Re: Help! System crashes and locks up.

[Sven Arvidsson]

On Sun, 2016-02-21 at 18:12 -0600, Dennis Wicks wrote:
> Greetings;
> 
> I have a system I just put together. New pwr sup, mobo, and 
> 1 new SATA disk, 1TB. 2Gig memory. Processor is a Phenom 
> 9950 4 core. Running Deb 8.3.0 Jessie, new install.
> 
> Every so often it crashes and locks up, and the monitor 
> screen has many narrow horizontal lines, mostly the 
> background color.
> 
> When it crashes only reset and power off will work. I have 
> looked in every log file I can think of and no luck.
> 
> Does this sound familiar to anybody? Any hints?
> 
> Any help at all greatly appreciated!!

https://blog.codinghorror.com/is-your-computer-stable/

-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5



signature.asc
Description: This is a digitally signed message part

I Couldn't install geany-plugin-gdb in jessie.

[EenyMeenyMinyMoa]

Hi,
refering to

https://packages.debian.org/search?lang=en&suite=all&searchon=names&keywords=geany-plugin-gdb

I added the line
deb http://ftp.jp.debian.org/debian/ wheezy main
to /etc/apt/sources.list, and apt-get updated,
but I was not able to install geany-plugin-gdb.

$ sudo apt-get install geany-plugin-gdb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
geany-plugin-gdb : Depends: geany-plugins-common (= 0.21.1.dfsg-4) but
1.24+dfsg-5 is to be installed
E: Unable to correct problems, you have held broken packages.

What should I do?
And why isn't geany-plugin-gdb in the jessie repository?


EenyMeenyMinyMoa

Re: I Couldn't install geany-plugin-gdb in jessie.

[Reco]

Hi.

On Mon, 22 Feb 2016 16:21:31 +0800
EenyMeenyMinyMoa  wrote:

> Hi,
> refering to
> 
> https://packages.debian.org/search?lang=en&suite=all&searchon=names&keywords=geany-plugin-gdb
> 
> I added the line
> deb http://ftp.jp.debian.org/debian/ wheezy main
> to /etc/apt/sources.list, and apt-get updated,
> but I was not able to install geany-plugin-gdb.

And you should not be able to as most of geany plugins depend on exact
version of geany.

This:

> geany-plugin-gdb : Depends: geany-plugins-common (= 0.21.1.dfsg-4) but
> 1.24+dfsg-5 is to be installed

clearly shows us that you have installed geany from jessie, so the only
kind of plugins that fit your install are geany plugins from Jessie.


> What should I do?

Try installing 'geany-plugin-debugger' instead.


> And why isn't geany-plugin-gdb in the jessie repository?

My guess is that they simply renamed the package.

Reco

Re: rotating screen in debian tablet

[jdd]

Le 21/02/2016 19:49, Sven Arvidsson a écrit :


I also suggest that you document your efforts on getting Debian to run
here: https://wiki.debian.org/InstallingDebianOn/

Both the stuff that works, and the stuff that doesn't.


I will, after having investigated a bit more :-)

I was worried to notice the bug is still there when booting as 
multi-user, that is with no X, and this was confirmed this morning, 
there are no X recent logs.


so I looked at the kernel logs and noticed a crash:

http://dodin.org/owncloud/index.php/s/PzRjuxtZHKbMwzK

that seems to be a known issue, with some fixes, but I do not really 
understand what I have to do to apply the fixes :-(


https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1492632

https://bugs.launchpad.net/mesa/+bug/1274315

any way to do this on the grub kernel command line?

https://wiki.debian.org/KernelModesetting#Intel_GfxCards

thanks
jdd

Re: Is it possible to fully reinstall the base system without affecting /home?

[Dalios]

On 02/22/2016 06:36 AM, Kynn Jones wrote:
> My system is badly damaged, and it looks like the only way to fix it
> is to do a full re-install.
> 
> I figure I will have to back everything up to an external drive,
> reformat the hard drive, and install everything from scratch.
> 
> But I thought I'd ask if there's anything close to this that would not
> require backing up everything and reformatting the hard disk.
> Wouldn't it be possible, for example, to boot the system up from a
> live CD, and reinstall the base system, leaving /home untouched?  (I
> should mention that the hard disk in question is just one big
> partition, including /home and everything else.)
> 
> Thanks in advance!
> 
> kj
> 
> 

You can certainly do it but I am not sure you want!

First of all you would have to move your /home to a new partition (to
the same disk or another) and you would need to start from a Live CD/USB
in order to do this step. Of course if you don't have another HD
available then you would have to partition the disk which is risky for
your data which you would have to backup elsewhere etc

Next is the new installation procedure where you will eventually connect
the new system with the old /home.

However let me note that some of the problems of your current
installation may live inside /home which means that you will still have
to deal with them. The /home folder contains not only your data but also
various settings files for your applications.

So, as I said, you can certainly do it but I am not sure you want!

Another approach would be to start a new thread (or more!) on this
helpful list in order to try to solve your system's problems. Of course
you can always re-install and start from scratch but how can you be sure
you will not end on the same position after a while.


Dalios

BIND problem

[Glenn English]

I'm seeing lots of:

> Feb 21 23:32:24 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-I5cJjYH7fV: open: permission denied
> Feb 21 23:36:54 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-zsVXbHkEG1: open: permission denied
> Feb 21 23:46:00 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-ngGrdGrU2a: open: permission denied
> Feb 21 23:49:26 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-Q0vQCUg5xd: open: permission denied
> Feb 21 23:58:36 log named[20061]: zone richeyrentals.com/IN: refresh: could 
> not set file modification time of 
> '/var/cache/bind/slaves/db.richeyrentals.com': permission denied
> Feb 21 23:59:56 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-Ef1P4JJ7WK: open: permission denied
> Feb 22 00:02:30 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-X7frzE1EHg: open: permission denied
> Feb 22 00:14:26 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-Mvis5kMjqB: open: permission denied
> Feb 22 00:14:54 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-5cVqqTAnb6: open: permission denied
> Feb 22 00:25:31 log named[20117]: zone richeyrentals.com/IN: refresh: could 
> not set file modification time of 
> '/var/cache/bind/slaves/db.richeyrentals.com': permission denied
> Feb 22 00:25:48 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-5n3f6qn0Cj: open: permission denied
> Feb 22 00:29:50 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-qbxXuXSlvZ: open: permission denied
> Feb 22 00:38:07 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-n99ZL1tdSc: open: permission denied
> Feb 22 00:43:19 log named[20117]: dumping master file: 
> /var/cache/bind/slaves/tmp-yhcq7G3STF: open: permission denied
> Feb 22 00:51:46 log named[20061]: dumping master file: 
> /var/cache/bind/slaves/tmp-8m09QHZPqR: open: permission denied
> Feb 22 00:53:20 log named[20061]: zone richeyrentals.com/IN: refresh: could 
> not set file modification time of 
> '/var/cache/bind/slaves/db.richeyrentals.com': permission denied

in my log.

I looked on the web, and no suggestion helped. Except one: one of then said his 
worked when he ran bind (aka named) as root. I tried that and sure enough, it 
'fixed' the problem. Until monit somehow noticed the DNS wasn't running and 
started it from /etc/init.d (I'm still running Wheezy). 

It happens only on the master DNS server -- the slaves do their dumps 
successfully, or maybe they don't try.

I tried su -'ing from root to user bind (after giving bind a shell). No joy.

Everything in /var/cache/bind is owned by bind:bind, it's all owner and group 
writable, root manages to write the files, there are no complaints about the 
masters directory (there are also no files called tmp-*** in there), and I'm at 
a loss as to why there's a problem setting the modification time (touch does it 
just fine).

Has anyone seen this and fixed it? 

I'm guessing somebody's just kidding about the directory they're trying to 
write into, and their real directory is owned by user nobody...

-- 
Glenn English

Re: BIND problem

[Reco]

Hi.

On Mon, 22 Feb 2016 02:35:52 -0700
Glenn English  wrote:

> I'm seeing lots of:
> 
> > Feb 21 23:32:24 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-I5cJjYH7fV: open: permission denied
> > Feb 21 23:36:54 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-zsVXbHkEG1: open: permission denied
> > Feb 21 23:46:00 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-ngGrdGrU2a: open: permission denied
> > Feb 21 23:49:26 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-Q0vQCUg5xd: open: permission denied
> > Feb 21 23:58:36 log named[20061]: zone richeyrentals.com/IN: refresh: could 
> > not set file modification time of 
> > '/var/cache/bind/slaves/db.richeyrentals.com': permission denied
> > Feb 21 23:59:56 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-Ef1P4JJ7WK: open: permission denied
> > Feb 22 00:02:30 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-X7frzE1EHg: open: permission denied
> > Feb 22 00:14:26 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-Mvis5kMjqB: open: permission denied
> > Feb 22 00:14:54 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-5cVqqTAnb6: open: permission denied
> > Feb 22 00:25:31 log named[20117]: zone richeyrentals.com/IN: refresh: could 
> > not set file modification time of 
> > '/var/cache/bind/slaves/db.richeyrentals.com': permission denied
> > Feb 22 00:25:48 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-5n3f6qn0Cj: open: permission denied
> > Feb 22 00:29:50 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-qbxXuXSlvZ: open: permission denied
> > Feb 22 00:38:07 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-n99ZL1tdSc: open: permission denied
> > Feb 22 00:43:19 log named[20117]: dumping master file: 
> > /var/cache/bind/slaves/tmp-yhcq7G3STF: open: permission denied
> > Feb 22 00:51:46 log named[20061]: dumping master file: 
> > /var/cache/bind/slaves/tmp-8m09QHZPqR: open: permission denied
> > Feb 22 00:53:20 log named[20061]: zone richeyrentals.com/IN: refresh: could 
> > not set file modification time of 
> > '/var/cache/bind/slaves/db.richeyrentals.com': permission denied
> 
> in my log.

