Re: [arch-general] Thunderbird 78
Hello Nico,

You cannot use gpg for public key operations but for secret key ops. Please follow the instructions for smartcards (no smartcard daemon needed obviously):

https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

Then you can use the external gpg with your ~/.gnupg for decryption and signing.

Best wishes,
NTS

On 28 Nov 2020 9:36 a.m., "NicoHood" wrote:

Thunderbird 78 is in the repos for quite some time now. Can anyone please explain me what is the best way to use GPG now for email encryption?

I read that Archlinux aims to use the system wide gpg keyring instead of thunderbirds builtin store. Is that still the case and is that implemented yet?

Thunderbird asks me to migrate my keys, and I am not sure, if I should not wait a few more days. Having the private key in multiple places is really not the best idea in my opinion.

Depending on the current state we could also add a news on the archlinux website or at least update the wiki:
https://wiki.archlinux.org/index.php/Thunderbird/Enigmail

Cheers
Nico
Re: [arch-general] busted system after update
On one LVM on LUKS system I always enter an emergency shell upon boot and need to do "mount /dev/mapper/cryptolvm_root /new_root" - never got round to correcting the grub2.cfg.

On Mon, 16 Nov 2020 at 21:10, Ben Oliver via arch-general wrote:
>
> Many of us have been there! Earlier this year I overwrote /etc/shadow with
> pacnew in a moment of madness.
Re: [arch-general] root login @ console
On Fri, 13 Nov 2020 at 16:06, Jack Frost via arch-general wrote:
>
> So I foo-bared my /home partition, no big deal, done it before, and I
> keep good backups. I boot to single mode and get to a prompt. My
> regular user is gone so I try to just login at the console (no X) as
> root. It doesn't work. I know I set the root password.
>
> What setting is preventing root from being able to authenticate.

In a runlevel S console perhaps the keymap isn't set, try typing in a visible field to check if you use special chars in your passwd.
Re: [arch-general] Problem with GPG Access Rules
On Mon, 12 Oct 2020 at 13:12, Jörg Jellissen wrote:
>
> Hello,
>
> no it doesn't work yet
>
> now i have changed like this
>
> chmod -R go= ~/.gnupug
>
> but in evolution comes a minimal different error
>
> Detailed error message: Output from gpg2:
> gpg: write after '-'
> gpg: pinentry launched (6884 curses 1.1.0 - -: 0)
> gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the
> device
> gpg: signing failed: Unsuitable IOCTL (I / O control) for the device
>
>
> and the ls -lah says
>
> drwx------  3 joerg users 4,0K 12. Okt 13:07 .
> drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
> drwx------  2 joerg users 4,0K  9. Okt 21:13 private-keys-v1.d
> -rw-------  1 joerg users 2,5K  9. Okt 21:13 pubring.kbx
> -rw-------  1 joerg users   32  9. Okt 21:13 pubring.kbx~
> -rw-------  1 joerg users    7 10. Okt 19:41 reader_0.status
> -rw-------  1 joerg users 1,3K  9. Okt 21:13 trustdb.gpg
>
> i forgot to say that i have my key transferred to a yubikey
> (PIV=Smartcard) but the key is plugged in the usb device

OK, in that case make sure scdaemon is installed and running as your user. It's best to start it every time with your graphical shell/session. The private-keys-v1.d will only have a "stub" key and reference the card.

Best,
NTS
Re: [arch-general] Problem with GPG Access Rules
On Mon, 12 Oct 2020 at 12:31, Filipe Laíns via arch-general wrote:
>
> On Mon, 2020-10-12 at 13:08 +0200, Jörg Jellissen wrote:
> Hello,
>
> i have a problem with my access rules on my ~/.gnupg folder. The reason
> is that i can't sign any e-mails .
>
> the warning message was that the access rules to the folder are too
> open
>
> but which rights are correct?
>
> i have looked in the folder and my rights looks like this
>
> drwxr-xr-x  3 joerg users 4,0K 12. Okt 12:57 .
> drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
> drwx------  2 joerg users 4,0K  9. Okt 21:13 private-keys-v1.d
> -rw-r--r--  1 joerg users 2,5K  9. Okt 21:13 pubring.kbx
> -rw-------  1 joerg users   32  9. Okt 21:13 pubring.kbx~
> -rw-r--r--  1 joerg users    7 10. Okt 19:41 reader_0.status
> -rw-------  1 joerg users 1,3K  9. Okt 21:13 trustdb.gpg
>
> is this correct for gpg / Kleopatra?

No, please chmod -R go= ~/.gnupg

> the translated output was
>
> Detailed error message: Output from gpg2:
> gpg: WARNING: Insecure access rights of the home directory
> `/home/joerg/.gnupg '
> gpg: write after '-'
> gpg: pinentry launched (5745 curses 1.1.0 - -: 0)
> gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the
> device
> gpg: signing failed: Unsuitable IOCTL (I / O control) for the device
>
>
> Many thanks for helpers
>
> Seems like there is an issue with the pinentry binary. It does not seem
> to be compatible with your system. IOCTL are a way to interface with
> the kernel, they export extra "functions" in file descriptors that you
> can call. Your system does not support whatever the pinentry is trying
> to use.
If you still have a problem you could try using a different pinentry binary, there are usually several using different/no graphical toolkit(s):

$ ll /usr/bin/*pinentry*
-rwxr-xr-x 1 root root   3071 Aug 25 22:35 /usr/bin/pinentry*
-rwxr-xr-x 1 root root  56792 Aug 25 22:35 /usr/bin/pinentry-curses*
-rwxr-xr-x 1 root root  52536 Aug 25 22:35 /usr/bin/pinentry-emacs*
-rwxr-xr-x 1 root root  77760 Aug 25 22:35 /usr/bin/pinentry-gnome3*
-rwxr-xr-x 1 root root  90560 Aug 25 22:35 /usr/bin/pinentry-gtk-2*
-rwxr-xr-x 1 root root 123664 Aug 25 22:35 /usr/bin/pinentry-qt*
lrwxrwxrwx 1 root root     11 Aug 25 22:35 /usr/bin/pinentry-qt4 -> pinentry-qt*
lrwxrwxrwx 1 root root     11 Aug 25 22:35 /usr/bin/pinentry-qt5 -> pinentry-qt*
-rwxr-xr-x 1 root root  52408 Aug 25 22:35 /usr/bin/pinentry-tty*

Perhaps a different one will work (because it may not use that functionality). That helped me once. The first suggestion will more likely help here, though.

Best wishes,
NTS
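
An added example, not part of the thread: a shell audit for the condition behind gpg's "Insecure access rights" warning, with the chmod -R go= fix from the reply above as an option. The function names are made up for this example, and -perm /077 assumes GNU find.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GnuPG home directory for
# group/other access and optionally apply the fix given in the thread.

# List directories and files under $1 that grant any bit to group or others.
# -perm /077 is GNU find syntax.
gnupg_loose_paths() {
    find "$1" \( -type d -o -type f \) -perm /077 -print
}

# gnupg_audit [DIR] [fix]
#   DIR defaults to $GNUPGHOME, then ~/.gnupg.
#   Returns 0 = private, 1 = loose paths remain, 2 = DIR missing.
gnupg_audit() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    mode=${2:-report}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    loose=$(gnupg_loose_paths "$dir")
    if [ -z "$loose" ]; then
        echo "ok: nothing under $dir is accessible to group or others"
        return 0
    fi
    echo "accessible to group/others:"
    # Show mode, owner and path for each finding.
    printf '%s\n' "$loose" | while IFS= read -r p; do
        ls -ld "$p"
    done
    if [ "$mode" = fix ]; then
        # Same command as in the thread: clear all group and other bits.
        chmod -R go= "$dir"
        loose=$(gnupg_loose_paths "$dir")
        [ -z "$loose" ] && { echo "fixed: $dir"; return 0; }
    fi
    return 1
}
```

Run gnupg_audit to report only, or gnupg_audit ~/.gnupg fix to tighten the permissions and re-check.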
Re: [arch-general] dash as default shell?
On 17 Jun 2020 8:36 p.m., "David Rosenstrauch" wrote:

On 6/17/20 2:18 PM, Piscium via arch-general wrote:
> Today I set dash as my default shell [1] on two PCs. We will see if I
> get into trouble.
>
> This question was asked years ago but maybe good to ask again. Could
> dash be made the default shell in Arch?
>

Couldn't you just set it as the default for your user using chsh?

Yes, that would probably be more safe. Also, you could have a user "doot" or whatever name with user ID 0 and shell /bin/dash to log in as a sys admin with dash. Alternatively when you "su" interactively you could instead do "sudo dash". Used to do the same (new user with ID 0 I mean) under Solaris and it worked flawlessly.

Best regards,
NTS
Re: [arch-general] pacman system update - Why am I prompted to import a specific key?
Hello David,

The way I understand it the key was not "in the wild" but on his laptop. So no bug in sight, large or small. Not that it is very relevant here but just to make sure no-one gets a wrong impression of our dev.

Best wishes,
NTS

On 13 Jun 2020 6:46 p.m., "David C. Rankin" wrote:

On 06/12/2020 09:24 PM, mpan wrote:
>> On update today (yesterday's updates went fine), I am prompted to approve
>> import of the following key a number of times: […]
>> :: Import PGP key 3B94A80E50A477C7, "Jan Alexander Steffens (heftig) […]
> Oh, “the heftig bug” ;). While Simon Wilper has provided the solution,
> here is some background:
>
> “[…] I replaced it to get a clean break for a new key, which I'm
> treating more securely from the beginning (no secret keys on the
> laptop, just subkeys on a yubikey and the master key on a few
> backups)” —heftig
>
> -Syu often to avoid problems.
>

Oh So there was a private key that escaped into the wild... That would be a big bug... Thank you for the background.

I generally -Syu daily (at most every few days) -- which is why this event immediately jumped out as not normal. I hope he got the laptop back :p

--
David C. Rankin, J.D.,P.E.
Re: [arch-general] community/NUT access cgi in /usr/share/nut/cgi without FollowSymLinks?
Hello David,

On 6 Jun 2020 10:33 a.m., "David C. Rankin" wrote:

On 06/05/2020 04:04 AM, Maxime Gauduin via arch-general wrote:
>
> Hi David,
>
> I haven't used apache in years so please take this with a grain of
> salt. On nginx I'm using the alias directive, restricting access to
> the upsset.cgi to my local network [0], as suggested by the nut
> documentation in /etc/upsset.conf. It seems apache has a similar alias directive so you may be able to achieve the same without using any symlink [1].
>
> [0] https://paste.xinu.at/BNUJFeuBycXUw8fB/
> [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
>
> Cheers,
>

Thanks for the reply, I already use the alias for the html directory, but the problem is with the cgi scripts since the default cgi-bin directory is /srv/http/cgi-bin, you cannot declare a second alias for cgi-bin to /usr/share/nut/cgi -- apache will fail to start due to conflicting aliases.

That would work with location statements in nginx. You can use more than one per path and the best fitting one will be used. Perhaps you could switch over to nginx and/or reverse proxy to your Apache if you need it for some paths?

Currently I have:

## nut directory
Alias /nut/ "/usr/share/nut/html/"
Alias /nut "/usr/share/nut/html/"
...
Options +ExecCGI

The problem is that the link in the nut files is hardwired to, e.g.:

http://yourdomain.tld/cgi-bin/nut/upsstats.cgi

so it looks for the cgi-bin directory off of the document root not under /usr/share/nut/cgi and you can't alias to /cgi-bin/nut to /usr/share/nut/cgi because /cgi-bin/nut will never match due to the default alias of /cgi-bin.

So it looks like the way I have it will have to work, otherwise we have to hack the urls in the nut/html files to look for the cgi scripts in /usr/share/nut/cgi instead of under /cgi-bin/nut

--
David C. Rankin, J.D.,P.E.

Best wishes,
NTS
Re: [arch-general] Iptables
Hello Silvio,

First of all, great idea and nice script! Two small things:

- The ssh port is fixed as TCP port 12500. Since 12500 >1024 this is a non-privileged port which is a security risk. Ports < 1024 can only be opened (here: state LISTEN) by root, others by everyone. If a user manages to crash your sshd then they can start their own service at that port. Even though ssh has protection against MitM by means of key fingerprints the attacker can at least keep you from starting sshd by blocking that port (not ideal on a remote server).

- You test a Debian release version to see whether to use /usr/sbin/iptables-nft or /usr/sbin/iptables . More portable and more simple would be to test for -x /usr/sbin/iptables-nft .

Best wishes,
NTS

On Tue, 11 Feb 2020 at 14:26, Genes Lists via arch-general wrote:
>
>
> Hi Silvio
>
> One general comment - your script uses the iptables command for each
> rule - this is extremely inefficient. This is probably not a big deal in
> your case but I'll mention it anyway.
>
> Far better way is to output the firewall in the same format as
> iptables-save uses, then simply use iptables-restore to load the
> firewall rules - this reads the entire set of rules and ask the kernel
> to install them all in one shot. This is essentially just dropping the
> '$IPT' part for each rule plus a slightly different way to define chains
> and set the default policies.
>
> One way to see the format is simply to use iptables-save on existing
> firewall. This is the format used by iptables to save / restore rules.
>
> best
>
> gene
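
An added example, not Silvio's script and not code posted in this thread: the -x test for choosing the binary and the iptables-save format loaded with one iptables-restore call, as the two messages above suggest. The function names and the small ruleset are constructed for illustration; the port is passed in as an argument.

```shell
#!/bin/sh
# Added example: choose the iptables binary with an -x test and load a
# ruleset written in iptables-save format with a single iptables-restore.

# pick_iptables [SBIN_DIR]: print the binary to use, preferring iptables-nft.
pick_iptables() {
    sbin=${1:-/usr/sbin}
    for name in iptables-nft iptables; do
        if [ -x "$sbin/$name" ]; then
            echo "$sbin/$name"
            return 0
        fi
    done
    return 1
}

# emit_ruleset SSH_PORT: print a small constructed filter table in the
# format iptables-save produces. Returns 2 on an invalid port.
emit_ruleset() {
    port=$1
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# load_ruleset SSH_PORT: parse-check with --test, then install in one shot.
# Needs root; <binary>-restore is the restore tool matching the chosen binary.
load_ruleset() {
    ipt=$(pick_iptables) || { echo "no iptables binary found" >&2; return 1; }
    rules=$(emit_ruleset "$1") || return 2
    printf '%s\n' "$rules" | "${ipt}-restore" --test || return 3
    printf '%s\n' "$rules" | "${ipt}-restore"
}
```

Calling emit_ruleset 12500 prints the table for review without touching the kernel; load_ruleset 12500 checks it and installs it.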
Re: [arch-general] Pacman update: new package breaks many dependencies, how to cope
Hello,

These kinds of upgrade issues are documented here whenever they cannot be avoided:

https://www.archlinux.org/news/

Your issue is this one:

https://www.archlinux.org/news/xorg-cleanup-requires-manual-intervention/

where a simple solution is given, too.

Best regards,
nts

On Sat, 8 Feb 2020 at 09:40, Jeanette C. via arch-general wrote:
>
> Hey hey,
> I just tried to update my system. Admittedly, I probably left it a little too
> long.
>
> Now xorgproto apparently breaks a lot of dependencies. This includes dmxproto
> and xproto, which in turn are required by other packages like libgmx or
> libxfont.
>
> Is there an "automated" method of dealing with this kind of dependency
> breakage? I dare not try this by hand. I don't know how many other packages
> would be affected by this.
>
> Best wishes and many thanks,
>
> Jeanette
>
> --
> * Website: http://juliencoder.de - for summer is a state of sound
> * Youtube: https://www.youtube.com/channel/UCMS4rfGrTwz8W7jhC1Jnv7g
> * SoundCloud: https://soundcloud.com/jeanette_c
> * Twitter: https://twitter.com/jeanette_c_s
> * Audiobombs: https://www.audiobombs.com/users/jeanette_c
> * GitHub: https://github.com/jeanette-c
>
> ... About some useless information,
> Supposed to fire my imagination <3
> (Britney Spears)
Re: [arch-general] Many timers now running at boot. How to make them run later?
On Thu, 21 Nov 2019 at 18:13, David C. Rankin wrote:
>
> On 11/21/2019 05:53 AM, Christian Hesse wrote:
> > I've created systemd configuration overlay snippets for this, for example
> > /etc/systemd/system/man-db.timer.d/RandomizedDelaySec.conf:
> >
> > [Timer]
> > RandomizedDelaySec=30min
> >
> > Create a file for every timer you want to delay.
>
> Thank you Ralph & Christian,
>
> I'll do that. Something to just keep them all from firing when I boot would
> be nice.

Can't you make these services depend on another one which you write to start a certain number of minutes after boot?

Regards,
NTS
Re: [arch-general] talkingarch
Dear Adérito,

Have you read our many e-mails and recommendations for you?

Regards
NTS

On Sun, 4 Aug 2019 at 14:28, adérito wrote:
>
> Hello you can help me to install talkingarch send me the commands to install
> talkingarch.
>
> Sent from Mail for Windows 10
>
Re: [arch-general] talking arch
PS: Comunidades Portuguesas de Software Livre:

https://ansol.org/comunidades

There are other lists, too.

KR,
NTS

On Mon, 29 Jul 2019 at 22:01, NTS wrote:
>
> On Mon, 29 Jul 2019 at 18:42, Ralf Mardorf via arch-general
> wrote:
> >
> > On Mon, 29 Jul 2019 15:59:24 +0000, NTS wrote:
> > >There are Arch Linux user groups in many cities around the world.
> >
> > Is there a list available?
> >
> > https://wiki.archlinux.org/index.php/International_communities does
> > only mention two user groups:
>
> The português version of that page:
>
>
> https://wiki.archlinux.org/index.php/International_communities_(Portugu%C3%AAs)
>
> mentions a few português speaking communities but they are in Brazil :-(
>
> I suppose, though, any search for "grupo de linux" or similar and the
> name of a city may lead to results.
>
> Here is one (randomly selected, I do not know Portuguese - nor where
> Adérito lives) at a University (Universidade de Aveiro):
>
> https://glua.ua.pt/
>
> Where there is a group of Linux users meeting regularly there will be
> one with Arch Linux experience for sure - or at least one who can help
> one way or the other.
>
> If those at Aveiro are too far perhaps they can still help or know someone...
>
> I would gladly help myself but I am a very long way away...
>
> Best regards,
>
> NTS
Re: [arch-general] talking arch
On Mon, 29 Jul 2019 at 18:42, Ralf Mardorf via arch-general wrote:
>
> On Mon, 29 Jul 2019 15:59:24 +0000, NTS wrote:
> >There are Arch Linux user groups in many cities around the world.
>
> Is there a list available?
>
> https://wiki.archlinux.org/index.php/International_communities does
> only mention two user groups:

The português version of that page:

https://wiki.archlinux.org/index.php/International_communities_(Portugu%C3%AAs)

mentions a few português speaking communities but they are in Brazil :-(

I suppose, though, any search for "grupo de linux" or similar and the name of a city may lead to results.

Here is one (randomly selected, I do not know Portuguese - nor where Adérito lives) at a University (Universidade de Aveiro):

https://glua.ua.pt/

Where there is a group of Linux users meeting regularly there will be one with Arch Linux experience for sure - or at least one who can help one way or the other.

If those at Aveiro are too far perhaps they can still help or know someone...

I would gladly help myself but I am a very long way away...

Best regards,
NTS
Re: [arch-general] talking arch
Dear Adérito,

Arch Linux is, by design, a Linux distribution specifically for advanced Linux users, not for beginners. Therefore, the installation is more difficult (but also more flexible, if you know what you are doing).

I assume that in the talkingarch variant this is similar, or the same - difficult for beginners of Linux.

I also understand that you still wish to try out this Linux variant, and once it is installed this will be easier than it is now.

It would perhaps be useful to find a user of Arch Linux locally, in your city, who can assist you during installation. There are Arch Linux user groups in many cities around the world.

Kind regards,
NTS

On Mon, 29 Jul 2019 at 12:04, adérito wrote:
>
> Hello, how do I install talkingarch send me the commands or make the install
> script easier.
>
> Sent from Mail for Windows 10
>
Re: [arch-general] firejail and network
Dear Shridhar,

It's a known bug in firejail that has apparently been fixed upstream. Once Arch's maintainer does a pull you may be fine:

https://github.com/netblue30/firejail/issues/1591#issuecomment-334749301

So, it is not you :-)

Have a nice day/night,
NTS

On 10 October 2017 at 03:33, Iván Ruvalcaba via arch-general wrote:
> https://wiki.archlinux.org/index.php/Firejail#Using_Firejail_by_default
> Fingerprint: 49AA 091A CBF9 632E BD99 9BF2 32D9 E18C 3D99 B685
>
> Keybase: https://ivanruvalcaba.keybase.pub/
>
> On Mon, 9 Oct 2017 at 8:03, Herminio Hernandez, Jr. via arch-general
> wrote:
>>
>> Do you just run 'firejail firefox' from the terminal? Do have any custom
>> settings?
>>
>> On Mon, Oct 9, 2017 at 5:47 PM, Shridhar Daithankar <
>> ghodech...@ghodechhap.net> wrote:
>>
>>> Hello,
>>>
>>> For some time, chromium, firefox and qupzilla are unable to reach
>>> network/
>>> internet/dns, if started from firejail.
>>>
>>> When started normally, all of these can reach the network as expected.
>>> So
>>> the
>>> internet link is not the problem.
>>>
>>> Has anybody experienced this? Any pointers to debug?
>>>
>>> Thanks.
>>> --
>>> Regards
>>> Shridhar
>>>
>