Segment fault ../sysdeps/i386/i686/multiarch/strcpy-sse2.S
My Debian is with kernel4.0.0-2-rt-686-pae, andgcc (Debian 4.9.2-10) 4.9.2.
I have a program where it uses strcpy, but when executing (compilation successfully), it throws segment fault. Debugging with gdb, it shows that it goes worng in strcpy function.
_strcpy_sse2 () at ../sysdeps/i386/i686/multiarch/strcpy-sse2.S:2099
2099 ../sysdeps/i386/i686/multiarch/strcpy-sse2.S: No such file or directory.
I wrote a simple program, it also throws segment fault.
#include string.h
#include stdio.h
int main(int argc, char **argv)
{
char *str;
strcpy(str, hello);
printf(say %sn, str);
return 0;
}
How can I fix this problem?
Thanks
Re: laptop protection in an office network
On Sat, August 29, 2015 12:53 am, Riley Baird wrote: On Fri, 28 Aug 2015 23:56:17 -0500 rlhar...@oplink.net wrote: Do I need to take special precautions such as configuring the iptable firewall on my laptop? Is the laptop likely to pick up anything (virus, trojan, or whatever) which could compromise the machines in my own network? Probably not, if you have no network services running on your laptop. On https://wiki.debian.org/Network I find the following list of network services: Printing, Data Base, DHCP, DNS, FTP, LDAP, Mail, Monitoring, NTP, PPP, Remote Display, File sharing, Disk Sharing, SSH, SVN, Web Server, IM, IPSec VPN, Azureus as a daemon I do not recall all the details of the installation, but I did install SSH, printing, and approx. I may have installed NTP and a web server. I did not install mail. The laptop uses DHCP to get an ip address from the router, but DHCP as a network service must have to do with a machine used as a router, correct? Installing again would take only a few hours, most of the time being spent on configuration of the XFCE desktop. RLH
Re: Segment fault ../sysdeps/i386/i686/multiarch/strcpy-sse2.S
Hi,
Dan Richard wrote
char *str; strcpy(str, hello);
You are writing to a random memory location.
The pointer str is not initialized to point to valid
memory, which you would have to allocate previously.
Try instead
char str[100];
strcpy(str, hello);
This is good for strings up to 99 characters plus
trailing 0 as terminator.
If your string length is only predictable at run time
then use dynamic memory allocation
...
#include stdlib.h
...
char *str;
int lstr;
lstr= strlen(argv[1]);
/* maybe check for absurd size */
str= calloc(1, lstr + 1);
if(str == NULL) {
/* bail out with message about lack of memory */;
}
strcpy(str, argv[1]);
(Warning: Written from wetware memory. Not actually tested.
Take this only as sketch for the real code.)
Further reading:
Classic: Kernighan, Ritchie, The C Programming Language
Online: google C language tutorial
Recreational: http://crashworks.org/if_programming_languages_were_vehicles/
Have a nice day :)
Thomas
Re: Segment fault ../sysdeps/i386/i686/multiarch/strcpy-sse2.S
On Sat, 2015-08-29 at 08:54 +0200, Dan Richard wrote:
My Debian is with kernel 4.0.0-2-rt-686-pae, and gcc (Debian 4.9.2
-10) 4.9.2.
I have a program where it uses strcpy, but when executing
(compilation successfully), it throws segment fault. Debugging with
gdb, it shows that it goes worng in strcpy function.
_strcpy_sse2 () at ../sysdeps/i386/i686/multiarch/strcpy-sse2.S:2099
2099../sysdeps/i386/i686/multiarch/strcpy-sse2.S: No such file or
directory.
I wrote a simple program, it also throws segment fault.
#include string.h
#include stdio.h
int main(int argc, char **argv)
{
char *str;
strcpy(str, hello);
printf(say %s\n, str);
return 0;
}
How can I fix this problem?