Please post the output of:

ls -ald /var/cache/bind/slaves

lsattr /var/cache/bind/slaves

getfacl /var/cache/bind/slaves


Also, do you have SELinux enabled?

Reco

Re: Is it possible to fully reinstall the base system without affecting /home?

[arian]

Just to make sure, your filesystem is OK, right?

> But I thought I'd ask if there's anything close to this that would not
> require backing up everything and reformatting the hard disk.
> Wouldn't it be possible, for example, to boot the system up from a
> live CD, and reinstall the base system, leaving /home untouched?  (I
> should mention that the hard disk in question is just one big
> partition, including /home and everything else.)

Just do a normal install with manual filesystem configuration, choose the 
existing partition with the prior filesystem format and make sure to _not_ 
choose format partition. The installer will warn you, something along the lines 
that it will overwrite the old /usr, /etc/, /var, etc - which is what you want.

optionally you can remove all directories but /home (and may be /root prior to 
installation from a live system (the installer will do).

I strongly advise to make the backup before nonetheless - breaking things is 
easy, especially in the installer. This procedure will however spare you 
restoring thing from the backup, if it works.



signature.asc
Description: OpenPGP digital signature

Re: Is it possible to fully reinstall the base system without affecting /home?

[Keith Bainbridge]

On 22/02/16 20:10, Dalios wrote:

First of all you would have to move your /home to a new partition (to
the same disk or another) and you would need to start from a Live CD/USB
in order to do this step.



Or move /home from a terminal as root.  But if you have to create a new 
partition you might as well move /home while you are using the live CD.


--
Keith Bainbridge

keithrbaugro...@gmail.com

+61 (0)447 667 468

Re: Is it possible to fully reinstall the base system without affecting /home?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, Feb 22, 2016 at 11:20:24AM +0100, arian wrote:
> 
> Just to make sure, your filesystem is OK, right?
> 
> > But I thought I'd ask if there's anything close to this that would not
> > require backing up everything and reformatting the hard disk.
> > Wouldn't it be possible, for example, to boot the system up from a
> > live CD, and reinstall the base system, leaving /home untouched?  (I
> > should mention that the hard disk in question is just one big
> > partition, including /home and everything else.)
> 
> Just do a normal install with manual filesystem configuration, choose
> the existing partition with the prior filesystem format and make sure
> to _not_ choose format partition.

This was my impression too: installation should not wipe home (actually
it should'nt wipe anything, e.g. /usr/local and friends, just overwrite
existing packages with their newer versions.

That said, and as arian states, it's easy to fat-finger something and
format your disks, so a backup is in order; and you might meet some
niggles, like new packages stumbling upon older configurations and
data in your home (think ~/.config, but also ~/.openffice.org, ~/.gimp
and whatever nice things apps put into your home). Some may cope
and some not.

regards
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlbK5AcACgkQBcgs9XrR2kbIKQCfUlb64LbSE2F5UHgT2hEGiYsI
yDkAnjXbOy72G7BsuxPCBfS/qOWI6pyw
=wbEI
-END PGP SIGNATURE-

Enabling of the control grups with its subsystems and Kernel module "net_cls" on Debian Jessie.

[Mark Johnson]

Hi all.

My name is Mark, and I try since a few days to implement outbound traffic 
shaping with cgoups and its podsystems (especially - "net_cls", "net_prio") and 
iptables. The problem is to enable cgroups (subsystems "net_cls" and daemons 
like "cgrulesengd") Spent many hours looking for education stuff, but 
everything was time wasting only. In my opinion something must be wrong with 
Kernel ( set-up?, patching?, upgrade? )
 My Kernel - 3.16.If you could explain how-to in a few words, it would be 
really great news for me. We all belongs to big "Debian Family" are we not?

Regards from Dublin
Mark

Re: Enabling of the control grups with its subsystems and Kernel module "net_cls" on Debian Jessie.

[Reco]

Hi.

On Mon, 22 Feb 2016 11:01:29 + (UTC)
Mark Johnson  wrote:

> Hi all.
> 
> My name is Mark, and I try since a few days to implement outbound traffic 
> shaping with cgoups and its podsystems (especially - "net_cls", "net_prio") 
> and iptables. The problem is to enable cgroups (subsystems "net_cls" and 
> daemons like "cgrulesengd") Spent many hours looking for education stuff, but 
> everything was time wasting only. In my opinion something must be wrong with 
> Kernel ( set-up?, patching?, upgrade? )
>  My Kernel - 3.16.If you could explain how-to in a few words, it would be 
> really great news for me. We all belongs to big "Debian Family" are we not?

A case study:

1) Ensure that you're *not* running systemd as PID=1. It *will* screw
things up, do not try it.

2) Ensure that you don't have any services in enabled state that try to
configure cgroups on their own. libvirtd or cgmanager, for instance.

3) Write a configuration file /etc/cgconfig.conf with the contents like
this:

mount {
cpuset = /sys/fs/cgroup/cpuset;
cpu = /sys/fs/cgroup/cpu;
cpuacct = /sys/fs/cgroup/cpuacct;
devices = /sys/fs/cgroup/devices;
freezer = /sys/fs/cgroup/freezer;
net_cls = /sys/fs/cgroup/net_cls;
blkio = /sys/fs/cgroup/blkio;
perf_event = /sys/fs/cgroup/perf_event;
}

group mynet {
net_cls {
net_cls.classid="122541";
}
}

4) Invoke:

mount -t tmpfs cgroup_root /sys/fs/cgroup
/usr/sbin/cgconfigparser -l /etc/cgconfig.conf

5) If all goes well you should see a bunch of mounted filesystems of
type cgroup, one for each controller.

6) Create a configuration file /etc/cgrules.conf with the contents
like this:

*:/bin/bash net_cls mynet

7) Start cgrulesengd for debugging:

/usr/sbin/cgrulesengd -nv

8) Observe all instances of bash to migrate to mynet cgroup.
Double-check it with:

cat /sys/fs/cgroup/net_cls/nonet/tasks

9) Clean up:

/usr/sbin/cgclear
umount /sys/fs/cgroup

Reco

Re: Debian package on Windows

[Thiago]

Em 21-02-2016 23:49, John Hasler escreveu:
> I don't know what you mean by that.  It's Free Software.  They can do
> with it what the license terms permit and no more absent special
> permission from the copyright owner.  The authors released it under the
> GPL and that's that.  Debian, not owning the copyright, is not able to
> allow or forbid anything.
> 
> Debian or some members thereof might or might not choose to assist in
> the endeavor, but that's a different matter.
> 

John,

"They can do with it what the license terms permit and no more absent
permission from the copyright owner." -> That's true, no more further
reply would be needed.

If Microsoft will be respecting freedom, ok. But I doubt which they will
do. Will they own it and remove software freedom? I hope no. If they own
something in GPL, we know they have to maintain software freedom in this
way.



signature.asc
Description: OpenPGP digital signature

Re: Debian package on Windows

[Jonathan Dowland]

On Sat, Feb 20, 2016 at 11:21:46PM -0300, Thiago wrote:
> Why did you send this message on Debian Apache and not in the main
> mailing list?

Since this is a development query, debian-devel would be more appropriate than
debian-user, and unless I'm mistaken, you should make it clear that you do not
speak for Debian as you are not formally affiliated with the project in any way.

-- 
Jonathan Dowland

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jonathan Dowland]

On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
> >2. after initial setup, no ssh access will be allowed via a password
> 
> $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config

Convenient for writing in an email, but doesn't handle the situation where
PasswordAuthentication is already defined in the config file. Better to just
recommend editing the file and setting or changing the value as necessary.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jonathan Dowland]

On Fri, Feb 19, 2016 at 09:30:20AM +1300, Richard Hector wrote:
> That then means that you don't get to choose which people have root on
> which boxes - anyone who gets the rule gets the lot. And that includes
> anyone who leaves, of course.

Yes, but a leaked root password for one host does not translate into a leaked
root password for other hosts, so there are some advantages. If the routine
additionally concatenates a fixed password string, you can rotate that when
staff leave and regenerate/reset all the passwords.

> I think a better solution in the end is to generate a random password
> for each box, and leave it, on paper, in a safe or similar. It's very
> rare anyone needs to use it.

In my past jobs we've always ended up doing something like that in the end,
never getting an algorithmic solution like the above off the ground, but it
does sound attractive to me.

-- 
Jonathan Dowland
Please do not CC me, I am subscribed to the list.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jeremy T. Bouse]

On 2/18/2016 5:05 PM, Roman wrote:
> Seriously, you have to trust someone to achieve goals. So accessing
> server via ssh keys is pretty normal and secure + ldaps auth of course
> (centralized account management), so if someone leaves, just disable
> his account. sudo supports ldap auth, kind of on group level, so if
> user even got into a server for some reason, he can't become root,
> because his account was deleted and not in sudo enebled group anymore.
>
> After you configure the ldap and sudo for this scenario,  just disable
> password auth and  root login in ssh conf. Also setup firewall to
> enable ssh from known IP addresses only (here comes VPN into the game,
> if needed) and move SSH port to something else, but 22. You will be as
> safe as ldap and ssh and ssl are (exploits, exploits.. they're
> everywhere, you can't be 100% secure unless you disconnect the network
> cable from your server, remove the keyboard and USB ports)
>
> So basically security is all about trusting. You HAVE to choose whom
> (and what) you trust. 
> -- 
> Best regards,
> Roman.

