfer files over via sftp you have to change them every time
[01:15] <kinghat> huh. if i set everything to `www-data:www-data` it seems to be working.
[01:18] <teward> kinghat: not really, FTP clients are just as stupid as SFTP is - they'd have the same permissions problems.  (SOrry I disappeared and sarnold took over I got busy)
[01:19] <kinghat> np
[01:25] <kinghat> teward: so you think its ok to `www-data:www-data` everything?
[01:26] <teward> no i have my reservations about it too
[01:26] <teward> but I typically am "OK" for that from an *installation* perspective then change the ownership to group only with write access to only what exactly is needed
[01:27] <teward> i'm a strict it security guy so I do rigorous tests and stuff along those lines to make sure permissions are as restrictive as they can be on any webapp i use
[01:27] <fishcooker> on ubuntu 16.04.5i tried to change priority and nicelevel of a service using start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --nicelevel 13 --iosched 'idle' --exec $DAEMON but it won't change the prio and nice level https://paste.ubuntu.com/p/MzgznDnn6C/
[01:30] <sarnold> is uid 0 also correct? (can it run as non-root?)
[01:30] <kinghat> teward: you mean write access to `www-data` or user?
[01:30] <sarnold> fishcooker: is there a systemd unit file that's being used instead of a sysv-init script?
[06:23] <cpaelzer> jamespage: see mail from justin, do we cancel or postpone todays meeting then?
[07:59] <jamespage> cpaelzer: I'll cancel for today
[08:23] <kstenerud> I just got this error from launchpad when uploading a ppa: Source/binary (i.e. mixed) uploads are not allowed.
[08:24] <kstenerud> But I built using git ubuntu build like always. Why did it upload a mixed (?) package?
[08:24] <kstenerud> and what does that even mean?
[08:28] <cpaelzer> ok, thanks jamespage
[10:51] <lordievader> Good morning
[11:13] <ahasenack> good morning
[12:49] <Mr_Pan> hrllo i need a GUI for Amavis Qauarantined File ...any  ideas?
[13:06] <jamespage> coreycb: seeing some autopkgtest failures in disco proposed - cinder, nova - looks like a migrate + sqlite type issue
[13:06] <coreycb> jamespage: hmm ok i can take a look
[13:07] <jamespage> coreycb: might be easier to just switch to using mysql - its a pretty simple setup (see neutron)
[13:07] <coreycb> jamespage: good point, ok
[14:31] <Greyztar> is there a way to change vi text editor edit mode key from insert to something else?my keyboard got insert on numpad/generally scuffed keyboard
[14:35] <rbasak> Greyztar: uh, the "i" key?
[14:36] <Greyztar> rbasak: hmm doesnt take me to edit mode though :/
[14:37] <Greyztar> rbasak: ahh now it works ,time to buy new keyboard haha
[14:37] <rbasak> Greyztar: you might want to give "vimtutor" a go.
[14:38] <rbasak> Greyztar: with vim installed, run "vimtutor". It'll take about half an hour and you'll know your way around vim/vi much better then.
[14:39] <Greyztar> rbasak: the problem was partially that i thought i was supposed to work also ,but when it didnt i thought it changed with some update or so,its they "i" button on keyboard itself which is scuffed amongst other keys
[14:39] <Greyztar> rbasak: thanks for the tip ill check it out (,")
[14:39] <rbasak> "a" will also work (but subtly differently - the tutorial will explain :-)
[14:39] <Greyztar> rbasak: good stuff!
[20:05] <leftyfb> Can anyone point me to some documentation for customizing an initrd booted over PXE to dd an image to the local drive ?
[20:06] <leftyfb> I find it hard to believe people haven't already done this, though I'm having trouble finding any information on it
[20:08] <sarnold> I suspect folks start with something simple and then keep building on it until they've got a system like maas or fai :)
[20:14] <lordcirth> leftyfb, why was it you needed raw dd images specifically?  I forget
[20:15] <leftyfb> lordcirth: as opposed to? This is to lay down an image into bare metal
[20:16] <lordcirth> as opposed to pxe booting a preseeded ubuntu, for example
[20:16] <leftyfb> Regardless, whatever is chosen for the disk image type, I'll still need to lay this down onto the bare metal during some running environment booted to from PXE
[20:16] <leftyfb> ah
[20:16] <leftyfb> we want images to keep every device standard
[20:17] <lordcirth> Like, when I deploy machines, I PXE boot the ubuntu server iso with a preseed, the preseed late_command installs salt-minion and connects to the master on first boot.
[20:17] <leftyfb> We're doing d-i installs now and have issues with versions of packages changing and causing issues
[20:17] <lordcirth> Then salt 'minion' state.apply
[20:17] <leftyfb> I know all about that, I do those installs now. We want images
[20:18] <leftyfb> an image will be a lot quicker to deploy 10 or more at a time regularly
[20:18] <leftyfb> The image will be created in a CI environment
[20:20] <leftyfb> this is coming as a surprise to me that this isn't documented somewhere already. Customizing an initrd(initramfs?) to lay a disk image down onto bare metal.
[20:21] <leftyfb> as sarnold said, this is the basis of projects like fai and maas
[20:21] <lordcirth> I'm pretty sure it's not documented under that search because they didn't do it in the initrd
[20:21] <lordcirth> but I could be wrong
[20:22] <sarnold> leftyfb: hmm, would it be as simple as booting with init=/bin/dd ... ?