Thanks
Hi,
You are failing to allocate memory. This sample program should look
something like this:
#include string.h
#include stdio.h
#include malloc.h
int main(int argc, char **argv)
{
char *str;
str = malloc (5);
strcpy(str, hello);
printf(say %s\n, str);
free(str);
return 0;
}
Best,
Lev
signature.asc
Description: This is a digitally signed message part
Re: Segment fault ../sysdeps/i386/i686/multiarch/strcpy-sse2.S
Hi, Lev Lazinskiy wrote: str = malloc (5); malloc(6) or else hello will produce a buffer overflow by its trailing 0. free(str); Yes. This is a good idea when the memory is no longer needed. (Kids: Do this only once per malloc/calloc.) http://crashworks.org/if_programming_languages_were_vehicles/ This is amazing, I have not seen this before. Thanks for sharing :) Google for other old computer jokes. E.g. how to shoot your foot with operating systems / languages and Bastard Operator From Hell. Could not find a good search term for the Blame Diagram. So sifted out of the fog: http://www.astrodigital.org/digital/flowchart.html Have a nice day :) Thomas
Re: Clavier qui se blo. au réveil.
On 29/08/2015 00:27, Charles Plessy wrote: Le Fri, Aug 28, 2015 at 05:42:04PM +0200, maderios a écrit : Quelques pistes pour déboguer l'usb mais il y a certainement d'autres moyens (après la déconnexion de l'usb du clavier) dmesg cat /sys/kernel/debug/usb/devices cat /var/log/debug/ cat /var/log/syslog Voici en pièce jointe la différence pour chaque fichier entre avant et après la veille. On y retrouve le message d'erreur de atkbd, mais rien d'autre ne me saute aux yeux... Bonne fin de semaine, A quoi correspondent ces traces ? +Aug 29 07:17:36 bubu kernel: [ 426.545965] PM: suspend of devices complete after 139.541 msecs +Aug 29 07:17:36 bubu kernel: [ 426.551489] [ cut here ] +Aug 29 07:17:36 bubu kernel: [ 426.551511] WARNING: CPU: 0 PID: 1952 at /home/zumbi/linux-4.1.3/debian/build/source_rt/drivers/gpu/drm/i915/intel_display.c:8263 hsw_enable_pc8+0x639/0x7a0 [i915]() +Aug 29 07:17:36 bubu kernel: [ 426.551512] SPLL enabled +Aug 29 07:17:36 bubu kernel: [ 426.551527] Modules linked in: bnep joydev nfsd auth_rpcgss oid_registry nfs_acl btusb btbcm btintel nfs bluetooth lockd grace fscache sunrpc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core v4l2_common videodev media iTCO_wdt iTCO_vendor_support snd_hda_codec_hdmi nls_utf8 nls_cp437 vfat fat intel_powerclamp intel_rapl iosf_mbi coretemp tpm_infineon kvm_intel kvm arc4 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper efi_pstore ablk_helper cryptd evdev snd_hda_codec_realtek snd_hda_codec_generic iwlmvm psmouse serio_raw pcspkr efivars mac80211 rtsx_pci_ms iwlwifi memstick snd_hda_intel i915 cfg80211 snd_hda_controller drm_kms_helper snd_hda_codec rfkill lpc_ich mei_me i2c_i801 snd_hda_core drm snd_hwdep mei shpchp i2c_algo_bit snd_soc_rt5640 snd_soc_rl6231 snd_soc_core snd_compress snd_pcm snd_timer snd dw_dmac video soundcore dw_dmac_core regmap_i2c snd_soc_sst_acpi i2c_designware_platform i2c_designware_core battery tpm_tis tpm acpi_pad ac wmi button processor fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sg sd_mod rtsx_pci_sdmmc crc32c_intel ahci libahci libata ehci_pci scsi_mod xhci_pci rtsx_pci r8169 ehci_hcd mfd_core mii xhci_hcd usbcore thermal usb_common