I can show a couple examples of just simply having the centralized
account management can fail... in both cases the password was locked but
I had an SSH identity key already setup on the account. I was till able
to log into the server even with my account locked in the LDAP
centralized account management because the SSH keys were still
authorized. As well I had password-less sudo "NOPASSWD:" entries so I
still had full admin rights while being locked out.

All that to say, don't just assume things are secure you have to
verify and maintain it.



smime.p7s
Description: S/MIME Cryptographic Signature

Re: Debian package on Windows

[Thiago]

Em 22-02-2016 10:56, Jonathan Dowland escreveu:
> On Sat, Feb 20, 2016 at 11:21:46PM -0300, Thiago wrote:
> Since this is a development query, debian-devel would be more appropriate than
> debian-user, and unless I'm mistaken, you should make it clear that you do not
> speak for Debian as you are not formally affiliated with the project in any 
> way.
> 

Yes, it is.



signature.asc
Description: OpenPGP digital signature

Re: Debian package on Windows

[Ric Moore]

On 02/20/2016 09:21 PM, Thiago wrote:

Hello,

Why did you send this message on Debian Apache and not in the main
mailing list? I'm sorry, but you're not able to own GNU GPL to suck in
your Application Manager. Either you will be educated mentioning it and
respecting his copyright.


First, thanks for top-posting and totally screwing up the timeline. To 
me, anyone top-posting usually winds up in my junk filters with extreme 
prejudice. I'd rather a top-poster not try to educate ~anyone~ within 
the Debian scheme of things.


Second, the OP openly asked for the thoughts and opinions as how to 
potentially proceed. According to the GPL anyone is free to take the 
source-code, edit/change it and compile it any way they wish AS LONG AS 
the GPL remains intact. That means they can compile a binary and 
distribute it, as long as the source code remains available to anyone 
and the GPL notice is included. I saw no mention to avoid the GPL in his 
request for information. Ergo, as long as the GPL is honored, this plan 
is actually a plus for Debian. Ric




I don't know why do you do it. Maybe you thought in new things to do.
Congrats for using Clang instead of GNU C Compiler, at least you're
trying don't using it to don't need mentioning him. But Debian is signed
in GPG too.

And of course, taking apt-get/Debian and implementing new DRMs to avoid
GNU. History is same the even. Or would be Microsoft don't mistreating
who shares the packing management? Are you trying to take it and kick
that out of new hardwares?

Reply us.

Att.


Em 19-02-2016 23:09, Eric Mittelette escreveu:

Hi



I contact you today about a crazy idea, but I hope it is a right kind of
crazy!



I’m PM in the Visual C++ Team (VC Lib to be precise here at Microsoft),
we started to think about lib acquisition (still a painful process for
C++ on Windows) and we are imaging different options, one is to port
apt-get on Windows.

Porting Apt-Get mean using Debian format (we love it) and providing
Windows binary inside the package…



For doing that we imagine a light way process to adapt your actual build
script to generate Windows binaries using our latest Clang/c2 compiler
integration (meaning in theory just changing an env variable to switch
from gcc or Clang to our Clang/C2 compiler will be enough…)



The main idea here is to not reinvent the wheel for packaging management
and use something existing, powerful and well known by the community.

Of course all the project will be open source (the new Microsoft J)



I know you’re really busy, and don’t want to boring you, but I wanted to
know your feedback about this idea?

Do you want to be included in future discussions and provide feedback as
we get more details fleshed out?



Again it is just a draft idea, nothing concrete, but wanted to validate
with you and the Debian maintainers community if that make sense for you…



Thanks for your time



Eric Mittelette

Senior Program Manager – Visual C++ (VCLib)

ericm...@microsoft.com 










--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html

Re: Is it possible to fully reinstall the base system without affecting /home?

[Jochen Spieker]

Kynn Jones:
> 
> But I thought I'd ask if there's anything close to this that would not
> require backing up everything and reformatting the hard disk.

If there is anything on your hard disk worth keeping that you haven't
backed up at least weekly then you should start worrying about that now.

Hard disks (and SSDs) die and take your data with them. Worry about that
daily until you have a solution.

J.
-- 
I see weapons of mass destruction as shameful but necessary.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Debian package on Windows

[Jean-Baptiste Thomas]

De: "Ric Moore" 
> and the GPL notice is included. I saw no mention to avoid the GPL in his 
> request for information. Ergo, as long as the GPL is honored, this plan 
> is actually a plus for Debian.

How is Debian better off from Microsoft porting apt to Windows ?

Re: Is it possible to fully reinstall the base system without affecting /home?

[John L. Ries]

While it probably doesn't help you now, it is good practice to store 
user data on their own file system (/home), separate from applications 
and system files.  That way, if you hose the system, the user data are 
undisturbed and you only need to worry about backing up system settings.


Something to consider when you're doing your reinstall.

--|
John L. Ries  |
Salford Systems   |
Phone: (619)543-8880 x107 |
or (435)867-8885  |
--|


On Sunday 2016-02-21 21:36, Kynn Jones wrote:


Date: Sun, 21 Feb 2016 21:36:45
From: Kynn Jones 
To: Debian User 
Subject: Is it possible to fully reinstall the base system without affecting
   /home?

My system is badly damaged, and it looks like the only way to fix it
is to do a full re-install.

I figure I will have to back everything up to an external drive,
reformat the hard drive, and install everything from scratch.

But I thought I'd ask if there's anything close to this that would not
require backing up everything and reformatting the hard disk.
Wouldn't it be possible, for example, to boot the system up from a
live CD, and reinstall the base system, leaving /home untouched?  (I
should mention that the hard disk in question is just one big
partition, including /home and everything else.)

Thanks in advance!

kj

Re: Debian package on Windows

[Ric Moore]

On 02/22/2016 11:40 AM, Jean-Baptiste Thomas wrote:

De: "Ric Moore" 

and the GPL notice is included. I saw no mention to avoid the GPL in his
request for information. Ergo, as long as the GPL is honored, this plan
is actually a plus for Debian.


How is Debian better off from Microsoft porting apt to Windows ?


Because they didn't select YUM. :) Ric


--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html

dovecot -- Require different setting for mail_location for each of POP3S and IMAPS protocols

[Andrew McGlashan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Okay,

I've tried getting this answered on dovecot mailing list, but not
having success so far; so I'm trying here too now (considering it is a
Debian system that was upgraded from squeeze-lts to wheezy).


Old dovecot allowed me to configure past dovecot to have a different
mail_location setting for the same user, but with different protocols.


When the user requests POP3S, I adjusted the mail_location to
/var/mail/$USER (with mbox in use).


When that *same* user requested IMAPS protocol, the required
mail_location is the Maildir folder.


This allows for independent two mail storage locations, one for the use
of mbox and the other for the use of Maildir *and* for the same user.


Some users only require mbox with others only requiring Maildir.


So, I need to cater for each of these situations.

How might I adjust current dovecot configuration to provide different
mail_location settings for different protocols?

Old dovecot allowed me to run a script before POP3S processing that gave
me the chance to adjust the mail_location variable.  That is what I need
now, just for POP3S.

Thanks
AndrewM


-BEGIN PGP SIGNATURE-

iF4EAREIAAYFAlbLPpoACgkQqBZry7fv4vsr6QEAzqtAdTurYS94B+mfEoJZux65
3uXIHbz0+8WbiqDTIasBALNb/CRtAwkxCzxjrdNy65b7BBrowrSCfXHT1N+xQW3o
=vtb5
-END PGP SIGNATURE-

opengl problem with avidemux

[Pierre Frenkiel]

hi,
I have strange (for me) problem with avidemux:
when I run it from my account, the characters are rather big (about 2 mm)
and there is not enough room to display the current time in the
bottom "Time" window, so that only the seconds and milliseconds are
seen.
If run from any other account, the characters are much smaller, and the
time display is correct (and the size of the avidemux window itself
is a little smaller.(205 mm .vs 230 mm)

Looking at the avidemux output, I found this difference:
for me:
[initGUI]  OpenGL not activated, not initialized
for others:
[initGUI]  OpenGL activated, initializing... 
(the avidemux Display is set to "X11" in both cases in the preferences menu)


Can anybody explain that?
thanks in advance.

best regards,
--
Pierre Frenkiel

Re: dovecot -- Require different setting for mail_location for each of POP3S and IMAPS protocols

[Christian Seiler]

On 02/22/2016 06:00 PM, Andrew McGlashan wrote:
> I've tried getting this answered on dovecot mailing list, but not
> having success so far; so I'm trying here too now (considering it is a
> Debian system that was upgraded from squeeze-lts to wheezy).

Not tested, but you could try the following (10-mail.conf): set
location = Maildir in the "namespace private", but set
mail_location = mbox globally. Since namespaces are an IMAP feature,
it might be the case that the POP3 server doesn't evaluate the
namespace stuff at all, and then you'd have two separate settings.

