Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 02/14/2017 08:40 PM, Alice Wonder wrote:
> Well CentOS 7 doesn't use that, and trying to figure out where in the mess of /etc/sysconfig/network-scripts the problem is occurring has caused me much frustration.

DHCPv6 is really unusual. IPv6 addressing and routing is set up almost entirely in the kernel, unless you're using static addresses. IPv6 is neither harder nor easier with NetworkManager, in my experience.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 2/15/2017 12:04 AM, Gordon Messmer wrote:
> DHCPv6 is really unusual. IPv6 addressing and routing is set up almost entirely in the kernel, unless you're using static addresses. IPv6 is neither harder nor easier with NetworkManager, in my experience.

It was my understanding that most IPv6 networks don't need DHCPv6; they normally self-configure with 'stateless address autoconfiguration', http://www.ietf.org/rfc/rfc2462.txt

-- 
john r pierce, recycling bits in santa cruz
[CentOS] (re)build sssd-client.i686 for x86_64
Hi all,

I'm trying to rebuild the current sssd-client.i686 rpm that is part of the x86_64 repo, but I fail to do so. Rebuilding the sssd.src.rpm on x86_64 does not produce this rpm.

I can rebuild sssd.src.rpm with --target=i686, but that sssd-client rpm has conflicts and a whole bunch of i686 deps that the rpm from the CentOS repo doesn't have.

Tips/help welcome.

Stijn
Re: [CentOS] (re)build sssd-client.i686 for x86_64
On 02/15/2017 02:39 AM, Stijn De Weirdt wrote:
> hi all,
>
> i'm trying to rebuild the current sssd-client.i686 rpm that is part of
> the x86_64 repo, but i fail to do so. rebuilding the sssd.src.rpm on
> x86_64 does not produce this rpm.
>
> i can rebuild sssd.src.rpm with --target=i686, but that sssd-client rpm
> has conflicts and a whole bunch of i686 deps that the rpm from the
> centos repo doesn't have.
>
> tips/help welcome

I'll assume CentOS-7 as you don't really say which version. This works for CentOS-6 as well though.

RHEL-7 does not contain a full i686 tree, only some of that tree in the form of multilib packages. However, to BUILD those i686 packages you need a full i686 repo in your build system.

CentOS-7 does actually have an AltArch i686 SIG that produces a fully installable i686 arch. You could use this arch and mock to build i686 packages on an x86_64 CentOS-7 machine.

You always want to build SRPMs in mock instead of using rpmbuild on a normal system because when building, the configure files look for things to link against .. if it finds extra things installed on your system (like desktop files or extra repository packages) it can link against those files and then require things you don't want. Mock creates a separate minimal chroot and adds only requirements of the specific SRPM to that minimal root. The RPMs produced are then only linked against that very controlled build root.

There are mock configs for both CentOS-6 i386 and CentOS-7 i386 that will work to build packages in mock and use the CentOS Base and Updates repos by default.

You can also see all the mock configs we use on CentOS-7 here:

https://git.centos.org/tree/sig-core!bld-seven.git/37012c4fe4f69aa649fdb3e9b1ec002aafd2054f/mock
Re: [CentOS] (re)build sssd-client.i686 for x86_64
On 02/15/2017 03:41 AM, Johnny Hughes wrote:
> On 02/15/2017 02:39 AM, Stijn De Weirdt wrote:
>> hi all,
>>
>> i'm trying to rebuild the current sssd-client.i686 rpm that is part of
>> the x86_64 repo, but i fail to do so. rebuilding the sssd.src.rpm on
>> x86_64 does not produce this rpm.
>>
>> i can rebuild sssd.src.rpm with --target=i686, but that sssd-client rpm
>> has conflicts and a whole bunch of i686 deps that the rpm from the
>> centos repo doesn't have.
>>
>> tips/help welcome
>
> I'll assume CentOS-7 as you don't really say which version. This works
> for CentOS-6 as well though.
>
> RHEL-7 does not contain a full i686 tree, only some of that tree in the
> form of multilib packages. However to BUILD those i686 packages, you
> need a full i686 repo in your build system.
>
> CentOS-7 does actually have an AltArch i686 SIG that produces a fully
> installable i686 arch. You could use this arch and mock to build i686
> packages on an x86_64 CentOS-7 machine.
>
> You always want to build SRPMs in mock instead of using rpmbuild on a
> normal system because when building the configure files look for things
> to link against .. if it finds extra things installed on your system
> (like desktop files or extra repository packages) it can link against
> those files and then require things you don't want. Mock creates a
> separate minimal chroot and adds only requirements of the specific SRPM
> to that minimal root. The RPMs produced are then only linked against
> that very controlled build root.
>
> There are mock configs for both CentOS-6 i386 and CentOS-7 i386 that
> will work to build packages in mock and use the CentOS Base and Updates
> repos by default.
>
> You can also see all the mock configs we use on CentOS-7 here:
>
> https://git.centos.org/tree/sig-core!bld-seven.git/37012c4fe4f69aa649fdb3e9b1ec002aafd2054f/mock

I forgot to say that we have a mock in centos extras for CentOS-7. You can get it with:

yum install mock
Re: [CentOS] (re)build sssd-client.i686 for x86_64
Johnny,

https://git.centos.org/blob/sig-core!bld-seven.git/37012c4fe4f69aa649fdb3e9b1ec002aafd2054f/mock!c7-epel-i686.cfg needs update to 1611.

Sincerely,
Andy
Re: [CentOS] (re)build sssd-client.i686 for x86_64
Hi Johnny,

Apologies, yes this is CentOS 7 on x86_64. I had to set PKGCONFIG_DIR, but that looked like the only thing.

I'll give mock a try and see what comes out.

Thanks a lot,

Stijn

On 02/15/2017 10:44 AM, Johnny Hughes wrote:
> On 02/15/2017 03:41 AM, Johnny Hughes wrote:
>> On 02/15/2017 02:39 AM, Stijn De Weirdt wrote:
>>> hi all,
>>>
>>> i'm trying to rebuild the current sssd-client.i686 rpm that is part of
>>> the x86_64 repo, but i fail to do so. rebuilding the sssd.src.rpm on
>>> x86_64 does not produce this rpm.
>>>
>>> i can rebuild sssd.src.rpm with --target=i686, but that sssd-client rpm
>>> has conflicts and a whole bunch of i686 deps that the rpm from the
>>> centos repo doesn't have.
>>>
>>> tips/help welcome
>>
>> I'll assume CentOS-7 as you don't really say which version. This works
>> for CentOS-6 as well though.
>>
>> RHEL-7 does not contain a full i686 tree, only some of that tree in the
>> form of multilib packages. However to BUILD those i686 packages, you
>> need a full i686 repo in your build system.
>>
>> CentOS-7 does actually have an AltArch i686 SIG that produces a fully
>> installable i686 arch. You could use this arch and mock to build i686
>> packages on an x86_64 CentOS-7 machine.
>>
>> You always want to build SRPMs in mock instead of using rpmbuild on a
>> normal system because when building the configure files look for things
>> to link against .. if it finds extra things installed on your system
>> (like desktop files or extra repository packages) it can link against
>> those files and then require things you don't want. Mock creates a
>> separate minimal chroot and adds only requirements of the specific SRPM
>> to that minimal root. The RPMs produced are then only linked against
>> that very controlled build root.
>>
>> There are mock configs for both CentOS-6 i386 and CentOS-7 i386 that
>> will work to build packages in mock and use the CentOS Base and Updates
>> repos by default.
>>
>> You can also see all the mock configs we use on CentOS-7 here:
>>
>> https://git.centos.org/tree/sig-core!bld-seven.git/37012c4fe4f69aa649fdb3e9b1ec002aafd2054f/mock
>
> I forgot to say that we have a mock in centos extras for CentOS-7. You
> can get it with:
>
> yum install mock
Re: [CentOS] Problems with latest Firefox update -- can't install new extensions
On 02/12/2017 03:15 PM, Kay Schenk wrote:
> Since the latest Firefox update to 45.7.0 on my CentOS 6.8 system, I can
> no longer install add-ons/extensions. Things LOOK like they're working
> but the extensions don't get stored in my normal area and they don't
> appear in my Add-Ons menu. Is anyone else having this issue?
>
> It has been a while since I added any new extensions so I can't say WHEN
> exactly this problem happened but :(

I don't have any CentOS-6 desktops anymore, but I did a desktop install into a VM and installed firefox and the flash plugin from adobe.. seemed to work OK.

I also installed the firessh extension as a test. That also worked fine. This extension was installed in my home directory under:

/.mozilla/extensions/
[CentOS] vsftp problem C7
Hi list,

I've a problem with vsftpd on C7.3. This is a dedicated server protected by a Zywall5. SELINUX is disabled.

This is my vsftpd configuration:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome
listen=YES
listen_port=21
pasv_enable=YES
pasv_min_port=5
pasv_max_port=50100
pasv_address=public-ip
port_enable=YES
pasv_addr_resolve=NO
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Connecting from localhost to the local ip with the ftp command, I've no problems. If I try to connect from a remote host to the ftp server I got some problems. Connecting from my workstation I can log in with user and pwd, but when listing I get:

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (188,213,172,158,206,207)
ftp: connect: Connection refused
ftp>

Seems to be a firewall (zywall5) problem. On the server firewalld is disabled and there are no iptables rules. So I've opened ports 20, 21 and 5:50100 from my ip to the server ip. The problem persists. I've tried to open all ports (using Any TCP and Any UDP) but the problem persists.

I've tried with another local server with the same vsftpd configuration and I've reproduced the problem by closing all ports with iptables. I get the same messages, but after enabling the specified ports with iptables on the server the issue is solved.

How can I solve this issue on the remote server?

Thanks in advance.
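As an added example (not code from the thread), the checker below decodes the 227 reply quoted in the post the way an FTP client does (data port = p1 * 256 + p2) and compares the advertised data port against the vsftpd pasv_min_port/pasv_max_port range and the port ranges the poster says were opened on the firewall. The sample reply and the ranges are taken from the post; the expected_host parameter is an assumption standing in for the real pasv_address, which the post only gives as "public-ip".

```python
import re

# FTP reply 227 carries the data endpoint as six decimal octets:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"  ->  host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (host, port) exactly as an FTP client does."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, pasv_min, pasv_max, firewall_ranges, expected_host=None):
    """Compare the advertised data endpoint with what server and firewall allow.

    Returns (host, port, findings). An empty findings list means the client's
    follow-up data connection is at least not blocked by the ranges given;
    each finding names one reason the connection could be refused.
    """
    host, port = parse_pasv(reply)
    findings = []
    if not pasv_min <= port <= pasv_max:
        findings.append(
            "data port %d is outside vsftpd pasv_min_port/pasv_max_port %d-%d"
            % (port, pasv_min, pasv_max)
        )
    if not any(lo <= port <= hi for lo, hi in firewall_ranges):
        findings.append(
            "data port %d is not inside any firewall-allowed range %s"
            % (port, firewall_ranges)
        )
    # Assumption: expected_host is the address configured as pasv_address.
    if expected_host is not None and host != expected_host:
        findings.append(
            "advertised host %s differs from pasv_address %s" % (host, expected_host)
        )
    return host, port, findings


# Values taken from the post: the 227 reply the client printed, the vsftpd
# pasv_min_port/pasv_max_port settings, and the ports opened on the Zywall
# (20, 21 and 5:50100).
SAMPLE_REPLY = "227 Entering Passive Mode (188,213,172,158,206,207)"
PASV_MIN, PASV_MAX = 5, 50100
FIREWALL_RANGES = [(20, 21), (5, 50100)]

if __name__ == "__main__":
    host, port, findings = check_pasv_reply(
        SAMPLE_REPLY, PASV_MIN, PASV_MAX, FIREWALL_RANGES
    )
    print("server told the client to connect to %s:%d" % (host, port))
    for f in findings:
        print(" -", f)
```

For the reply in the post the decoded data port is 52943 (206 * 256 + 207), which lies above the 5:50100 range that was opened, so the checker reports two findings.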
Re: [CentOS] vsftp problem C7
Hi list,

I've an update: I've changed listen_port from 21 to 10021, restarted vsftpd again and the problem is solved. I can't understand what's happened. Any ideas?

On 15/02/2017 13:37, Alessandro Baggi wrote:
> Hi list,
>
> I've a problem with vsftpd on C7.3. This is a dedicated server protected by a Zywall5. SELINUX is disabled.
>
> This is my vsftpd configuration:
>
> anonymous_enable=NO
> local_enable=YES
> write_enable=YES
> local_umask=022
> dirmessage_enable=YES
> xferlog_enable=YES
> connect_from_port_20=YES
> xferlog_file=/var/log/vsftpd.log
> xferlog_std_format=YES
> idle_session_timeout=600
> data_connection_timeout=120
> ftpd_banner=Welcome
> listen=YES
> listen_port=21
> pasv_enable=YES
> pasv_min_port=5
> pasv_max_port=50100
> pasv_address=public-ip
> port_enable=YES
> pasv_addr_resolve=NO
> listen_ipv6=NO
> pam_service_name=vsftpd
> userlist_enable=YES
> tcp_wrappers=YES
>
> Connecting from localhost to the local ip with the ftp command, I've no problems. If I try to connect from a remote host to the ftp server I got some problems. Connecting from my workstation I can log in with user and pwd, but when listing I get:
>
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (188,213,172,158,206,207)
> ftp: connect: Connection refused
> ftp>
>
> Seems to be a firewall (zywall5) problem. On the server firewalld is disabled and there are no iptables rules. So I've opened ports 20, 21 and 5:50100 from my ip to the server ip. The problem persists. I've tried to open all ports (using Any TCP and Any UDP) but the problem persists.
>
> I've tried with another local server with the same vsftpd configuration and I've reproduced the problem by closing all ports with iptables. I get the same messages, but after enabling the specified ports with iptables on the server the issue is solved.
>
> How can I solve this issue on the remote server?
>
> Thanks in advance.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
Too much temptation to resist. I don't know which one of us is older but I have a feeling it's a "horse race". Like you, I still have a land line, WiFi is too slow and "WiFi security" seems to be an oxymoronic phrase. Why people text (or IM for that matter) anything other than a one-liner is beyond me.

Now for the real issue: what happens when Network Manager (Systemd, journald, etc.) breaks? Who is going to fix it? Hiding the complexity in software effectively dumbs us down, leaving us helpless when problems surface. Anyone who has worked with Microsoft understands - give me the command prompt any day rather than layers of GUI hiding those possibly cryptic but also possibly useful messages.

- Original Message -
From: "m roth"
To: "CentOS mailing list"
Sent: Tuesday, February 14, 2017 10:07:55 AM
Subject: Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my

Johnny Hughes wrote:
> I get it .. but no one needed a hand held cell phone before 1973 and no
> one needed a smart phone before 2007. Now, almost everyone has a smart
> cell and land lines are dying. Technology moves forward. People want
> integrated cloud, container, SDN technology, etc. Used a VCR or
> Cassette Player lately?

I have no intention of *ever* getting an annoyaphone - I'm online all day at work, before I go to work, and most evenings, in front of a *real* computer. My cell's a flipphone, and I *LOATHE* texts... because the protocol was developed for freakin' pagers, and after a job 20 years ago, I don't EVER want that again.

And my land line phone has *much* better voice quality than any cell/mobile.*

And yes, I very happily have my VCR, for all the tapes I have, and a good dual cassette deck (OK, I do want to burn them to disk... along with my 200-300 vinyl records...oh, that's right, vinyl's coming back.

mark, who's older than a lot of you
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 02/15/2017 07:34 AM, Leroy Tennison wrote:
> Too much temptation to resist, I don't know which one of us is older but I
> have a feeling it's a "horse race". Like you, I still have a land line, WiFi
> is too slow and "WiFi security" seems to be an oxymoronic phrase. Why people
> text (or IM for that matter) anything other than a one-liner is beyond me.
>
> Now for the real issue, what happens when Network Manager (Systemd, journald,
> etc.) breaks? Who is going to fix it? Hiding the complexity in software
> effectively dumbs us down leaving us helpless when problems surface. Anyone
> who has worked with Microsoft understands - give me the command prompt any
> day rather than layers of GUI hiding those possibly cryptic but also possibly
> useful messages.

The people who are going to fix it are people who have RHCE certs and/or computer science degrees who work for the companies running Linux.

And I am a few years old myself.

> - Original Message -
> From: "m roth"
> To: "CentOS mailing list"
> Sent: Tuesday, February 14, 2017 10:07:55 AM
> Subject: Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
>
> Johnny Hughes wrote:
>
>> I get it .. but no one needed a hand held cell phone before 1973 and no
>> one needed a smart phone before 2007. Now, almost everyone has a smart
>> cell and land lines are dying. Technology moves forward. People want
>> integrated cloud, container, SDN technology, etc. Used a VCR or
>> Cassette Player lately?
>
> I have no intention of *ever* getting an annoyaphone - I'm online all day
> at work, before I go to work, and most evenings, in front of a *real*
> computer. My cell's a flipphone, and I *LOATHE* texts... because the
> protocol was developed for freakin' pagers, and after a job 20 years ago,
> I don't EVER want that again.
>
> And my land line phone has *much* better voice quality than any cell/mobile.*
>
> And yes, I very happily have my VCR, for all the tapes I have, and a good
> dual cassette deck (OK, I do want to burn them to disk... along with my
> 200-300 vinyl records...oh, that's right, vinyl's coming back.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
Once upon a time, Gordon Messmer said:
> DHCPv6 is really unusual. IPv6 addressing and routing is set up
> almost entirely in the kernel, unless you're using static addresses.
> IPv6 is neither harder nor easier with NetworkManager, in my
> experience.

Not sure about the version in CentOS, but in Fedora, NM disables kernel IPv6 autoconfiguration and "handles" it itself. This means that when I wake up my desktop from sleep, it can take 10-60 seconds to get working IPv6 (vs. the second or so it took the kernel). Progress...

-- 
Chris Adams
[CentOS] SOLVED - Re: Centos7 and old Bind bug
Thanks Gordon...

On 02/12/2017 03:15 PM, Gordon Messmer wrote:
> On 02/12/2017 10:56 AM, Robert Moskowitz wrote:
>>> It's probably safe to specify some range of higher numbered
>>> ports:
>>>
>>> use-v4-udp-ports { range 10240 65535; }; use-v6-udp-ports { range
>>> 10240 65535; };
>>
>> But that is not the ports that I am seeing in logwatch:
>
> Yes, I know. The work-around in the bug report specifies which ports
> to exclude, but it doesn't include some of the ports you saw in your
> logs, so it won't solve the problem entirely. If you instead specify
> the ports that are allowed, and use a higher range of ports, the
> work-around should be more reliable.

No more port messages in logwatch.

Now to learn about GeoIP and what all those failures are that show up in logwatch!
[CentOS] Unable to see Desktop folder and file
Dear CentOS User,

Today my Mendeley Reference Manager crashed. To recover freshly I deleted the Mendeley files from my system from two places, 1) from the share folder and 2) from the cache folder, by using these commands. Copy from history:

730 ls -a
731 cd .Mendeley\ Desktop/
732 ls
733 ll
734 cd ../
735 mv .Mendeley\ Desktop/ mendelyDestop
736 ll
737 rm -rf mendelyDestop
738 locate Mende
739 rm -rf /home/chinmai/.local/share/data/Mendeley Ltd./Mendeley Desktop/Downloaded*
740 locate Mende
741 rm -rf /home/chinmai/.local/share/data/Mendeley Ltd./Mendeley Desktop*
742 locate Mende
743 clear
744 locate Mende
745 rm -rf /home/chinmai/.local/share/data/Mendeley Ltd./Mendeley Desktop/www.mendeley.com/rajanik...@gmail.com-1a4c
746 rm -rf /home/chinmai/.local/share/data/Mendeley Ltd./Mendeley Desktop/www.mendeley.com/*
747 locate Mende
748 df -h
749 cd .local/share/data
750 ll
751 rm -rf Mendeley\ Ltd./
752 ll
753 locate Mende
754 cd ../
755 ls -a
756 cd .cache/
757 ll
758 rm -rf Mendeley\ Ltd./
759 ll
760 top
761 clear
762 ls
763 cd
764 ls -a
765 cd .local/share/
766 ll
767 cd
768 cd .cache/
769 ll

After deletion, my Mendeley started working, but all my folders and files from Desktop are missing. When I locate the files and folders from the desktop it shows their names, but I am unable to see those files or folders.

Any guidance regarding how to recover would be very helpful to me.

Thanks & regards,
Rahman

Md Homaidur Rahman (Research Scholar)
Lab No. 510, Computational Biophysics Lab.
Department of Biotechnology
Indian Institute of Technology-Madras
Chennai-600 036, India
Mobile No = +91- 7845991785
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 02/15/2017 12:23 AM, John R Pierce wrote:
>> DHCPv6 is really unusual. IPv6 addressing and routing is set up almost entirely in the kernel, unless you're using static addresses. IPv6 is neither harder nor easier with NetworkManager, in my experience.
>
> It was my understanding that most ipv6 networks don't need DHCPv6, they normally self-configure

Yes, that's what I was saying. :)
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 02/15/2017 07:41 AM, Johnny Hughes wrote:
> On 02/15/2017 07:34 AM, Leroy Tennison wrote:
>> Too much temptation to resist, I don't know which one of us is older but I have a feeling it's a "horse race". Like you, I still have a land line, WiFi is too slow and "WiFi security" seems to be an oxymoronic phrase. Why people text (or IM for that matter) anything other than a one-liner is beyond me.
>>
>> Now for the real issue, what happens when Network Manager (Systemd, journald, etc.) breaks? Who is going to fix it? Hiding the complexity in software effectively dumbs us down leaving us helpless when problems surface. Anyone who has worked with Microsoft understands - give me the command prompt any day rather than layers of GUI hiding those possibly cryptic but also possibly useful messages.
>
> The people who are going to fix it are people who have RHCE certs and/or computer science degrees who work for the companies running Linux.

Thank you for agreeing that systemd is not suitable for use outside of an organization that employs such people.

-- 
Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Wed, February 15, 2017 7:34 am, Leroy Tennison wrote:
> Too much temptation to resist, I don't know which one of us is older but I
> have a feeling it's a "horse race". Like you, I still have a land line,
> WiFi is too slow and "WiFi security" seems to be an oxymoronic phrase.
> Why people text (or IM for that matter) anything other than a one-liner is
> beyond me.
>
> Now for the real issue, what happens when Network Manager (Systemd,
> journald, etc.) breaks? Who is going to fix it? Hiding the complexity in
> software effectively dumbs us down leaving us helpless when problems
> surface. Anyone who has worked with Microsoft understands - give me the
> command prompt any day rather than layers of GUI hiding those possibly
> cryptic but also possibly useful messages.

Yes, stepping up to CentOS 7 reminded me of MacOS Server, which I had to help my Professor to maintain. For the most part it (MacOS Server) worked and all was self evident, but when it doesn't you finally have to open their huge doc book just to discover that it merely explains to you, mostly in pictures, how to navigate through their GUI menus. And each of them ended with something like "and you are done". No descriptions of errors and what to do when one occurs. Because of which (unexpected errors) we actually opened the documentation. (Then we finally agreed that no matter how huge the book is, documentation does not exist).

My start with CentOS 7 to some extent reminded me of this MacOS Server experience ;-) No, not absence of documentation, but the attitude to make everybody use GUI. Exactly as you notice. I bet many users were lost by Linux then...

Valeri

> - Original Message -
> From: "m roth"
> To: "CentOS mailing list"
> Sent: Tuesday, February 14, 2017 10:07:55 AM
> Subject: Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
>
> Johnny Hughes wrote:
>
>> I get it .. but no one needed a hand held cell phone before 1973 and no
>> one needed a smart phone before 2007. Now, almost everyone has a smart
>> cell and land lines are dying. Technology moves forward. People want
>> integrated cloud, container, SDN technology, etc. Used a VCR or
>> Cassette Player lately?
>
> I have no intention of *ever* getting an annoyaphone - I'm online all day
> at work, before I go to work, and most evenings, in front of a *real*
> computer. My cell's a flipphone, and I *LOATHE* texts... because the
> protocol was developed for freakin' pagers, and after a job 20 years ago,
> I don't EVER want that again.
>
> And my land line phone has *much* better voice quality than any
> cell/mobile.*
>
> And yes, I very happily have my VCR, for all the tapes I have, and a good
> dual cassette deck (OK, I do want to burn them to disk... along with my
> 200-300 vinyl records...oh, that's right, vinyl's coming back.
>
> mark, who's older than a lot of you

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
Robert Nichols wrote:
> On 02/15/2017 07:41 AM, Johnny Hughes wrote:
>> On 02/15/2017 07:34 AM, Leroy Tennison wrote:
>>> Too much temptation to resist, I don't know which one of us is older
>>> but I have a feeling it's a "horse race". Like you, I still have a
>>> land line, WiFi is too slow and "WiFi security" seems to be an
>>> oxymoronic phrase. Why people text (or IM for that matter) anything
>>> other than a one-liner is beyond me.
>>>
>>> Now for the real issue, what happens when Network Manager (Systemd,
>>> journald, etc.) breaks? Who is going to fix it? Hiding the complexity
>>> in software effectively dumbs us down leaving us helpless when problems
>>> surface. Anyone who has worked with Microsoft understands - give me
>>> the command prompt any day rather than layers of GUI hiding those
>>> possibly cryptic but also possibly useful messages.
>>
>> The people who are going to fix it are people who have RHCE certs and/or
>> computer science degrees who work for the companies running Linux.
>
> Thank you for agreeing that systemd is not suitable for use outside of an
> organization that employs such people.

'Fraid I have a lot of sympathy with Robert. When something here breaks, we - me, the other admin, and our manager - are the ones who have to figure it out asap. We do have a few RH licenses... but even so, even if we *were* paying for a 4-hr response, that's not soon enough.

mark "I have enough problems with user teams that have *multiple* levels of symlinks"
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Hello Warren,

On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
> So you've now sprayed the heap on this system, but you can't upload
> anything else to it because noexec, so…now what? What has our
> nefarious attacker gained?

So the heap is set with data provided by the (local) attacker who could initialize it to his liking using either of the two memory leaks in the options parsing.

The heap, that is entirely under the control of the attacker, now contains a call to a library with parameters such that it invokes a zero day kernel escalation privilege exploit. And now the exploit will run because pkcheck allowed the attacker to initialize its entire heap via the command line.

Had the two memory leaks in the pkcheck options parsing been fixed the attacker should have looked for another path to leverage his zero day.

So the mere fact that an untrusted user is able to massage the heap of a binary (pkcheck in this case) to run whatever code he wants is a serious attack vector and thus those two memory leaks should be fixed. Because they allow bad people to leverage attacks with much more ease.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Wed, 15 Feb 2017, Valeri Galtsev wrote:
> My start with CentOS 7 to some extent reminded me this MacOS Server experience ;-) No, not ansence of documentation, but the attitude to make everybody use GUI. Exactly as you notice. I bet many users were lost by Linux then...

Sometimes on this list I get the impression that I've downloaded an entirely different release of CentOS 7 to other people.

Exactly what GUI do you ever have to use with CentOS7? systemd all in has caused me remarkably little bother, getting on and doing what it's told. I had some logind glitches, but those were fixable. I configure the lot with puppet, and to be honest found C7 pretty pain free as an upgrade. For various reasons, real happiness didn't arrive until 7.2, but then lots of that was due to nvidia driver behaviours with Gnome3 that I suspect most people don't have to worry about.

But complaining that CentOS 7 is GUI driven I find baffling.

jh
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 09:37 AM, Leonard den Ottolander wrote:
> Hello Warren,
>
> On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
>> So you've now sprayed the heap on this system, but you can't upload
>> anything else to it because noexec, so…now what? What has our
>> nefarious attacker gained?
>
> So the heap is set with data provided by the (local) attacker who could
> initialize it to his liking using either of the two memory leaks in the
> options parsing.
>
> The heap, that is entirely under the control of the attacker, now
> contains a call to a library with parameters such that it invokes a zero
> day kernel escalation privilege exploit. And now the exploit will run
> because pkcheck allowed the attacker to initialize its entire heap via
> the command line.
>
> Had the two memory leaks in the pkcheck options parsing been fixed the
> attacker should have looked for another path to leverage his zero day.
>
> So the mere fact that an untrusted user is able to massage the heap of a
> binary (pkcheck in this case) to run whatever code he wants is a serious
> attack vector and thus those two memory leaks should be fixed. Because
> they allow bad people to leverage attacks with much more ease.

What people are trying to point out to you is:

1. The 'user' that the 'attacker' can run things as is themselves .. AND

2. They already have shell access on the machine in question and they can already run anything in that shell that they can run via what you are pointing out.

3. If they have access to a zeroday issue that gives them root .. they can just use that via their shell that they already have (that you gave them, which they are using) to get root .. they therefore don't need to use this issue at all.

All of that said, all memory leaks (and any other bugs) should be fixed. It is just NOT a major security issue.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Hello Johnny,

On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote:
> 2. They already have shell access on the machine in question and they
> can already run anything in that shell that they can run via what you
> are pointing out.

No, assuming noexec /home mounts all they can run is system binaries.

> 3. If they have access to a zeroday issue that give them root .. they
> can just use that via their shell that they already have (that you gave
> them, which they are using) to get root .. they therefore don't need to
> use this issue at all.

No, assuming noexec /home mounts all they have to leverage a zero day are
system binaries. pkcheck to the rescue.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 02/15/2017 09:45 AM, John Hodrien wrote:
> On Wed, 15 Feb 2017, Valeri Galtsev wrote:
>
>> My start with CentOS 7 to some extent reminded me this MacOS Server
>> experience ;-) No, not absence of documentation, but the attitude to make
>> everybody use GUI. Exactly as you notice. I bet many users were lost by
>> Linux then...
>
> Sometimes on this list I get the impression that I've downloaded an entirely
> different release of CentOS 7 to other people.
>
> Exactly what GUI do you ever have to use with CentOS7? systemd all in has
> caused me remarkably little bother, getting on and doing what it's told. I
> had some logind glitches, but those were fixable. I configure the lot with
> puppet, and to be honest found C7 pretty pain free as an upgrade. For various
> reasons, real happiness didn't arrive until 7.2, but then lots of that was due
> to nvidia driver behaviours with Gnome3 that I suspect most people don't have
> to worry about.
>
> But complaining that CentOS 7 is GUI driven I find baffling.

Exactly. If I install CentOS-7 on a desktop, I use gui things. If I install
CentOS-7 on a server, I never install gui things (unless I am doing for
someone who specifically asks for that).

nmcli allows you to do anything you would do in a NM GUI.

But the real bottom line is .. this is not the place where any of that could
be changed anyway. CentOS is a rebuild of RHEL source code .. if RHEL does
it, so do we.

The other thing is .. CentOS-6 has security support until 30 Nov 2020, so no
one has to upgrade to CentOS-7 or systemd for 3.75 more years. If you like
the older things, use CentOS-6. If you want the new things, use CentOS-7.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Johnny Hughes wrote:
> On 02/15/2017 09:37 AM, Leonard den Ottolander wrote:
>> On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
>>> So you’ve now sprayed the heap on this system, but you can’t upload
>>> anything else to it because noexec, so…now what? What has our
>>> nefarious attacker gained?
>>
>> So the heap is set with data provided by the (local) attacker who could
>> initialize it to his liking using either of the two memory leaks in the
>> options parsing.
>>
>> The heap, that is entirely under the control of the attacker, now
>> contains a call to a library with parameters such that it invokes a zero
>> day kernel escalation privilege exploit. And now the exploit will run
>> because pkcheck allowed the attacker to initialize its entire heap via
>> the command line.

I've skipped most of this thread, but went through this post, and excuse me
if this sounds like a stupid question... but when the attacker runs their
job, isn't it *THEIR* heap, one allocated for this PID, and not any other,
such as the heap allocated for PID 1?

mark
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Once upon a time, Leonard den Ottolander said:
> On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote:
> > 2. They already have shell access on the machine in question and they
> > can already run anything in that shell that they can run via what you
> > are pointing out.
>
> No, assuming noexec /home mounts all they can run is system binaries.

noexec is not that big of a protection. On a normal CentOS system, you
almost certainly have python installed (as well as likely other scripting
languages such as perl), and they can be used to do just about anything
compiled code can do.

Plus there's /tmp, /var/tmp, and other directories (depending on software
installed) that are writable by users, so unless you mount something noexec
on all of them, you haven't gained much.

noexec is largely a legacy option at this point.

-- 
Chris Adams
Re: [CentOS] (re)build sssd-client.i686 for x86_64
hi all,

building with mock was pretty easy (especially easier than figuring out what
build deps were required ;)

anyway, for this specific case, the following things needed to be taken into
account:
* do not copy all i686 rpms with the x86_64 ones in a single repo; was a huge
  mess. i ended up with the same rpms that centos has in the x86_64 repo
  (sssd-client and some of the libsss rpms)
* i was unable to mix the x86_64 copr sssd rpms with self-built i686 ones.
  once i also rebuilt the x86_64 ones, things worked out (wrt manpage
  conflicts)

anyway, thanks a lot for the explanation!

stijn

On 02/15/2017 11:10 AM, Stijn De Weirdt wrote:
> hi johnny,
>
> apologies, yes this is centos7 on x86_64.
>
> i had to set PKGCONFIG_DIR, but that looked like the only thing.
>
> i'll give mock a try and see what comes out.
>
> thanks a lot
>
> stijn
>
> On 02/15/2017 10:44 AM, Johnny Hughes wrote:
>> On 02/15/2017 03:41 AM, Johnny Hughes wrote:
>>> On 02/15/2017 02:39 AM, Stijn De Weirdt wrote:
>>>> hi all,
>>>>
>>>> i'm trying to rebuild the current sssd-client.i686 rpm that is part of
>>>> the x86_64 repo, but i fail to do so. rebuilding the sssd.src.rpm on
>>>> x86_64 does not produce this rpm.
>>>>
>>>> i can rebuild sssd.src.rpm with --target=i686, but that sssd-client rpm
>>>> has conflicts and a whole bunch of i686 deps that the rpm from the
>>>> centos repo doesn't have.
>>>>
>>>> tips/help welcome
>>>
>>> I'll assume CentOS-7 as you don't really say which version. This works
>>> for CentOS-6 as well though.
>>>
>>> RHEL-7 does not contain a full i686 tree, only some of that tree in the
>>> form of multilib packages. However to BUILD those i686 packages, you
>>> need a full i686 repo in your build system.
>>>
>>> CentOS-7 does actually have an AltArch i686 SIG that produces a fully
>>> installable i686 arch. You could use this arch and mock to build i686
>>> packages on an x86_64 CentOS-7 machine.
>>>
>>> You always want to build SRPMs in mock instead of using rpmbuild on a
>>> normal system because when building the configure files look for things
>>> to link against .. if it finds extra things installed on your system
>>> (like desktop files or extra repository packages) it can link against
>>> those files and then require things you don't want. Mock creates a
>>> separate minimal chroot and adds only requirements of the specific SRPM
>>> to that minimal root. The RPMs produced are then only linked against
>>> that very controlled build root.
>>>
>>> There are mock configs for both CentOS-6 i386 and CentOS-7 i386 that
>>> will work to build packages in mock and use the CentOS Base and Updates
>>> repos by default.
>>>
>>> You can also see all the mock configs we use on CentOS-7 here:
>>>
>>> https://git.centos.org/tree/sig-core!bld-seven.git/37012c4fe4f69aa649fdb3e9b1ec002aafd2054f/mock
>>
>> I forgot to say that we have a mock in centos extras for CentOS-7. You
>> can get it with:
>>
>> yum install mock
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Mon, 2017-02-13 at 16:49 +, James Hogarth wrote:
> On EL6 yes NM should be removed on anything but a wifi system but on
> EL7 unless you fall into a specific edge case as per the network docs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Networking_Guide/index.html
>
> you really should be using NM for a variety of reasons.
>
> Incidentally Mark, this had nothing to do with systemd ... I wish you
> would pick your topics a little more appropriately rather than
> tempting the usual flames.

Mark actually gets his hands dirty running the systems (on C7). He has a
valid point which worries me - Red Hat's gradual imitation of Micro $oft's
aversion to ordinary people understanding and controlling their systems.

Luckily some of us remain on C6 because we love simplicity and stability.
When C6 expires some will migrate to BSD rather than face C7's persistent
difficulties and confusion.

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 10:22 am, Chris Adams wrote:
> Once upon a time, Leonard den Ottolander said:
>> On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote:
>> > 2. They already have shell access on the machine in question and they
>> > can already run anything in that shell that they can run via what you
>> > are pointing out.
>>
>> No, assuming noexec /home mounts all they can run is system binaries.
>
> noexec is not that big of a protection. On a normal CentOS system, you
> almost certainly have python installed (as well as likely other
> scripting languages such as perl), and they can be used to do just about
> anything compiled code can do.

Indeed, perl and often python are installed on most of servers I run. Not
considering myself security expert, I would like to ask: could you point to
some elevation of privileges exploit written in perl or python? All I've
seen were c/c++, but again I'm just a humble sysadmin.

>
> Plus there's /tmp, /var/tmp, and other directories (depending on
> software installed) that are writable by users, so unless you mount
> something noexec on all of them, you haven't gained much.

And yes, ALL user writable places (including often overlooked /dev/shm) are
mounted with nosuid, nosgid, nodev, noexec options on servers where users
are allowed to have shell. Or you should be able to do something like jail
on FreeBSD which you dedicate to user shell login, and restrict it the way
you need - don't know off hand how you do it on Linux box, experts will
definitely name several ways.

Valeri

>
> noexec is largely a legacy option at this point.
> -- 
> Chris Adams

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
> Used a VCR or Cassette Player lately?

My VCR broke. Replaced it with a DVD/HDD & USB3 unit. Replaced cassette
player and tape recorders with broadcast quality handheld recorder DR-100mk3
and an amazingly good Sony PX440.

Still retain the original functionality. C7 doesn't retain all the original
functionality :-)

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Tue, 2017-02-14 at 20:40 -0800, Alice Wonder wrote:
> Why the bleep can't stuff like this be simple KISS with simple key=value
> configuration files?

Amen. It's incredibly simple to understand and doesn't require a doctorate
in confused thinking !

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 15 Feb 2017 16:40, "Always Learning" wrote:

On Mon, 2017-02-13 at 16:49 +, James Hogarth wrote:
> On EL6 yes NM should be removed on anything but a wifi system but on
> EL7 unless you fall into a specific edge case as per the network docs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Networking_Guide/index.html
>
> you really should be using NM for a variety of reasons.
>
> Incidentally Mark, this had nothing to do with systemd ... I wish you
> would pick your topics a little more appropriately rather than
> tempting the usual flames.

Mark actually gets his hands dirty running the systems (on C7). He has a
valid point which worries me - Red Hat's gradual imitation of Micro $oft's
aversion to ordinary people understanding and controlling their systems.

Luckily some of us remain on C6 because we love simplicity and stability.
When C6 expires some will migrate to BSD rather than face C7's persistent
difficulties and confusion.

And no he doesn't have a point because that's nonsense

And course with the subject chosen this whole thread burned into flames
rather than being constructive

Can we just kill this now and if there is actually something wrong have a
fresh thread with diagnostics?
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
Always Learning wrote:
>
>> Used a VCR or Cassette Player lately?
>
> My VCR broke. Replaced it with a DVD/HDD & USB3 unit. Replaced cassette
> player and tape recorders with broadcast quality handheld recorder
> DR-100mk3 and an amazingly good Sony PX440.

But how do you play all your old VCR tapes? As I said, I want to burn them
to disk, but I still have a working VCR.

mark

>
> Still retain the original functionality. C7 doesn't retain all the
> original functionality :-)
>
> -- 
> Regards,
>
> Paul.
> England, EU. England's place is in the European Union.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 08:22 AM, Chris Adams wrote:
> noexec is not that big of a protection. On a normal CentOS system, you
> almost certainly have python installed (as well as likely other
> scripting languages such as perl), and they can be used to do just about
> anything compiled code can do.

Exactly. Since python is required by yum (and gettext, and systemd-sysv),
it's nearly impossible to have a CentOS system without python. Python, of
course, includes the "ctypes" module, which allows you to load a shared
object and call a C function with whatever arguments you choose. You
*absolutely* do not need a heap spraying attack in order to make arbitrary
library or kernel calls.

Leonard, man... you've got to let this go. Users with shell access already
have fairly broad permission to execute arbitrary code on the system they
log in to. The memory leak in pkcheck is *not* a security issue. It's just
a bug. *Everyone* is trying to tell you this, including the maintainers of
CentOS, and (in your original bug report) the maintainers of RHEL. The
security bug you've used as a foundation for all of this was built on a
SUID binary, which pkcheck is not.

What's it going to take for you to accept this? Do you honestly think that
you are better qualified than all of the maintainers and developers that
are telling you that this isn't a security bug?

I really want to encourage you to stay involved as a community member. Free
Software is a participation culture, and every contributor has the
potential to make the entire system better, but participation is a two-way
conversation. You've got to learn to listen, as well.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Wed, February 15, 2017 11:45 am, m.r...@5-cent.us wrote:
> Always Learning wrote:
>>
>>> Used a VCR or Cassette Player lately?
>>
>> My VCR broke. Replaced it with a DVD/HDD & USB3 unit. Replaced cassette
>> player and tape recorders with broadcast quality handheld recorder
>> DR-100mk3 and an amazingly good Sony PX440.
>
> But how do you play all your old VCR tapes?

I converted my video tapes (the ones I taped myself, not movies I purchased
on tapes: the last just went to garbage, the law here does not allow you to
transfer purchased copyrighted videos to different carrier) into DVDs (with
poorer quality than VCR has). What I needed was video card with video
capture capability, and piece of software. Confession: I did it in Windows
(2000 probably), the card was ATI Radeon (something), that had video (and
audio) inputs and came with capture software. You can find stand alone
video capture box that you can feed from VCR as well. Once you have mpeg
video files, it is trivial to convert them to DVD structure. For that I
used ffmpeg and dvdauthor (both run on Linux and FreeBSD).

I hope this helps.

Valeri

> As I said, I want to burn them
> to disk, but I still have a working VCR.
>
> mark
>>
>> Still retain the original functionality. C7 doesn't retain all the
>> original functionality :-)
>>
>> -- 
>> Regards,
>>
>> Paul.
>> England, EU. England's place is in the European Union.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 08:47 AM, Valeri Galtsev wrote:
> And yes, ALL user writable places (including often overlooked /dev/shm)
> are mounted with nosuid, nosgid, nodev, noexec options on servers where
> users are allowed to have shell.

How sure are you? On the system I'm looking at right now, any user can
write to:

/dev/mqueue
/dev/shm
/run/user/
/run/screen/S-
/var/spool/samba
/home/
/tmp
/var/tmp

Notably, the "screen" and "samba" locations only appear when the respective
packages are installed, so the places users can write may vary from system
to system.
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On 2/15/2017 9:45 AM, m.r...@5-cent.us wrote:
> But how do you play all your old VCR tapes? As I said, I want to burn them
> to disk, but I still have a working VCR.

ugh, the video quality of VHS is *so* nasty, I don't WANT to play those old
tapes any more. I do have a still working Hi8 VCR I've used to convert some
of our old camcorder tapes to digital (burned onto DVDs and/or converted to
MP4 files), the quality on that was a good notch better than VHS, I connect
the s-video output of the deck to a USB dongle (from Hauppauge), and run a
pile of MS windows software to suck in the tape and convert the results to
useful formats.

My old cassette deck (a Denon) is still plugged into my stereo, I don't
think I've used it once in 10 years.

-- 
john r pierce, recycling bits in santa cruz
[CentOS] Kickstart - part ignore onpart ??
Hello Guys,

after hours of unsuccessful attempts to create an example before I move on
to special partition tests:

part ignore --onpart

But the installation hangs while partitioning the hard disk.

If I jump to another console, the partitions are OK?

Which line/lines is/are missing?

Andy

#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
# System language
lang de_DE.UTF-8

# Network information
network --bootproto=dhcp --device=enp0s3 --ipv6=auto --no-activate
network --hostname=localhost.localdomain

# Root password
rootpw --iscrypted $6$ZzmFRmN6XqC0.Mc4$LVrBwcqgnv5kIU5mM8e424PDPD7P1dq342lIZrB9gVFzv6EzSRPTGfLyH/M4yf88iwUpOK/XidvqWiYVl8xcG1
# System services
services --enabled="chronyd"
# System timezone
timezone Europe/Berlin --isUtc
user --groups=wheel --name=andy --password=$6$gpkn155QMucNw0DC$TUuSuPCe5NEdFyoF/e.bKzrEHvE7W5gyYqNMCmKbkdLIyUnq1qAD5A/.ax/r6DU1MspPnrUzpuWw7rEzOD9hM. --iscrypted --gecos="Andreas Benzler"
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Disk partitioning information
part /boot --onpart=/dev/sda1
part / --onpart=/dev/sda2
part swap --onpart=/dev/sda3

selinux --disabled

%packages
@^minimal
@core
chrony
kexec-tools

%end

%pre
# clear the MBR and partition table
dd if=/dev/zero of=/dev/sda bs=512 count=1
parted -s /dev/sda mklabel msdos
# total disk size in MB, taken from the free-space listing
TOTAL=`parted -s /dev/sda unit mb print free | grep Free | awk '{print $3}' | cut -d "M" -f1`
let SWAP_START=$TOTAL-820
let ROOT_END=$TOTAL-128-820
# 128 MB /boot, root up to the swap area, 820 MB swap at the end
parted -s /dev/sda mkpart primary ext2 0 128
parted -s /dev/sda mkpart primary ext2 128 $ROOT_END
parted -s /dev/sda mkpart primary linux-swap $SWAP_START $TOTAL
mkfs.ext2 /dev/sda1
mkfs.ext2 /dev/sda2
mkswap /dev/sda3
%end

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

%anaconda
pwpolicy root --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy luks --minlen=6 --minquality=50 --notstrict --nochanges --notempty
%end
Re: [CentOS] Kickstart - part ignore onpart ??
On 2/15/2017 11:04 AM, Andreas Benzler wrote:
> after hours of uncessfull create example before i forward special
> parition tests.
>
> part ignoe --onpart
>
> But Installation hang out for parition the harddisk.
>
> jump to another console partitions are ok ?

There are an awful lot of typos in this email message, including the
command you're saying you're using... leads me to wonder if you're not
making similar errors in what you're actually doing.

-- 
john r pierce, recycling bits in santa cruz
Re: [CentOS] mach64 driver, latest update in CentOS 6.8, symbol lookup error
Opened bug Bug 1422622 at RedHat Bugzilla.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Once upon a time, Gordon Messmer said:
> Leonard, man... you've got let this go. Users with shell access
> already have fairly broad permission to execute arbitrary code on
> the system they log in to. The memory leak in pkcheck is *not* a
> security issue. It's just a bug.

Here's the other thing about it: you are saying it might could be exploited
in your setup (where other things maybe could not). That's potentially a
problem, but it is not a problem in most anybody else's setup (most
definitely not the default setup, or alternate setups from the Red Hat
documentation). Red Hat generally only devotes resources to security issues
in the default or documented setups; there have been CVEs where they just
say "this is outside any supported setup".

-- 
Chris Adams
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
Once upon a time, Valeri Galtsev said:
> Indeed, perl and often python are installed on most of servers I run. Not
> considering myself security expert, I would like to ask: could you point
> to some elevation of privileges exploit written in perl or python? All
> I've seen were c/c++, but again I'm just a humble sysadmin.

That wasn't the point; the point was that users can only run system
binaries so they can only do what is "permitted". I don't know about
python, but perl can make arbitrary kernel system calls (even if they
aren't actually supported by perl), so having perl installed allows users
to do anything a compiled program can do. Trying to control what users can
do by mounting "noexec" is not particularly limiting, at least to somebody
determined.

So it may be harder/more cumbersome/etc., but I believe that you could
write exploits in perl or python; it just isn't commonly done in examples
because of the extra work (it's also probably harder to read).

-- 
Chris Adams
Re: [CentOS] Kickstart - part ignore onpart ??
I'm ill, I'm German ... the script looks ok, copied from a slim installation
of anaconda. Inserted only the "pre part" and

part /boot --onpart=/dev/sda1
part / --onpart=/dev/sda2
part swap --onpart=/dev/sda3

As I wrote: jump over to another console and the partitions are there.

Sincerely

Andy

On Wednesday, 15.02.2017, 11:16 -0800, John R Pierce wrote:
> On 2/15/2017 11:04 AM, Andreas Benzler wrote:
> > after hours of uncessfull create example before i forward special
> > parition tests.
> >
> > part ignoe --onpart
> >
> > But Installation hang out for parition the harddisk.
> >
> > jump to another console partitions are ok ?
>
> There are an awful lot of typos in this email message, including the
> command you're saying you're using... leads me to wonder if you're not
> making similar errors in what you're actually doing.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 1:29 pm, Chris Adams wrote:
> Once upon a time, Valeri Galtsev said:
>> Indeed, perl and often python are installed on most of servers I run.
>> Not considering myself security expert, I would like to ask: could you
>> point to some elevation of privileges exploit written in perl or python?
>> All I've seen were c/c++, but again I'm just a humble sysadmin.
>
> That wasn't the point; the point was that users can only run system
> binaries so they can only do what is "permitted". I don't know about
> python, but perl can make arbitrary kernel system calls (even if they
> aren't actually supported by perl), so having perl installed allows
> users to do anything a compiled program can do. Trying to control what
> users can do by mounting "noexec" is not particularly limiting, at least
> to somebody determined.

Thanks for answering. Well, I have seen attempts on my systems, more than
once, and they were unsuccessful, as all user writable on these two
machines was mounted noexec (and also nosuid, nosgid, nodev). Of course,
systems didn't have unpatched known exploits, here we are on the same page:
you have to keep your system updated. So they shouldn't be successful even
if they were executed. Still, noexec is like yet one more line of defense.
Pretty much like we lock front doors of our buildings, even though we do
lock doors of our apartments. Or the same as having firewall, even though
you don't have anything listening to some ports which is not supposed to.
I kind of was repeated too many times by many people in my life that there
is no overdoing when the security is concerned.

Valeri

>
> So it may be harder/more cumbersome/etc., but I believe that you could
> write exploits in perl or python; it just isn't commonly done in
> examples because of the extra work (it's also probably harder to read).
>
> -- 
> Chris Adams

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 12:23 pm, Gordon Messmer wrote:
> On 02/15/2017 08:47 AM, Valeri Galtsev wrote:
>> And yes, ALL user writable places (including often overlooked /dev/shm)
>> are mounted with nosuid, nosgid, nodev, noexec options on servers where
>> users are allowed to have shell.
>
>
> How sure are you?

I just run a bunch of find commands before rolling out system to find what
I might not like, e.g. finding all world writable files...:

find / -perm -2 ! -type l -ls

...

> On the system I'm looking at right now

Oh, yes, I must confess, I do not tighten up latest Linuxes, my machines
that do need this level of attitude to users are FreeBSD since long ago.
The last Linuxes that needed that were CentOS 5, so logically, you are
right again. And on CentOS 5, as far as the following list is concerned (I
am just marking those that did not exists there on my boxes):

>, any user can
> write to:
>

/dev/mqueue - NOT on CentOS 5
/dev/shm - there and was mounted with noexec (and others)
/run/user/ - NOT on CentOS 5
/run/screen/S- - NOT on CentOS 5
/var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;
but there is /var/spool/mail (needs to be writable for locks if it is mbox
format, not maildir)
/home/ - mounted with noexec and friends
/tmp - mounted with noexec and friends
/var/tmp - mounted with noexec and friends

And you are right again, there is a lot of hassle (and using separate
partitions to have them noexec). I guess, I was not too lazy with respect
to security back then (and now too, hopefully ;-)

Valeri

>
> Notably, the "screen" and "samba" locations only appear when the
> respective packages are installed, so the places users can write may
> vary from system to system.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] CentOS 7, systemd, NetworkMangler, oh, my
On Wed, 2017-02-15 at 12:45 -0500, m.r...@5-cent.us wrote:
> Always Learning wrote:
> >
> >> Used a VCR or Cassette Player lately?
> >
> > My VCR broke. Replaced it with a DVD/HDD & USB3 unit. Replaced cassette
> > player and tape recorders with broadcast quality handheld recorder
> > DR-100mk3 and an amazingly good Sony PX440.
>
> But how do you play all your old VCR tapes? As I said, I want to burn them
> to disk, but I still have a working VCR.

I converted all of them to DVDs several years ago.

Like you I still have vinyl disks, 33 rpm and 45 rpm from the late 1960's
and early 1970's. Although a classical music fan, some of the old singles
are evocative classics in their own right. I need to convert them.

Paul.

P.S. Landlines = better quality than mobiles. Non-Smart Phones can't get
hacked or mics and cameras turned-on remotely. Prefer my Canon SX40 and
Nikon D7100 to any Smart Phone. Wifi has guest zones but is usually
disabled.
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
> /run/screen/S- - NOT on CentOS 5
> /var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;

To be pedantic: screen definitely creates a user-writable directory on
CentOS 5, in a different location, and samba will include that directory if
installed. It can be really hard to make sure everything required is
mounted noexec when some of these directories are automatically created by
SUID or SGID binaries, in response to user actions.
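The two lists above (Gordon's inventory of user-writable locations and Valeri's `find / -perm -2 ! -type l -ls` pass) can be turned into one check that answers the question the thread keeps circling: for each directory any user can write to, which of noexec, nosuid and nodev is actually missing on the mount that covers it. The script below is an added example and is not code from this thread or from CentOS. It reads the `/proc/self/mountinfo` table (a real kernel interface), resolves each path to the longest matching mount point so that over-mounts such as `/run/user/<uid>` are judged on their own options rather than their parent's, and walks the filesystem for world-writable directories the way the `find` command does. The `SAMPLE_MOUNTINFO` table is constructed for the example; it is not from any real host.

```python
"""Audit which user-writable directories sit on a mount lacking noexec/nosuid/nodev.

Added example: reads a /proc/self/mountinfo table (or a constructed copy of
it), resolves each path to the mount that actually covers it (longest prefix
wins, later over-mounts shadow earlier ones) and reports the options missing.
"""
import os
import re
import stat
from typing import Dict, Iterable, List, Set, Tuple

# Mount options the audit looks for; a directory is reported when any is absent.
HARDENING = ("noexec", "nosuid", "nodev")

# Constructed sample in /proc/self/mountinfo format (not taken from a real host):
# /home is fully hardened, /tmp lacks noexec, /var/tmp lives on the root filesystem.
SAMPLE_MOUNTINFO = """\
17 39 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
19 39 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,mode=755
24 19 0:18 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
25 19 0:12 / /dev/mqueue rw,relatime shared:4 - mqueue mqueue rw
26 39 0:19 / /run rw,nosuid,nodev shared:21 - tmpfs tmpfs rw,mode=755
39 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/centos-root rw,attr2,inode64
45 39 253:2 / /home rw,nosuid,nodev,noexec,relatime shared:28 - xfs /dev/mapper/centos-home rw
46 39 253:3 / /tmp rw,nosuid,nodev,relatime shared:29 - xfs /dev/mapper/centos-tmp rw
47 26 0:40 / /run/user/1000 rw,nosuid,nodev,relatime shared:300 - tmpfs tmpfs rw,mode=700
"""

Mount = Tuple[str, Set[str]]


def _unescape(field: str) -> str:
    """mountinfo octal-escapes space, tab, newline and backslash in paths (e.g. \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Return (mount_point, options) pairs in table order.

    Field layout: id parent maj:min root mount_point options [optional...] - fstype source super_opts
    Only the per-mount options (sixth field) carry noexec/nosuid/nodev.
    """
    mounts: List[Mount] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or "-" not in fields:
            continue
        mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts


def mount_for_path(path: str, mounts: List[Mount]) -> Mount:
    """Mount covering path: longest mount-point prefix; on equal length the later entry wins."""
    path = os.path.normpath(path)
    best = None
    for mount_point, opts in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, opts)
    if best is None:
        raise ValueError("no mount covers %s" % path)
    return best


def missing_hardening(path: str, mounts: List[Mount]) -> Set[str]:
    """Hardening options absent from the mount that covers path (empty set = fully hardened)."""
    _, opts = mount_for_path(path, mounts)
    return {o for o in HARDENING if o not in opts}


def audit(paths: Iterable[str], mounts: List[Mount]) -> Dict[str, Set[str]]:
    """Map each path to its missing options."""
    return {p: missing_hardening(p, mounts) for p in paths}


def world_writable_dirs(root: str) -> List[str]:
    """Equivalent of `find ROOT -type d -perm -2 ! -type l`: directories any user can write to.

    Sticky directories such as /tmp are included on purpose: the sticky bit stops
    deleting other users' files, it does not stop dropping a new file there.
    """
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        # pseudo-filesystems are noise for this audit
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in ("/proc", "/sys")]
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(full)
    return found


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        live = parse_mountinfo(fh.read())
    for d, missing in sorted(audit(world_writable_dirs("/"), live).items()):
        if missing:
            print("%s: missing %s" % (d, ",".join(sorted(missing))))
```

Run as root on a live box it prints every world-writable directory whose mount lacks one of the three options; against the constructed table it reports `/tmp` and `/dev/shm` as missing `noexec` and `/var/tmp` and `/dev/mqueue` as missing all three. Because the walk finds directories rather than reading a fixed list, directories created later by a package or a SUID helper show up on the next run, which is the point Gordon makes above.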
Re: [CentOS] mach64 driver, latest update in CentOS 6.8, symbol lookup error
So the rebuild does not work?

Sincerely

Andy

On Wednesday, 15.02.2017 at 17:26 +, Styma, Robert (Nokia - US) wrote:
> 1422622
Re: [CentOS] Problems with latest Firefox update -- can't install new extensions
On Wed, Feb 15, 2017 at 2:25 AM, Johnny Hughes wrote:
> On 02/12/2017 03:15 PM, Kay Schenk wrote:
> > Since the latest Firefox update to 45.7.0 on my CentOS 6.8 system, I can
> > no longer install add-ons/extensions. Things LOOK like they're working
> > but the extensions don't get stored in my normal area and they don't
> > appear in my Add-Ons menu. Is anyone else having this issue?
> >
> > It has been a while since I added any new extensions so I can't say WHEN
> > exactly this problem happened but :(
>
> I don't have any CentOS-6 desktops anymore, but I did a desktop install
> into a VM and installed firefox and the flash plugin from adobe.. seemed
> to work OK.
>
> I also installed firessh extension as a test. That also worked fine.
> This extension was installed in my home directory under:
>
> /.mozilla/extensions/

Thanks for the reply. The "normal" plug-ins are fine. It's the "Add-Ons" that are my problem. I've got some "odd" ones, and am still trying to determine if some of my privacy settings might have any bearing. So far, no joy with the ones I've tried, even checking Mozilla's black list, etc.

If I discover anything more worthwhile in this regard, I'll re-post here.

--
MzK

"Trust, but verify."
-- Ronald Reagan
[CentOS] About the flash-plugin
Y'all may remember I posted here weeks ago that flash-plugin was crashing. There was an update this morning, which I did on my workstation... and it hasn't crashed all day on either of the two radio stations that I listen to via streaming media.

mark
Re: [CentOS] Kickstart - part ignore onpart ?? solved, but not enough place for core.img grub2
Terrible me of understand how that works ... But: not enough place on sda for core.img if you are using grub2 ??? I bumped boot to 500MB, it helped nothing. Tried another filesystem, same error.

"Sometimes you must be the developer to understand the program."

Now it looks like:

#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
# System language
lang de_DE.UTF-8

# Network information
network --bootproto=dhcp --device=enp0s3 --ipv6=auto --no-activate
network --hostname=localhost.localdomain

# Root password
rootpw --iscrypted $6$ZzmFRmN6XqC0.Mc4$LVrBwcqgnv5kIU5mM8e424PDPD7P1dq342lIZrB9gVFzv6EzSRPTGfLyH/M4yf88iwUpOK/XidvqWiYVl8xcG1
# System services
services --enabled="chronyd"
# System timezone
timezone Europe/Berlin --isUtc
user --groups=wheel --name=andy --password=$6$gpkn155QMucNw0DC$TUuSuPCe5NEdFyoF/e.bKzrEHvE7W5gyYqNMCmKbkdLIyUnq1qAD5A/.ax/r6DU1MspPnrUzpuWw7rEzOD9hM. --iscrypted --gecos="Andreas Benzler"
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Disk partitioning information
clearpart --none
part /boot --fstype=ext2 --onpart=/dev/sda1 --noformat
part / --fstype=ext2 --onpart=/dev/sda2 --noformat
part swap --onpart=sda3 --noformat
selinux --disabled

%packages
@^minimal
@core
chrony
#nfs-utils
#bind-utils
kexec-tools
%end

%pre
# clear the MBR and partition table
dd if=/dev/zero of=/dev/sda bs=512 count=1
partprobe
parted -s /dev/sda mklabel msdos
TOTAL=`parted -s /dev/sda unit mb print free | grep Free | awk '{print $3}' | cut -d "M" -f1`
let SWAP_START=$TOTAL-820
let ROOT_END=$TOTAL-500-820
parted -s /dev/sda mkpart primary ext2 0 500
parted -s /dev/sda mkpart primary ext2 500 $ROOT_END
parted -s /dev/sda mkpart primary linux-swap $SWAP_START $TOTAL
# parted -s /dev/sda set 1 boot on
mkfs.ext2 -L BOOT /dev/sda1
mkfs.ext2 -L ROOT /dev/sda2
mkswap -L SWAP /dev/sda3
%end

%addon com_redhat_kdump --enable --reserve-mb='auto'
%end

%anaconda
pwpolicy root --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy luks --minlen=6 --minquality=50 --notstrict --nochanges --notempty
%end
Re: [CentOS] mach64 driver, latest update in CentOS 6.8, symbol lookup error
Hi Andy,

I tried it but got the same error. I am pretty sure I got the correct copy of the driver as can be seen in the log. Interesting note, when rhgb was on during boot, the word CentOS 6.8 at the bottom right of the screen was orange instead of white. I wonder if the kernel was aware of there being a custom driver. I do appreciate the help.

While I have never written drivers, my experience with .so files indicates that they added something to the file which invokes the driver to reference xf86LinearVidMem which was never added to that driver.

yum --disablerepo=\* --enablerepo=cms4all install xorg-x11-drv-mach64
Loaded plugins: fastestmirror, refresh-packagekit
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package xorg-x11-drv-mach64.i686 0:6.9.4-10.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

==
 Package                 Arch     Version         Repository   Size
==
Reinstalling:
 xorg-x11-drv-mach64     i686     6.9.4-10.el6    cms4all      69 k

Transaction Summary
==
Reinstall     1 Package(s)

Total download size: 69 k
Installed size: 168 k
Is this ok [y/N]: y
Downloading Packages:
xorg-x11-drv-mach64-6.9.4-10.el6.i686.rpm    | 69 kB    00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : xorg-x11-drv-mach64-6.9.4-10.el6.i686    1/1
  Verifying  : xorg-x11-drv-mach64-6.9.4-10.el6.i686    1/1

Installed:
  xorg-x11-drv-mach64.i686 0:6.9.4-10.el6

Complete!

[root@host yum.repos.d]# cat cms4all.repo
[cms4all]
name=cms4all
baseurl=http://centos.cms4all.org/repo/6/updates/
enabled=1
gpgcheck=0
priority=1

I had to move an older production server and it had the same problem when I powered it on, so I opened the ticket.
-----Original Message-----
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Andreas Benzler
Sent: Wednesday, February 15, 2017 1:39 PM
To: centos@centos.org
Subject: Re: [CentOS] mach64 driver, latest update in CentOS 6.8, symbol lookup error

So the rebuild does not work?

Sincerely

Andy

On Wednesday, 15.02.2017 at 17:26 +, Styma, Robert (Nokia - US) wrote:
> 1422622
Re: [CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 2:38 pm, Gordon Messmer wrote:
> On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
>> /run/screen/S- - NOT on CentOS 5
>> /var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;
>
>
> To be pedantic: screen definitely creates a user-writable directory on
> CentOS 5, in a different location, and samba will include that directory
> if installed.
>
> It can be really hard to make sure everything required is mounted noexec
> when some of these directories are automatically created by SUID or SGID
> binaries, in response to user actions.

Sure, I agree. Screen itself is SGID group screen and no SUID. One needs to watch for places with group screen write permission, that they do not live anywhere that is not noexec mounted. And we never had SAMBA whenever we went to that length in restricting users...

All in all virtualization made our lives easier (I'm using FreeBSD jails to compartmentalize immiscible things these days, I bet Linux has its lightweight equivalent, and likely more than one).

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
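The audit step Gordon and Valeri both describe above (finding user-writable directories such as the screen socket directory or the samba spool that are not covered by a noexec mount) can be scripted. This is an added example written for this page, not code from the thread; the mount table and directory names below are constructed samples, and the live invocation in the last comment assumes root and a GNU find.

```shell
#!/bin/sh
# Added example: flag group/world-writable directories that do not sit on a
# noexec-mounted filesystem. Mount table input is in /proc/mounts format.

# Constructed sample mount table (not taken from any real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /var/spool ext4 rw,nosuid,noexec,relatime 0 0'

# Constructed sample of directories a permission scan might report.
SAMPLE_DIRS='/run/screen/S-alice
/var/spool/samba
/tmp
/var/tmp'

# Print the mount options of the filesystem holding path $1, chosen by the
# longest matching mount point in table $2 (the same rule the kernel uses).
mount_opts_for() {
  printf '%s\n' "$2" | {
    best= bestlen=-1
    while read -r _dev mp _fs opts _rest; do
      case "$1" in
        "$mp"|"$mp"/*) ;;                 # path is at or below this mount point
        *) [ "$mp" = / ] || continue ;;   # the root mount matches everything
      esac
      if [ ${#mp} -gt $bestlen ]; then bestlen=${#mp}; best=$opts; fi
    done
    printf '%s\n' "$best"
  }
}

# Succeed if the comma-separated option list $1 contains noexec.
has_noexec() {
  case ",$1," in *,noexec,*) return 0 ;; esac
  return 1
}

# One line per directory in list $1: OK if noexec applies, WARN otherwise.
check_dirs() {
  printf '%s\n' "$1" | while IFS= read -r d; do
    [ -n "$d" ] || continue
    opts=$(mount_opts_for "$d" "$2")
    if has_noexec "$opts"; then echo "OK   $d ($opts)"
    else echo "WARN $d allows execution ($opts)"; fi
  done
}

check_dirs "$SAMPLE_DIRS" "$SAMPLE_MOUNTS"
# Live use (as root): check_dirs "$(find / -xdev -type d \( -perm -0002 -o -perm -0020 \))" "$(cat /proc/mounts)"
```

Directories created on demand by SGID/SUID programs only show up once they exist, so the live scan is worth repeating after users have logged in, not just at install time.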
[CentOS] Centos7 GeoIP support with BIND
In my new Centos7 BIND DNS server, I am seeing messages in logwatch about GeoIP. Something new for me to learn about, and it seems, configure.

Checking to see what packages are available I find:

GeoIP.armv7hl          1.5.0-11.el7   @centos-base_rbf
GeoIP-data.noarch      1.5.0-11.el7   base
GeoIP-devel.armv7hl    1.5.0-11.el7   base
GeoIP-update.noarch    1.5.0-11.el7   base

and GeoIP.armv7hl is already installed in my image (even before I installed BIND, it seems to be part of a base server?).

I am not finding any help for GeoIP on Centos, but for debian/ubuntu they are saying to install geoip-database. Is GeoIP-data the same thing? What about GeoIP-update?

Basically, I probably should get started on this, or disable it in my DNS server. Can someone point me to Centos specific help or help me out?

thanks
Re: [CentOS] Centos7 GeoIP support with BIND
On Feb 15, 2017 11:11 PM, "Robert Moskowitz" wrote:
> In my new Centos7 BIND DNS server, I am seeing messages in logwatch about GeoIP. Something new for me to learn about, and it seems, configure.
>
> Checking to see what packages are available I find:
>
> GeoIP.armv7hl          1.5.0-11.el7   @centos-base_rbf
> GeoIP-data.noarch      1.5.0-11.el7   base
> GeoIP-devel.armv7hl    1.5.0-11.el7   base
> GeoIP-update.noarch    1.5.0-11.el7   base
>
> and GeoIP.armv7hl is already installed in my image (even before I installed BIND, it seems to be part of a base server?).
>
> I am not finding any help for GeoIP on Centos, but for debian/ubuntu they are saying to install geoip-database. Is GeoIP-data the same thing? What about GeoIP-update?
>
> Basically, I probably should get started on this, or disable it in my DNS server. Can someone point me to Centos specific help or help me out?
>
> thanks

This is the first hearing of this package; geoIP-data is the same as geoIP-database.

http://dev.maxmind.com/geoip/legacy/csv/