thermal_sys sdhci_acpi sdhci mmc_core i2c_hid hid +Aug 29 07:17:36 bubu kernel: [ 426.551545] CPU: 0 PID: 1952 Comm: kworker/u16:4 Not tainted 4.1.0-0.bpo.1-rt-amd64 #1 Debian 4.1.3-1~bpo8+1 +Aug 29 07:17:36 bubu kernel: [ 426.551545] Hardware name: VAIO Corporation VJP132/VAIO, BIOS R0220MA 05/06/2015 +Aug 29 07:17:36 bubu kernel: [ 426.551550] Workqueue: events_unbound async_run_entry_fn +Aug 29 07:17:36 bubu kernel: [ 426.551551] a0661e08 81594654 8800a64afc88 +Aug 29 07:17:36 bubu kernel: [ 426.551552] 81077101 88003685 8802432c1ca8 8802432c1cb8 +Aug 29 07:17:36 bubu kernel: [ 426.551553] 8802432c1800 0002 8107719a a066f4fe +Aug 29 07:17:36 bubu kernel: [ 426.551554] Call Trace: +Aug 29 07:17:36 bubu kernel: [ 426.551559] [81594654] ? dump_stack+0x4a/0x89 +Aug 29 07:17:36 bubu kernel: [ 426.551561] [81077101] ? warn_slowpath_common+0x81/0xd0 +Aug 29 07:17:36 bubu kernel: [ 426.551562] [8107719a] ? warn_slowpath_fmt+0x4a/0x50 +Aug 29 07:17:36 bubu kernel: [ 426.551573] [a0609d89] ? hsw_enable_pc8+0x639/0x7a0 [i915] +Aug 29 07:17:36 bubu kernel: [ 426.551579] [a0599e78] ? intel_suspend_complete+0xe8/0x6d0 [i915] +Aug 29 07:17:36 bubu kernel: [ 426.551584] [a059a481] ? i915_drm_suspend_late+0x21/0x90 [i915] +Aug 29 07:17:36 bubu kernel: [ 426.551589] [a059a610] ? i915_pm_poweroff_late+0x40/0x40 [i915] +Aug 29 07:17:36 bubu kernel: [ 426.551590] [81422a9a] ? dpm_run_callback+0x4a/0x180 +Aug 29 07:17:36 bubu kernel: [ 426.551591] [81423370] ? __device_suspend_late+0xa0/0x180 +Aug 29 07:17:36 bubu kernel: [ 426.551592] [8142346e] ? async_suspend_late+0x1e/0xa0 +Aug 29 07:17:36 bubu kernel: [ 426.551594] [810997b3] ? async_run_entry_fn+0x43/0x150 +Aug 29 07:17:36 bubu kernel: [ 426.551596] [810911c6] ? process_one_work+0x146/0x480 +Aug 29 07:17:36 bubu kernel: [ 426.551597] [8109187b] ? worker_thread+0x6b/0x500 +Aug 29 07:17:36 bubu kernel: [ 426.551599] [81091810] ? rescuer_thread+0x310/0x310 +Aug 29 07:17:36 bubu kernel: [ 426.551600] [81096d95] ? kthread+0xc5/0xe0 +Aug 29 07:17:36 bubu kernel: [ 426.551602] [81096cd0] ? kthread_worker_fn+0x1a0/0x1a0 +Aug 29 07:17:36 bubu kernel: [ 426.551604] [81599d32] ? ret_from_fork+0x42/0x70 +Aug 29 07:17:36 bubu kernel: [ 426.551606] [81096cd0] ? kthread_worker_fn+0x1a0/0x1a0 +Aug 29 07:17:36 bubu kernel: [ 426.551607] ---[ end trace 0002 ]--- -- Fabien
Re: Drivers Nvidia (GTX 9X0)- Consejos, recomendaciones o experiencias.
El Viernes, 28 de agosto de 2015 13:52:29 Camaleón Zuk idatzi: Si quieres usar el driver propietario en lugar del libre (recuerda que también puedes usar nouveau aunque parece que aún está un poco verde) yo instalaría el paquete de nvidia (352.41) sin pensarlo, sigue las instrucciones que están muy bien explicadas¹ y listo :-) Tienes muchas nvidia andando Por que dices que esta verde? en que está verde? Me parece que es hablar por hablar Y luego está el hecho que de hay gente que esta trabajando para hacer un driver libre por ingeniería inversa. Y merece la pena usarlo para encontrar los bugs que pueda tener. Es otra forma de contribuir a la comunidad -- Agur bero bat / a greeting BasaBuru BASATU ~ basatia bihur zaitez ~ gako ID gnupg: F9044F8FC64B2544 hatz-aztarna: 13FF 7B28 D999 B957 F837 D566 F904 4F8F C64B 2544 signature.asc Description: This is a digitally signed message part.