No idea if that will actually work.

Alternatively, if that doesn't work out, the 'mail' field in userdb
always overwrites mail_location. And dovecot does replace '%s' with
the service that's accessing the userdb, so what you could do is
use the sqlite driver of dovecot, set the connection path to a non-
existent file (or an empty sqlite database) and use

user_query = SELECT CASE WHEN 'pop3' == '%s' THEN ('mbox:.../' || '%u') ELSE 
('Maildir:.../' || '%n') END AS mail, '%n' as uid ;

Since userdb and passdb are separate, you should be able to get
away with that.

(Unfortunately, using sqlite is the closest I could find to having
generic scripting support for this kind of thing.)

Also not tested, also no idea if that will actually work.

Regards,
Christian



signature.asc
Description: OpenPGP digital signature

FW: Debian package on Windows

[Richard Zimmerman]

>> How is Debian better off from Microsoft porting apt to Windows ?
>
> Because they didn't select YUM. :) Ric

What is so wrong with YUM? I actually like it better over apt-get or aptitude...

FYI, I'm a CentOS shop and a programmer. I used to run Debian full-time and 
running Debian Jessie as I'm looking at possibly moving back.

Regards,

Richard



---
Richard Zimmerman
Systems / Network Administrator
River Bend Hose Specialty, Inc.
 S Main Street
South Bend, IN   46601-3337
(574) 233-1133
(574) 280-7284 Fax

Re: FW: Debian package on Windows

[Reco]

On Mon, 22 Feb 2016 17:04:42 +
Richard Zimmerman  wrote:

> >> How is Debian better off from Microsoft porting apt to Windows ?
> >
> > Because they didn't select YUM. :) Ric
> 
> What is so wrong with YUM? I actually like it better over apt-get or 
> aptitude...

There's nothing wrong with YUM except that:

a) It's dead upstream. They axed it in favor of DNF.

b) It's dependency resolution algorithm is easily beat by snail. And
it usually about as smart as said snail.

c) YUM's package database is stored in SQLite, to which it's written by
sync I/O by small chunks. 4 kilobytes small.

d) And last, but not least. YUM is written in Python in such
memory-hungry way that some Java programs pale in comparison. Adds some
interesting 'jump-through-the-hoops' scenarios on Python upgrades.

YUM has some redeeming qualities but the main on of them is that
YUM is better than it's predecessor - up2date.

If you need an example of good package manager from rpm world - there's
zypper.

Reco

Warning ?~@~T Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System)

[Karen Lewellen]

Sharing in case anyone was impacted.


-- Forwarded message --
Date: Mon, 22 Feb 2016 08:50:44 -0800

http://thehackernews.com/2016/02/linux-mint-hack.html

Re: Debian package on Windows

[Nate Bargmann]

* On 2016 22 Feb 10:42 -0600, Jean-Baptiste Thomas wrote:
> De: "Ric Moore" 
> > and the GPL notice is included. I saw no mention to avoid the GPL in his 
> > request for information. Ergo, as long as the GPL is honored, this plan 
> > is actually a plus for Debian.
> 
> How is Debian better off from Microsoft porting apt to Windows ?

Your question is a non sequitur.  The GPL does not require derivatives
of a work to benefit the original author in any way.  It only requires
that the terms it spells out be honored by anyone exercising the rights
to the covered work granted by it [GPL].

IANAL, etc.

- Nate

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us

Re: FW: Debian package on Windows

[Ric Moore]

On 02/22/2016 12:04 PM, Richard Zimmerman wrote:

How is Debian better off from Microsoft porting apt to Windows ?


Because they didn't select YUM. :) Ric


What is so wrong with YUM? I actually like it better over apt-get or
aptitude...


I wuz just being snarky. I used to work at Redhat and know Bob Young well.


FYI, I'm a CentOS shop and a programmer. I used to run Debian
full-time and running Debian Jessie as I'm looking at possibly moving
back.


The fact that they asked, right out in the open and seeking permissions, 
is telling. If one considers the "Star Trek Effect" of the GPL, Veeger 
might become infected by it. I'll laugh and laugh anticipating how that 
plays out! :) Ric



--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html

Re: Debian package on Windows

[John Hasler]

Nate Bargmann writes:
> Your question is a non sequitur.  The GPL does not require derivatives
> of a work to benefit the original author in any way.  It only requires
> that the terms it spells out be honored by anyone exercising the
> rights to the covered work granted by it [GPL].

True, but so what?  Ric claimed this is a plus for Debian.
Jean-Baptiste asked how.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Thomas Schmitt]

Hi,

> http://thehackernews.com/2016/02/linux-mint-hack.html

A virus of 1.5 GiB size.

Does anybody know a download URL for such an infected ISO image ?
(I am curious whether they used my software or mkisofs or something
unusual.)

Have a nice day :)

Thomas

Re: opengl problem with avidemux

[Sven Arvidsson]

On Mon, 2016-02-22 at 18:01 +0100, Pierre Frenkiel wrote:
> hi,
> I have strange (for me) problem with avidemux:
> when I run it from my account, the characters are rather big (about 2
> mm)
> and there is not enough room to display the current time in the
> bottom "Time" window, so that only the seconds and milliseconds are
> seen.
> If run from any other account, the characters are much smaller, and
> the
> time display is correct (and the size of the avidemux window itself
> is a little smaller.(205 mm .vs 230 mm)
> 
> Looking at the avidemux output, I found this difference:
> for me:
>  [initGUI]  OpenGL not activated, not initialized
> for others:
>  [initGUI]  OpenGL activated, initializing... 
> (the avidemux Display is set to "X11" in both cases in the
> preferences menu)
> 
> Can anybody explain that?
> thanks in advance.

I'm not familiar with avidemux, but does it really use OpenGL to render
the GUI? 

Find out what GUI toolkit it uses and see if other applications using
the same toolkit have similar problems.

You might also want to investigate your OpenGL setup with glxinfo or
similar to make sure you're not getting software rendering.


-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5



signature.asc
Description: This is a digitally signed message part

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Karen Lewellen]

The article indicates that hackers redirected the download link for one 
edition  of mint to an ftp site with their infected iso image.

Cannot say more, but the article is rather detailed.
Kare


On Mon, 22 Feb 2016, Thomas Schmitt wrote:


Hi,


http://thehackernews.com/2016/02/linux-mint-hack.html


A virus of 1.5 GiB size.

Does anybody know a download URL for such an infected ISO image ?
(I am curious whether they used my software or mkisofs or something
unusual.)

Have a nice day :)

Thomas

Re: opengl problem with avidemux

[Pierre Frenkiel]

On Mon, 22 Feb 2016, Sven Arvidsson wrote:


I'm not familiar with avidemux, but does it really use OpenGL to render
the GUI? 

Find out what GUI toolkit it uses and see if other applications using
the same toolkit have similar problems.


  in avidemux, you can choose for the Display between X11 or OpenGL
  As I said, I chooes X11.


You might also want to investigate your OpenGL setup with glxinfo or
similar to make sure you're not getting software rendering.


  The main question is why those different behaviours for different
  users on the same PC?
  glxinfo gives of course the same result for all users.

cheers,
--
Pierre Frenkiel

Re: opengl problem with avidemux

[Nicolas George]

Le quartidi 4 ventôse, an CCXXIV, Sven Arvidsson a écrit :
> I'm not familiar with avidemux, but does it really use OpenGL to render
> the GUI? 

For the GUI, probably not.

For the preview of the video, why not? Sync with monitor refresh is not
available in plain X11 and YUV->RGB conversion is expensive.

Regards,

-- 
  Nicolas George


signature.asc
Description: Digital signature

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Thomas Schmitt]

Hi,

> Cannot say more, but the article is rather detailed.

It tells a lot about the hack and the Mint people are bravely answering
questions.
But my curiosity is about whether i indirectly helped the hackers.

I cannot prevent such misuse of xorriso, neither practically nor legally.
The GPL does not discriminate evil people. On the short view this might
appear bad, but in depth it is a very wise position of Richard Stallman and
the FSF. At least we do not risk to deny Giordano Bruno the license for ink.

Nevertheless:

Be Cursed, Ye Abusers Of Innocent ISO Programs !


Have a nice day :)

Thomas

Re: pam_smbpass.so

[Christian Seiler]

On 02/18/2016 02:49 AM, Joe Pfeiffer wrote:
> Christian Seiler  writes:
>> Just a hunch: do you run dovecot chroot'ed? If so, then it is most
>> likely the case that the specific PAM module is not available within
>> the chroot and that's why it produces that message.
> 
> No, it isn't chrooted -- if it were, I'd expect the other pam modules to
> give the same issues (for that matter, I'd expect it to not be able to
> find pam.d!).

So I just looked a bit at the PAM source code and found the following:

1. the message you see is generated from libpam/pam_handlers.c [1] from
   within the function _pam_load_module, using the mod_path argument
   passed to that function (which is not modified)

2. the function _pam_load_module is only called from _pam_add_handler,
   which calls it in two cases [2]:

a. module name starts with a /, then it uses that directly
b. module name doesn't start with a /, then it prepends
   DEFAULT_MODULE_PATH

   In Debian, DEFAULT_MODULE_PATH is /lib//security (set via
   debian/rules --libdir=/lib/ for dh_auto_configure [3],
   then used by configure.in as the default argument for
   --enable-securedir if that's not specified [4], which it isn't in
   debian/rules, and then used my Makefile.am to specify the variable
   to the C source [5]).