[20:23] <lordcirth> lol
[20:23] <lordcirth> You'd need to mount first, though
[20:23] <leftyfb> sarnold: unlikely since we'll need network to pull down the image to be dd'd
[20:23] <leftyfb> we'll need some minimal OS running
[20:24] <lordcirth> I'm setting up test VM's now, because I'm bored
[20:26] <leftyfb> I'm digging into an initrd now, but there's got to be a more methodical way of doing this
[20:26] <sarnold> sorry, I got a phone call while typing that
[20:27] <sarnold> but if you'v;e already booted into an initrd, you've *got* some amount of OS running and available
[20:36] <lordcirth> leftyfb, I'm pretty sure DRBL / Clonezilla SE do this.
[20:52] <lordcirth> leftyfb, https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples
[20:58] <sdeziel> wow, https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples#Self-Decrypting_Server is dangerous
[21:02] <leftyfb> hm, I kinda like it actually
[21:02] <leftyfb> gives me an idea for my encrypted backups
[21:05] <sdeziel> leftyfb: if the CPU's clock changes, the dynamic key to unlock the LUKS volume changes. Sounds risky to depend on something that volatile ;)
[21:05] <lordcirth> leftyfb, http://www.evanjones.ca/software/pxeimager-scratch.html
[21:05] <TJ-> leftyfb: how big is userspace FS in these systems?
[21:06] <leftyfb> TJ-: ~120G SSDs
[21:06] <leftyfb> 10G images
[21:06] <TJ-> leftyfb: ahhh, so we can't embed it in the kernel image initrd then!!
[21:07] <leftyfb> sorry, make that 15, with just a raw dd image pulled with no thought into cache size
[21:07] <leftyfb> nope, not at all
[21:09] <leftyfb> lordcirth: that might be exactly what I'm looking for ... going to spend the rest of this week going through it and see if it'll work the way we want
[21:09] <TJ-> leftyfb: so, semi-easy way: install dropbear-initramfs, PXE boot the image and on the PXE host have it trigger a dd if=disk.img | ssh target.robot dd of=/dev/sda" ?
[21:09] <lordcirth> It looks pretty simple...
[21:10] <leftyfb> TJ-: got documentation on how to set something like that up?
[21:10] <TJ-> leftyfb: in my head, sure :D
[21:10] <leftyfb> TJ-: "on the PXE host have it trigger" what does that look like?
[21:11] <TJ-> leftyfb: the only hackish part would be triggering the ssh, but i'd guess watching the PXE network connection could do that
[21:11] <TJ-> leftyfb: the other option would be to reverse that and have the initrd have an ssh client that connects back to the host
[21:12] <leftyfb> TJ-: I don't follow the idea of:   the client booted the dropbear-initramfs image, the host realizes the client is booted and somehow dd's an image to the clients local storage
[21:17] <TJ-> leftyfb: in that case, the PXE/TFTP host 'knows' a client has fetched the boot image, so it can use that knowledge to trigger an ssh connection to the target, where the target is running dropbear-initramfs SSH server. The command is simply a dd through the SSH link
[21:17] <leftyfb> ah
[21:18] <TJ-> leftyfb: but doing it the other way (outbound connection from initrd to host) is probably easier, and is the procedure used for things like fetching a remote LUKS encryption key. For scripts examples see e.g. http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/
[21:18] <leftyfb> very hacky though
[21:18] <TJ-> Everything is 'hacky' until it works, then it's standard procedure!
[21:22] <TJ-> Even better examples with hook scripts here https://www.quora.com/Debian-GNU-Linux-How-can-I-add-an-SSH-active-client-in-the-initramfs-image-to-get-data-remotely
[21:30] <leftyfb> damn, I wanted to try that first article you posted on my laptop but can't seem to find the rsa key pair for it
[21:30] <leftyfb> There's no /etc/initramfs-tools/root
[21:30] <leftyfb> unless I'm supposed just make that all myself
[21:31] <TJ-> the initramfs script tools auto-create paths to files when the directories don't exist
[21:32] <leftyfb> so.... what do I run?
[21:32] <leftyfb> 2) Install the required packages:
[21:32] <leftyfb> apt-get install openssh-server dropbear busybox
[21:32] <leftyfb> 3) Copy the SSH key that has been generated automatically
[21:32] <leftyfb> scp root@my.server.ip.addr:/etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa.initramfs
[21:32] <leftyfb> step 3 is invalid
[21:34] <TJ-> the quora article is much better; it even has an initramfs hook for installing ssh and so on using copy_exec
[21:35] <leftyfb> the quora article seems like a lot more manual work compared to the first one where it assumes everything just works out of the box
[21:37] <leftyfb> it looks like I can just create the root myself and use my own keys
[21:38] <TJ-> quora is three steps; 1) create the keys in /etc/initramfs-toosl/root/ 2) create the hook script /etc/initramfs-tools/hooks/ssh-remote  3) create the initrd.img script /etc/initramfs-tools/scripts/XXXXX where XXXX is the stage of the initrd you want it to run at
[21:39] <TJ-> for copying a disk image it needs the network up but it I'd think it could be done at local-premount
[21:40] <TJ-> so the correct network modules need adding, and the network configured, first
[21:54] <leftyfb> welp, tomorrow is another day. Thanks for the suggestions guys. I've got some reading and tinkering to do tomorrow.
=== Chunkz2 is now known as ChunkzZ