Re: Adapter Names on Stretch
On 8/28/2015 11:32 PM, Tixy wrote: On Sat, 2015-08-29 at 10:06 +1200, Chris Bannister wrote: On Fri, Aug 28, 2015 at 10:22:58AM -0500, David Wright wrote: Quoting Ric Moore (wayward4...@gmail.com): From my own experience, if you replace a network card, udev will automagically name it /dev/eth +1 so eth0 becomes eth1. I'm using eth1 right now. Bugs the hell out of me but the network works, :) That's because you didn't clear the previous card's eth0 entry in /etc/udev/rules.d/70-persistent-net.rules before you booted up the new card. I think you can delete the file and it will get regenerated on boot. Well, it used to be that way, probably best to save a copy first in case it doesn't work that way any more. It does on Jessie. Just been bringing up several boards using the same filesystem image and needed to do this myself. Which reminds me, I should add a command to rc.local to delete all udev rules at boot. (Idea is that I can swap out boards if they fail and keep the same disk image - which is on SD card). You can also just delete the udev rule that generates the persistent interface names to begin with. Matt Ventura
Re: Segment fault ../sysdeps/i386/i686/multiarch/strcpy-sse2.S
On Sat, 2015-08-29 at 09:14 +0200, Thomas Schmitt wrote: Recreational: http://crashworks.org/if_programming_languages_were_vehicles/ This is amazing, I have not seen this before. Thanks for sharing :) Best, Lev -- @levlaz | https://levlaz.org signature.asc Description: This is a digitally signed message part
Re: laptop protection in an office network
On Sat, August 29, 2015 2:10 am, Joe wrote: Do you have other Linux machines in your network? If so, use nmap from one of them to see what services your laptop is offering. It is possible to install nmap on Windows, but Windows networking is such a pain these days that I wouldn't trust the results of running it. In particular, Windows AV software is increasingly invasive. If you don't have another Linux machine, you could run a Live CD/USB. My home LAN is all-Debian. The office LAN to which I need to connect is all-Windows. First thing tomorrow I plan to install nmap on this machine, then fire up the laptop and take a look. Thanks. RLH
Scripts init.d et mise à jour vers Jessie
Bonjour, Je vais planifier une mise à jour vers Jessie mais je me pose une question à propos d'un script présent dans /etc/init.d. Il s'agit d'un script de firewall crée par fwbuilder (lancé sur une autre machine et installée sur le serveur par fwbuilder via ssh). Lors d'une précédente mise à jour, j'ai eu des soucis avec ce script : insserv: warning: script '???' missing LSB tags and overrides insserv: There is a loop at service ?? if started insserv: Starting ?? depends on stop-bootlogd and therefore on system facility `$all' which can not be true! Les ?? Sont le nom des applications en question mais je ne me souviens plus lequelles. Il y avait fwbuilder, mediatomb au moins. En ajoutant des en-têtes à mon script /etc/init.d/fwbuilder, ça a fonctionné mais j'ai peur que ça recommence et que mon serveur soit down ! Merci pour toute aide ou piste !
Re: Adapter Names on Stretch
On Sat, 2015-08-29 at 10:06 +1200, Chris Bannister wrote: On Fri, Aug 28, 2015 at 10:22:58AM -0500, David Wright wrote: Quoting Ric Moore (wayward4...@gmail.com): From my own experience, if you replace a network card, udev will automagically name it /dev/eth +1 so eth0 becomes eth1. I'm using eth1 right now. Bugs the hell out of me but the network works, :) That's because you didn't clear the previous card's eth0 entry in /etc/udev/rules.d/70-persistent-net.rules before you booted up the new card. I think you can delete the file and it will get regenerated on boot. Well, it used to be that way, probably best to save a copy first in case it doesn't work that way any more. It does on Jessie. Just been bringing up several boards using the same filesystem image and needed to do this myself. Which reminds me, I should add a command to rc.local to delete all udev rules at boot. (Idea is that I can swap out boards if they fail and keep the same disk image - which is on SD card). -- Tixy
Installer un scanner Mustek
Bonjour, Je Cherche à installer faire reconnaitre mon scanner MUSTEK P3600 A3 Pro Il est reconnu par le système : ID 055f:0401 Mustek Systems, Inc. P 3600 A3 Pro Mais il n'est pas dans les scanners reconnus par sane Je suis sous Debian GNU/Linux 7.8 (wheezy) (64 bits) LXDE J'ai installé entre autres les paquets sane, libsane, sane-utils, xsane, simple-scan J'ai essayé de modifier les fichier etc/sane.d/mustek.conf et mustek_usb.conf avec J'ai aussi essayé la procédure touvée ici http://synergeek.fr/installer-un-scanner-sous-linux J'ai essayé de faire un cabextract sur le pilote windows, mais je n'ai rien trouvé Pour l'instant la solution que j'ai trouvé c'est de scanner à partir d'un windows xp installé sur une virtualbox. À terme, j'aimerai pouvoir l'utiliser directement sur ma debian Merci d'avance pour votre aide :) David.