[1] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/pam_handlers.c/#L705
[2] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/pam_handlers.c/#L760
[3] http://sources.debian.net/src/pam/1.1.8-3.2/debian/rules/#L30
[4] http://sources.debian.net/src/pam/1.1.8-3.2/configure.in/#L274
[5] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/Makefile.am/#L5

If I look at your configuration file, we clearly have 

> # and here are more per-package modules (the "Additional" block)
> authoptionalpam_mount.so
> authoptionalpam_smbpass.so migrate

that the pam_smbpass.so is a relative path, so the code path 2(b)
should be taken, so the error you see shouldn't appear.

This is _really_ weird, especially since (as you said) the other
modules should also be affected...

I'm drawing a blank, sorry. Other than stracing the dovecot auth
process hand hoping you find something in the (presumeably huge) log
of that, I don't think I have any idea on how to debug that. Sorry.

Regards,
Christian



signature.asc
Description: OpenPGP digital signature

CRM Users List

[Ronald Charles]

Hi,

I just wanted to drop you a quick note to see if you would be interested in a discussion 
about "CRM Users List" and the benefits it can bring your organization for your 
Marketing Initiatives like Email Marketing, Tele Marketing, Direct Mailings etc.

Every contact will include: Company Name, Web Address, Contact Name, Verified 
Email, Job Title,  Complete Mailing Address, Phone Number, FAX Number, Total  
Employees, SIC Code, and Industry details.

We guarantee 100% on that list type that means every individual on that list 
will be as per your criteria for sure, any irrelevant contact will be replaced 
at no cost.

Few Technology Specific Lists:-
   
  1) Consona CRM

  2) Frontrange GoldMine CRM
  3) InterAction CRM
  4) KANA CRM
  5) Microsoft Dynamics CRM
  6) Oracle CRM On Demand
  7) Oracle Customer Relationship Management (CRM)
  8) Oracle Siebel CRM
  9) Salesforce.com CRM
  10) SAP Customer Relationship Management (CRM)
  11) Oracle PeopleSoft Enterprise Customer Relationship 
Management (CRM)
  12) Veeva CRM  and many more

Let me know your target criteria / market like: 

Target Title:
Target Industry:
Target Geography:

Regards,
Ronald Charles


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

FW: FW: Debian package on Windows

[Richard Zimmerman]

>> What is so wrong with YUM? I actually like it better over apt-get or 
>> aptitude...

> There's nothing wrong with YUM except that:
>
> a) It's dead upstream. They axed it in favor of DNF.

   Yes, I did hear that but again, I like yum so stayed with it.

> b) It's dependency resolution algorithm is easily beat by snail. And it 
> usually about as smart as said snail.
> c) YUM's package database is stored in SQLite, to which it's written by sync 
> I/O by small chunks. 4 kilobytes small.
> d) And last, but not least. YUM is written in Python in such memory-hungry 
> way that some Java programs pale in comparison. Adds some interesting 
> 'jump-through-the-hoops' scenarios on Python upgrades.

Hmm... It's always worked well for me so I guess I don't mind the drawbacks :)

> If you need an example of good package manager from rpm world - there's 
> zypper.
> Reco

I will have a look at that...

So, to get this back on track for a Debian forum, anything better then aptitude 
I should look at?

Kind regards and thanks,

Richard


---
Richard Zimmerman
Systems / Network Administrator
River Bend Hose Specialty, Inc.
 S Main Street
South Bend, IN   46601-3337
(574) 233-1133
(574) 280-7284 Fax

Re: BIND problem

[Glenn English]

> On Feb 22, 2016, at 3:14 AM, Reco  wrote:
> 
> Please post the output of:
> 
> ls -ald /var/cache/bind/slaves

drwxrwxr-x 2 bind bind 4096 Feb  5 07:52 /var/cache/bind/slaves

> lsattr /var/cache/bind/slaves

-e-- /var/cache/bind/slaves/db.172.16.0
-e-- /var/cache/bind/slaves/db.richeyrentals.com
-e-- /var/cache/bind/slaves/db.richeyrentals.dmz
-e-- /var/cache/bind/slaves/db.richeyrentals.lan

> getfacl /var/cache/bind/slaves

getfacl: Removing leading '/' from absolute path names
# file: var/cache/bind/slaves
# owner: bind
# group: bind
user::rwx
group::rwx
other::r-x

> Also, do you have SELinux enabled?

root@log:/etc# egrep -ir SELinux *
dbus-1/session.conf:  contexts/dbus_contexts
dbus-1/system.conf:  contexts/dbus_contexts
init.d/x11-common:  # Restore file security context (SELinux).
init.d/udev:# set the SELinux context for devices created in the initramfs
init.d/checkroot.sh:if selinux_enabled && [ -x /sbin/restorecon ] && [ -r 
/etc/mtab ]
Binary file ld.so.cache matches
pam.d/login:# SELinux needs to be the first session rule. This ensures that any 
pam.d/login:# When the module is present, "required" would be sufficient (When 
SELinux
pam.d/login:session [success=ok ignore=ignore module_unknown=ignore 
default=bad] pam_selinux.so close
pam.d/login:# SELinux needs to intervene at login time to ensure that the 
process
pam.d/login:session [success=ok ignore=ignore module_unknown=ignore 
default=bad] pam_selinux.so open
pam.d/login:# When the module is present, "required" would be sufficient (When 
SELinux
pam.d/sshd:# Set up SELinux capabilities (need modified pam)
pam.d/sshd:# session  required pam_selinux.so multiple
security/sepermit.conf:#- a SELinux user name, with %seuser syntax
selinux/semanage.conf:# Specify how libsemanage will interact with a SELinux 
policy manager.
selinux/semanage.conf:#  "source" - libsemanage manipulates a source 
SELinux policy
webmin/useradmin/config:selinux_con=user_u:object_r:user_home_dir_t

I think so...

-- 
Glenn English

Re: opengl problem with avidemux

[Sven Arvidsson]

On Mon, 2016-02-22 at 20:42 +0100, Nicolas George wrote:
> For the GUI, probably not.
> 
> For the preview of the video, why not? Sync with monitor refresh is
> not
> available in plain X11 and YUV->RGB conversion is expensive.

Right, it probably uses OpenGL for previews and filters, but it
shouldn't impact the font rendering in the GUI.

-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5



signature.asc
Description: This is a digitally signed message part

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Charlie Kravetz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 22 Feb 2016 20:50:55 +0100
"Thomas Schmitt"  wrote:

>Hi,
>
>> Cannot say more, but the article is rather detailed.  
>
>It tells a lot about the hack and the Mint people are bravely answering
>questions.
>But my curiosity is about whether i indirectly helped the hackers.
>
>I cannot prevent such misuse of xorriso, neither practically nor legally.
>The GPL does not discriminate evil people. On the short view this might
>appear bad, but in depth it is a very wise position of Richard Stallman and
>the FSF. At least we do not risk to deny Giordano Bruno the license for ink.
>
>Nevertheless:
>
>Be Cursed, Ye Abusers Of Innocent ISO Programs !
>
>
>Have a nice day :)
>
>Thomas
>

There are several articles out now, including one that is an interview
with the hacker. Google is your friend today.

- -- 
Charlie Kravetz
Linux Registered User Number 425914
[http://linuxcounter.net/user/425914.html]
Never let anyone steal your DREAM.   [http://keepingdreams.com]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJWy24yAAoJEIqui46mydCA2hoH/jVvrWYBWFiQt9B6zglrTDn7
yDaKiFURAu0Vc5up/HqKHhcznao2N0Gd7gBbUC0EN0syHgkk4c3rzEDJOWJsgexL
bW4OPVYk6KcK2rlUaSh2PORehaDP32WVnQNstheNmYu7WroahkFysTGxlLg21qyT
IKHDyfIseKDEc7KsbiBPz6c22niWBk7a6GrkblLOV0bmh4TB4xIsK9TagGFx3j3W
8/uEARw/lrUqwzJcci6ijJQUyL46XynTnm4JvoL67a/UYIYLDj+ZOF6yzKagb1gN
9plJ8ePuBoNvm2nK5o3cAJCUlfOoAO6LQBimz3pfAaZDdcrKsSPDOYETJtvZlvs=
=nhPy
-END PGP SIGNATURE-

Re: dovecot -- Require different setting for mail_location for each of POP3S and IMAPS protocols

[Andrew McGlashan]

Hi,

On 23/02/2016 4:27 AM, Christian Seiler wrote:
> On 02/22/2016 06:00 PM, Andrew McGlashan wrote:
>> I've tried getting this answered on dovecot mailing list, but not
>> having success so far; so I'm trying here too now (considering it is a
>> Debian system that was upgraded from squeeze-lts to wheezy).
> 
> Not tested, but you could try the following (10-mail.conf): set
> location = Maildir in the "namespace private", but set
> mail_location = mbox globally. Since namespaces are an IMAP feature,
> it might be the case that the POP3 server doesn't evaluate the
> namespace stuff at all, and then you'd have two separate settings.
> 
> No idea if that will actually work.

I think that will be too risky to try -- I wish I had a proper
test server for it.


Okay, I've decided to simplify things. It is now POP3S or IMAPS, not
both.


I've adjusted POP3S only users to have their mbox emails in
their Maildir folder.  And advised IMAPS users that they can no longer
do POP3s with a separate email store.


 # mb2md -s /var/mail/$TARGET_USER -d /tmp/$TARGET_USER
 # chown $TARGET_USER:$TARGET_USER /tmp/$TARGET_USER/cur/1*
 # mv /tmp/$TARGET_USER/cur/1* $TARGET_USER_HOME/Maildir/cur/


Also adjusted all the .forward file to save all new emails to Maildir
folders.

Now, I expect that those that only use POP3S, then the emails will be
deleted after "x" number of days, as per their client setup.

Thank you for the ideas.

Kind Regards
AndrewM

Re: BIND problem

[Reco]

Hi.

On Mon, 22 Feb 2016 13:07:44 -0700
Glenn English  wrote:

> 
> > On Feb 22, 2016, at 3:14 AM, Reco  wrote:
> > 
> > Please post the output of:
> > 
> > ls -ald /var/cache/bind/slaves
> 
> drwxrwxr-x 2 bind bind 4096 Feb  5 07:52 /var/cache/bind/slaves
> 
> > lsattr /var/cache/bind/slaves
> 
> -e-- /var/cache/bind/slaves/db.172.16.0
> -e-- /var/cache/bind/slaves/db.richeyrentals.com
> -e-- /var/cache/bind/slaves/db.richeyrentals.dmz
> -e-- /var/cache/bind/slaves/db.richeyrentals.lan
> 
> > getfacl /var/cache/bind/slaves
> 
> getfacl: Removing leading '/' from absolute path names
> # file: var/cache/bind/slaves
> # owner: bind
> # group: bind
> user::rwx
> group::rwx
> other::r-x

Ok, so nothing out of place here.


> > Also, do you have SELinux enabled?
> 
> root@log:/etc# egrep -ir SELinux *
 
> I think so...

No, that's not how you check it. Every Debian system has those records.
I meant something like 'ls -alZ /'.


And having looking on all those permissions - I have an idea. Two,
actually.

First, what does contents of /etc/default/bind9 look like?

Second, can you install auditd please and run
'auditctl -w /var/cache/bind/slaves/ -p wa' afterward?
A contents of /var/log/audit/audit.log would be invaluable to
troubleshoot this problem. Of course, it would be also required for
bind to fail to dump a zone at least once. 

Reco

Re: BIND problem

[Glenn English]

> On Feb 22, 2016, at 1:59 PM, Reco  wrote:
> 
> No, that's not how you check it. Every Debian system has those records.
> I meant something like 'ls -alZ /'.

drwxr-xr-x  25 root   root?  4096 Jun  6  2014 .
drwxr-xr-x  25 root   root?  4096 Jun  6  2014 ..
drwxr-xr-x   2 root   root?  4096 Feb 19 10:26 bin
drwxr-xr-x   3 root   root?  4096 Jan  7 21:40 boot
drwxr-xr-x  14 root   root?  3380 Feb 22 02:34 dev
drwxr-xr-x 127 root   root? 12288 Feb 22 14:12 etc
drwxr-xr-x   3 root   root?  4096 Aug 31 00:42 home
lrwxrwxrwx   1 root   root?30 Oct 11  2013 initrd.img -> 
/boot/initrd.img-3.2.0-4-amd64
drwxr-xr-x  15 root   root?  4096 Mar 17  2014 lib
drwxr-xr-x   2 root   root?  4096 Feb 17 07:36 lib64
drwx--   2 root   root? 16384 Oct 11  2013 lost+found
drwxr-xr-x   3 root   root?  4096 Oct 11  2013 media
drwxr-xr-x   2 root   root?  4096 Jun  2  2013 mnt
drwxr-xr-x   2 root   root?  4096 Oct 11  2013 opt
dr-xr-xr-x 149 root   root? 0 Feb 22 02:33 proc
drwxr-xr-x   3 root   root?  4096 Jun  6  2014 project
drwx--  23 root   root?  4096 Feb 21 20:24 root
drwxr-xr-x  22 root   root?   960 Feb 22 14:12 run
drwxr-xr-x   2 root   root?  4096 Feb 22 14:12 sbin
drwxr-xr-x   2 root   root?  4096 Jun 10  2012 selinux
drwxr-xr-x   3 root   root?  4096 Oct 11  2013 srv
drwxr-xr-x  13 root   root? 0 Feb 22 02:34 sys
drwxrwxrwx   4 nobody nogroup ?  4096 Apr  2  2014 tftpboot
drwxrwxrwt   7 root   root?  4096 Feb 22 14:17 tmp
drwxr-xr-x  11 root   root?  4096 Oct 11  2013 usr
drwxr-xr-x  14 root   root?  4096 Feb  8  2014 var
lrwxrwxrwx   1 root   root?26 Oct 11  2013 vmlinuz -> 
boot/vmlinuz-3.2.0-4-amd64

> First, what does contents of /etc/default/bind9 look like?

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
### OPTIONS="-u bind"
OPTIONS=" -4 -u bind"

> Second, can you install auditd please

Selecting previously unselected package auditd.
(Reading database ... 72472 files and directories currently installed.)
Unpacking auditd (from .../auditd_1%3a1.7.18-1.1_amd64.deb) ...
Processing triggers for man-db ...
Setting up auditd (1:1.7.18-1.1) ...

> and run
> 'auditctl -w /var/cache/bind/slaves/ -p wa' afterward?
> A contents of /var/log/audit/audit.log

type=DAEMON_START msg=audit(1456174952.726:9009): auditd start, ver=1.7.18 
format=raw kernel=3.2.0-4-amd64 auid=4294967295 pid=18137 res=success
type=CONFIG_CHANGE msg=audit(1456174952.825:2): audit_backlog_limit=320 old=64 
auid=4294967295 ses=4294967295 res=1
type=LOGIN msg=audit(1456174953.225:3): login pid=18158 uid=0 old 
auid=4294967295 new auid=118 old ses=4294967295 new ses=1
type=LOGIN msg=audit(1456174953.301:4): login pid=18183 uid=0 old 
auid=4294967295 new auid=118 old ses=4294967295 new ses=2
type=LOGIN msg=audit(1456174981.336:5): login pid=18250 uid=0 old 
auid=4294967295 new auid=1 old ses=4294967295 new ses=3
type=CONFIG_CHANGE msg=audit(1456174992.612:6): auid=4294967295 ses=4294967295 
op="add rule" key=(null) list=4 res=1

> it would be also required for
> bind to fail to dump a zone at least once. 

I hadn't read that part until after I ran auditctl. I think there'd been 
several failed dumps before then, so I looked at the logs in hopes of giving 
you proof, but auditctl kept saying "Error sending add rule data request (Rule 
exists)". So I uninstalled --purge'ed it (and deleted it's log) and reinstalled 
it and ran 'date ; auditctl -w /var/cache/bind/slaves/ -p wa'. That printed the 
date and nothing else. I ran auditctl again, by itself, and it repeated the 
error statement.

The logs say there have been many dump failures, so I'm pretty sure auditctl 
was run after a failed dump. I can't prove it, though.

-- 
Glenn English

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Dalios]

On 02/22/2016 09:23 PM, Thomas Schmitt wrote:

> Does anybody know a download URL for such an infected ISO image ?
> (I am curious whether they used my software or mkisofs or something
> unusual.)


Here you go:

https://mega.nz/#!QwY1EZKJ!GW1gLzXaOUo8sNGF-zddRLwgsfamZy7C5u0CARjaUs0

Have in mind that I found it in one of the thousand discussions on the
subject in forums, blogs etc. Can't remember where exactly and can't
guarantee that it is what it says that it is so take care...


Dalios

Re: opengl problem with avidemux

[Pierre Frenkiel]

On Mon, 22 Feb 2016, Nicolas George wrote:


Le quartidi 4 ventôse, an CCXXIV, Sven Arvidsson a écrit :

I'm not familiar with avidemux, but does it really use OpenGL to render
the GUI? 


For the GUI, probably not.

For the preview of the video, why not? Sync with monitor refresh is not
available in plain X11 and YUV->RGB conversion is expensive.


  in the preferences/Display menu, there are 2 lines related to OpenGl:
   the first one is labeled "video display". As I understand it, this
   means that the choice between X11 and OpenGL is actually for the video
   preview.
   the second one is "enable OpenGl support", which is rather confusing,
   as one may think that the "video display" setting was enough.
   In fact, I discovred that after checking this box, I also get
   the messsage
   "[initGUI]  OpenGL activated, initializing"...
   This means that my character's size problem is not related to OpenGl,
   but to something else. God knows what, but also may-be one of you.

cheers,
--
Pierre Frenkiel

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Thomas Schmitt]

Hi,

Dalios wrote:
> https://mega.nz/#!QwY1EZKJ!GW1gLzXaOUo8sNGF-zddRLwgsfamZy7C5u0CARjaUs0

Only wgets a small index.html file:
  meta name="description" content="MEGA provides free cloud storage with 
convenient and powerful always-on privacy. Claim your free 50GB now!"
Probably spam, i fear.

> Have in mind that I found it in one of the thousand discussions on the
> subject in forums, blogs etc.

Yeah. I tried to find any link to that dreaded bulgarian FTP server.
No success yet.
(I even have a MD5 to identify the evil ISO: 7d590864618866c225ede058f1ba61f0
from the discussion at Mint's makeshift home.)

Well, it's purely academic. Even if i learn that xorriso was used,
i cannot keep people from bending other people's bytes.


Have a nice day :)

Thomas

Re: opengl problem with avidemux

[Sven Arvidsson]

On Mon, 2016-02-22 at 23:06 +0100, Pierre Frenkiel wrote:
> On Mon, 22 Feb 2016, Nicolas George wrote:
> 
> > Le quartidi 4 ventôse, an CCXXIV, Sven Arvidsson a écrit :
> >> I'm not familiar with avidemux, but does it really use OpenGL to
> render
> >> the GUI? 
> >
> > For the GUI, probably not.
> >
> > For the preview of the video, why not? Sync with monitor refresh is
> not
> > available in plain X11 and YUV->RGB conversion is expensive.
> 
>    in the preferences/Display menu, there are 2 lines related to
> OpenGl:
>     the first one is labeled "video display". As I understand it,
> this
>     means that the choice between X11 and OpenGL is actually for the
> video
>     preview.
>     the second one is "enable OpenGl support", which is rather
> confusing,
>     as one may think that the "video display" setting was enough.
>     In fact, I discovred that after checking this box, I also get
>     the messsage
>     "[initGUI]  OpenGL activated, initializing"...
>     This means that my character's size problem is not related to
> OpenGl,
>     but to something else. God knows what, but also may-be one of
> you.

From what I can tell from Google, avidemux comes in both GTK+ (2.x?)
and Qt flavours. If you got it from deb-multimedia it's probably qt4,
so you'll probably need to figure out how to set the fonts with
something like qt4-qtconfig?

I'm not sure why your other users don't have the same problem, but
maybe you are running different desktop environments?

At least that's my be best guess, I always reserve the right to be
totally and utterly wrong ;)

-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5



signature.asc
Description: This is a digitally signed message part

Re: BIND problem

[Reco]

On Mon, 22 Feb 2016 14:33:03 -0700
Glenn English  wrote:

> 
> > On Feb 22, 2016, at 1:59 PM, Reco  wrote:
> > 
> > No, that's not how you check it. Every Debian system has those records.
> > I meant something like 'ls -alZ /'.
> 
> drwxr-xr-x  25 root   root?  4096 Jun  6  2014 .
> drwxr-xr-x  25 root   root?  4096 Jun  6  2014 ..
> drwxr-xr-x   2 root   root?  4096 Feb 19 10:26 bin
> drwxr-xr-x   3 root   root?  4096 Jan  7 21:40 boot
> drwxr-xr-x  14 root   root?  3380 Feb 22 02:34 dev
> drwxr-xr-x 127 root   root? 12288 Feb 22 14:12 etc
> drwxr-xr-x   3 root   root?  4096 Aug 31 00:42 home
> lrwxrwxrwx   1 root   root?30 Oct 11  2013 initrd.img -> 
> /boot/initrd.img-3.2.0-4-amd64
> drwxr-xr-x  15 root   root?  4096 Mar 17  2014 lib
> drwxr-xr-x   2 root   root?  4096 Feb 17 07:36 lib64
> drwx--   2 root   root? 16384 Oct 11  2013 lost+found
> drwxr-xr-x   3 root   root?  4096 Oct 11  2013 media
> drwxr-xr-x   2 root   root?  4096 Jun  2  2013 mnt
> drwxr-xr-x   2 root   root?  4096 Oct 11  2013 opt
> dr-xr-xr-x 149 root   root? 0 Feb 22 02:33 proc
> drwxr-xr-x   3 root   root?  4096 Jun  6  2014 project
> drwx--  23 root   root?  4096 Feb 21 20:24 root
> drwxr-xr-x  22 root   root?   960 Feb 22 14:12 run
> drwxr-xr-x   2 root   root?  4096 Feb 22 14:12 sbin
> drwxr-xr-x   2 root   root?  4096 Jun 10  2012 selinux
> drwxr-xr-x   3 root   root?  4096 Oct 11  2013 srv
> drwxr-xr-x  13 root   root? 0 Feb 22 02:34 sys
> drwxrwxrwx   4 nobody nogroup ?  4096 Apr  2  2014 tftpboot
> drwxrwxrwt   7 root   root?  4096 Feb 22 14:17 tmp
> drwxr-xr-x  11 root   root?  4096 Oct 11  2013 usr
> drwxr-xr-x  14 root   root?  4096 Feb  8  2014 var
> lrwxrwxrwx   1 root   root?26 Oct 11  2013 vmlinuz -> 
> boot/vmlinuz-3.2.0-4-amd64

So, the result has question marks instead of SELinux labels. This rules
out SELinux completely. Audit log would include SELinux violations
anyway, but still - simplest methods are the best :)


> > First, what does contents of /etc/default/bind9 look like?
> 
> # run resolvconf?
> RESOLVCONF=yes
> 
> # startup options for the server
> ### OPTIONS="-u bind"
> OPTIONS=" -4 -u bind"

And again, your usual run-of-the-mill Debian bind configuration file,
nothing to see here.


> > Second, can you install auditd please
> 
> Selecting previously unselected package auditd.
> (Reading database ... 72472 files and directories currently installed.)
> Unpacking auditd (from .../auditd_1%3a1.7.18-1.1_amd64.deb) ...
> Processing triggers for man-db ...
> Setting up auditd (1:1.7.18-1.1) ...
> 
> > and run
> > 'auditctl -w /var/cache/bind/slaves/ -p wa' afterward?
> > A contents of /var/log/audit/audit.log
> 
> type=DAEMON_START msg=audit(1456174952.726:9009): auditd start, ver=1.7.18 
> format=raw kernel=3.2.0-4-amd64 auid=4294967295 pid=18137 res=success
> type=CONFIG_CHANGE msg=audit(1456174952.825:2): audit_backlog_limit=320 
> old=64 auid=4294967295 ses=4294967295 res=1
> type=LOGIN msg=audit(1456174953.225:3): login pid=18158 uid=0 old 
> auid=4294967295 new auid=118 old ses=4294967295 new ses=1
> type=LOGIN msg=audit(1456174953.301:4): login pid=18183 uid=0 old 
> auid=4294967295 new auid=118 old ses=4294967295 new ses=2
> type=LOGIN msg=audit(1456174981.336:5): login pid=18250 uid=0 old 
> auid=4294967295 new auid=1 old ses=4294967295 new ses=3
> type=CONFIG_CHANGE msg=audit(1456174992.612:6): auid=4294967295 
> ses=4294967295 op="add rule" key=(null) list=4 res=1
> 
> > it would be also required for
> > bind to fail to dump a zone at least once. 
> 
> I hadn't read that part until after I ran auditctl. I think there'd been 
> several failed dumps before then, so I looked at the logs in hopes of giving 
> you proof, but auditctl kept saying "Error sending add rule data request 
> (Rule exists)". So I uninstalled --purge'ed it (and deleted it's log) and 
> reinstalled it and ran 'date ; auditctl -w /var/cache/bind/slaves/ -p wa'. 
> That printed the date and nothing else. I ran auditctl again, by itself, and 
> it repeated the error statement.

Sorry, I forgot to add. To clear out audit rules you need to issue
'auditctl -D'. To view existing ones you need to issue 'auditctl -l'.
Reinstalling the package would clear the rules along the way, of
course.


> The logs say there have been many dump failures, so I'm pretty sure auditctl 
> was run after a failed dump. I can't prove it, though.

And that leaves us exactly one possible explanation for this.

/var has 755 permissions, and owner:group of root.
/var/cache/bind/slaves has 775 permission, and owner:group of bind.

Since bind user is unable to write to /var/cache/bind/slaves, and audit
is unable to catch failed writes there - that can only mean that bind
user is unable to chdir to either /var/cache or /var/cache/bind.

So, what permissions does /var/cache and /var/cache/bind have?

Reco

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Sven Hartge]

Thomas Schmitt  wrote:
> Dalios wrote:

>> https://mega.nz/#!QwY1EZKJ!GW1gLzXaOUo8sNGF-zddRLwgsfamZy7C5u0CARjaUs0

> Only wgets a small index.html file:
>   meta name="description" content="MEGA provides free cloud storage with 
> convenient and powerful always-on privacy. Claim your free 50GB now!"
> Probably spam, i fear.

You cannot wget a mega.nz URL. You have to use a Javascript-enabled
Browser to get the file.

S°

-- 
Sigmentation fault. Core dumped.

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Thomas Schmitt]

Hi,

Sven Hartge wrote:
> You cannot wget a mega.nz URL. You have to use a Javascript-enabled
> Browser to get the file.

Shall i really enable insecure Javascript to download a malicious ISO ?

... google ... Kim Schmitz ... rofl ... i am not that curious.


Have a nice day :)

Thomas

Re: BIND problem

[Glenn English]

> On Feb 22, 2016, at 3:16 PM, Reco  wrote:
> 
> So, what permissions does /var/cache and /var/cache/bind have?

root@log:~# ls -lh /var/cache/bind
total 48K
-rw-rw-r-- 1 bind bind  221 Oct 12  2013 managed-keys.bind
-rw-rw-r-- 1 bind bind  512 Oct 12  2013 managed-keys.bind.jnl
drwxrwxr-x 2 bind bind 4.0K Feb 16 19:19 masters
-rw-rw-r-- 1 bind bind  30K Feb 22 00:32 named_dump.db
drwxrwxr-x 2 bind bind 4.0K Feb  5 07:52 slaves

root@log:~# ls -lh /var/cache/
total 48K
drwxr-xr-x  3 root root 4.0K Feb  8  2014 apache2
drwxr-xr-x  3 root root 4.0K Feb 22 14:12 apt
drwxr-xr-x  4 bind bind 4.0K Feb 22 02:34 bind
drwxrwxr-x  3 root lp   4.0K Feb 22 06:25 cups
drwxr-xr-x  2 root root 4.0K Feb 22 14:12 debconf
drwxr-xr-x  2 root root 4.0K Oct 11  2013 dictionaries-common
drwxr-xr-x  2 root root 4.0K Oct 29  2013 fontconfig
drwxr-xr-x  2 root root 4.0K Nov 24  2012 git
drwx--  2 root root 4.0K Feb 17 07:36 ldconfig
drwxr-sr-x 38 man  root 4.0K Feb 22 14:12 man
drwxr-xr-x  2 root root 4.0K Jan 16  2012 pm-utils
drwxr-xr-x  2 root root 4.0K Aug 15  2013 samba

-- 
Glenn English

Re: BIND problem

[Reco]

On Mon, 22 Feb 2016 15:33:54 -0700
Glenn English  wrote:

> 
> > On Feb 22, 2016, at 3:16 PM, Reco  wrote:
> > 
> > So, what permissions does /var/cache and /var/cache/bind have?
> 
> root@log:~# ls -lh /var/cache/bind
> total 48K
> -rw-rw-r-- 1 bind bind  221 Oct 12  2013 managed-keys.bind
> -rw-rw-r-- 1 bind bind  512 Oct 12  2013 managed-keys.bind.jnl
> drwxrwxr-x 2 bind bind 4.0K Feb 16 19:19 masters
> -rw-rw-r-- 1 bind bind  30K Feb 22 00:32 named_dump.db
> drwxrwxr-x 2 bind bind 4.0K Feb  5 07:52 slaves
> 
> root@log:~# ls -lh /var/cache/
> total 48K
> drwxr-xr-x  3 root root 4.0K Feb  8  2014 apache2
> drwxr-xr-x  3 root root 4.0K Feb 22 14:12 apt
> drwxr-xr-x  4 bind bind 4.0K Feb 22 02:34 bind
> drwxrwxr-x  3 root lp   4.0K Feb 22 06:25 cups
> drwxr-xr-x  2 root root 4.0K Feb 22 14:12 debconf
> drwxr-xr-x  2 root root 4.0K Oct 11  2013 dictionaries-common
> drwxr-xr-x  2 root root 4.0K Oct 29  2013 fontconfig
> drwxr-xr-x  2 root root 4.0K Nov 24  2012 git
> drwx--  2 root root 4.0K Feb 17 07:36 ldconfig
> drwxr-sr-x 38 man  root 4.0K Feb 22 14:12 man
> drwxr-xr-x  2 root root 4.0K Jan 16  2012 pm-utils
> drwxr-xr-x  2 root root 4.0K Aug 15  2013 samba

OK, three small details are missing from the puzzle.

First one is 'ls -ald /var/cache'.

Second one is 'sudo -u touch /var/cache/bind/slaves/1'.
'su -l bind -c "touch /var/cache/bind/slaves/1"' should do it too since
you have an interactive login shell for bind.

Third one (hey, you never know) is 'ls -ald /'.

Reco

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Gener Badenas]

On Wed, Feb 17, 2016 at 10:08 PM, Tom Browder  wrote:

> I have several remote Debian 7 servers and would like to secure it in
> the following manner:
>
> 1. root will not be allowed any external access (access is only via a
> user becoming root while logged in)
>
> 2. after initial setup, no ssh access will be allowed via a password
>
> I have seen much documentation on securing such a host, but I don't
> want to be an expert--I just need a recipe.
>

You need to open /etc/ssh/sshd_config and the right settings are obvious
from there.  But I would suggest you setup a key pair login and test it
before applying these changes. Otherwise you might be locked out.  But you
might be able to VNC to it just in case.



>
> Many thanks.
>
> Best regards,
>
> -Tom
>
>


-- 
Code , code , code
, and code 

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Gener Badenas]

On Tue, Feb 23, 2016 at 3:23 AM, Thomas Schmitt  wrote:

> Hi,
>
> > http://thehackernews.com/2016/02/linux-mint-hack.html
>
> A virus of 1.5 GiB size.
>
> Does anybody know a download URL for such an infected ISO image ?
> (I am curious whether they used my software or mkisofs or something
> unusual.)
>

Will people downloading the linix mint from torrent be affected?


>
> Have a nice day :)
>
> Thomas
>
>


-- 
Code , code , code
, and code 

Re: BIND problem

[Glenn English]

> On Feb 22, 2016, at 3:58 PM, Reco  wrote:
> 
> First one is 'ls -ald /var/cache'.

root@log:~# ls -ald /var/cache
drwxr-xr-x 14 root root 4096 Oct 12  2013 /var/cache

> Second one is 'sudo -u touch /var/cache/bind/slaves/1'.

sudo: unknown user: touch
sudo: unable to initialize policy plugin

(Should there have been a "bind" after the '-u'? I just tried that, and it 
returns an empty line.)

> 'su -l bind -c "touch /var/cache/bind/slaves/1"' should do it too since
> you have an interactive login shell for bind.

That one replies with an empty line. BIND's shell is still BASH (I thought I'd 
deleted that long ago).

If I do 'su -l bind -c "touch /var/cache/bind/slaves/1" ; echo $?', it prints 
'0'.

> Third one (hey, you never know) is 'ls -ald /'.

drwxr-xr-x 25 root root 4096 Jun  6  2014 /

...

Wait a minute. I just took a look at today's DNS log with 'cat /var/log/daemon 
| egrep permission' and I see at the bottom:

Feb 22 02:15:07 log named[20117]: dumping master file: 
/var/cache/bind/slaves/tmp-7OngiRhduG: open: permission denied
Feb 22 02:23:31 log named[20061]: dumping master file: 
/var/cache/bind/slaves/tmp-jpxayKBERz: open: permission denied
Feb 22 02:29:31 log named[20117]: dumping master file: 
/var/cache/bind/slaves/tmp-KvIK8XPZRW: open: permission denied

That says to me that the problem stopped around 2AM last night, no? I think 
that's about the time I rebooted the server -- I don't remember why. If that's 
true, something got well of natural causes, and I apologize tremendously for 
the noise. 

The 2 PIDs could very well be because I had 2 BINDs running for a while trying 
to figure this out -- one as user bind, and one as root. There's a command in 
my history file to kill 20061.

'logwatch --range today' prints (about the DNS dumps):

dumping master file: /var/cache/bind/slaves/tmp-18yeqdeUo7: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-5cVqqTAnb6: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-5n3f6qn0Cj: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-7OngiRhduG: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-8m09QHZPqR: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-93yzSn2HVG: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-KQi00ADskK: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-KnYb1BM7ho: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-KvIK8XPZRW: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-Mvis5kMjqB: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-NB1hVFYTQ3: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-RbEDOfprSt: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-Tr7TNyn2pB: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-X7frzE1EHg: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-fHVyGM1SqQ: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-fSPdEwQTGO: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-h28gNDyR7n: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-jpxayKBERz: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-n99ZL1tdSc: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-pPGgsIYF9T: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-qbxXuXSlvZ: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-ucvOB7hKDt: open: 
permission denied: 1 Time(s)
dumping master file: /var/cache/bind/slaves/tmp-yhcq7G3STF: open: 
permission denied: 1 Time(s)

The day isn't over yet, but compared to the last few days, that does seem like 
a pretty small number of failed dumps.

'cat /var/log/daemon.log | egrep '^Feb 22.*tmp-' | sort -k9' (sorted on 
filename to match logwatch's sorting it's lines) prints:

Feb 22 01:57:18 log named[20061]: dumping master file: 
/var/cache/bind/slaves/tmp-18yeqdeUo7: open: permission denied
Feb 22 00:14:54 log named[20117]: dumping master file: 
/var/cache/bind/slaves/tmp-5cVqqTAnb6: open: permission denied
Feb 22 00:25:48 log named[20061]: dumping master file: 
/var/cache/bind/slaves/tmp-5n3f6qn0Cj: open: permission denied
Feb 22 02:15:07 log named[20117]: dumping master file: 
/var/cache/bind/slaves/tmp-7OngiRhduG: open: permission denied
Feb 22 00:51:46 log named[20061]: dumping master file: 
/var/cache/bind/slaves/tmp-8m09QHZPqR: open: permission denied
Feb 22 01:24:08 log named[20117]: dumping master file: 
/var

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Glenn English]

> On Feb 22, 2016, at 6:39 PM, Gener Badenas  
> wrote:
> 
> Will people downloading the linix mint from torrent be affected?

Don't think so. 

Google (or DuckDuckGo) for 'linux mint hacked' and you'll get lots of info with 
no "Click Here" buttons. 


One I found that way said torrent downloads weren't infected. Besides, it's all 
fixed now, and the backdoor code didn't work anyway.


-- 
Glenn English

Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

[Thomas Schmitt]

Hi,

Gener Badenas wrote:
> Will people downloading the linix mint from torrent be affected?

http://blog.linuxmint.com/?p=2994

"Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon
edition.
If you downloaded another release or another edition, this does not affect you.
If you downloaded via torrents or via a direct HTTP link, this doesn’t affect
you either.
Finally, the situation happened today, so it should only impact people who
downloaded this edition on February 20th."


Have a nice day :)

Thomas