Re: Adapter Names on Stretch
On Sat, 2015-08-29 at 00:24 -0700, Matt Ventura wrote: On 8/28/2015 11:32 PM, Tixy wrote: On Sat, 2015-08-29 at 10:06 +1200, Chris Bannister wrote: On Fri, Aug 28, 2015 at 10:22:58AM -0500, David Wright wrote: Quoting Ric Moore (wayward4...@gmail.com): From my own experience, if you replace a network card, udev will automagically name it /dev/eth +1 so eth0 becomes eth1. I'm using eth1 right now. Bugs the hell out of me but the network works, :) That's because you didn't clear the previous card's eth0 entry in /etc/udev/rules.d/70-persistent-net.rules before you booted up the new card. I think you can delete the file and it will get regenerated on boot. Well, it used to be that way, probably best to save a copy first in case it doesn't work that way any more. It does on Jessie. Just been bringing up several boards using the same filesystem image and needed to do this myself. Which reminds me, I should add a command to rc.local to delete all udev rules at boot. (Idea is that I can swap out boards if they fail and keep the same disk image - which is on SD card). You can also just delete the udev rule that generates the persistent interface names to begin with. My first thought was that the rule would re-appear if udev package gets updated. But anyway, I grepped /usr for 70-persistent-net.rules and got a hit in /usr/share/doc/libudev1/README.Debian which says: To disable persistent naming of network interfaces, create an empty /etc/udev/rules.d/75-persistent-net-generator.rules file to override the one in /lib/udev/rules.d/ and delete /etc/udev/rules.d/70-persistent-net.rules. So, touch /etc/udev/rules.d/75-persistent-net-generator.rules job done :-) Thanks for the clue. -- Tixy
Re: Installer un scanner Mustek
Le 29/08/2015 09:07, David a écrit : Bonjour, Je Cherche à installer faire reconnaitre mon scanner MUSTEK P3600 A3 Pro [...] il n'est à priori pas dans la liste des scanners supportés par Sane, tant en Stable qu'en Développement. sur le site Sane est toutefois mentionné un driver externe (non testé): http://www.meier-geinitz.de/sane/mustek_a3p1-backend/ qu'il faut semble-t-il compiler, donc il faudra peut-être un peu mettre la main à la pâte vu ue ça date d'il y a 10 ans...
Re: new laptop: DVD or Blu-ray
On 8/28/2015 12:38 AM, Lisi Reisz wrote: On Friday 28 August 2015 06:24:33 Seeker wrote: On 8/27/2015 12:48 PM, Lisi Reisz wrote: Connecting home computers to TVs came _before_ connecting them to monitors. The circle has merely come back to the beginning. Lisi I had a Commodor 64, but did not have the accessories to actually use it like a computer so it was just a game system to me. It was probably 2007-2008 so it wasn't *that* long ago, No - I was referring to c. 1981 when Sinclair launched the ZX81 and Atari launched its home computer (or was that in 1982?). We used TVs for display. 2007 is really recent. Lisi Guess I jumped gears there without giving a clear indication. :-\ 2007-2008 was when I started messing around with getting a computer to work with the TV so we could watch the Australian show. The Commodore 64 was earlier. www.computerhistory.org seems a bit US centric http://www.computerhistory.org/timeline/?category=cmptr and missing some of the European computers, their timeline lists Atari Model 400 and 800 in 1979, Commodore 64 in 1982. Wikipedia shows Sinclair ZX81 in 1981. https://en.wikipedia.org/wiki/ZX81 All I really remember of the Commodore was Jumpman Jr. https://en.wikipedia.org/wiki/Jumpman I didn't have the monitor or floppy drive, we hooked it to the TV. Jumping back to 2007 I see some places on the net that list US NTSC as being 60 on the refresh rate, but it is actually slightly less. The slightly less seemed to be the issue, with the video cards giving a 59 or 60 or maybe only 60 as an option. Currently. Don't know if the better compatibility these days is in the video hardware or the TV hardware, but I suspect it's on the TV side of the equation, maybe a little of both with more people wanting to do the media center thing, computer gaming on the TV, etc... About 3 years ago I did play around with Blu-ray, the drive was old, the software that came with it stopped being updated in 2010. Had 2 movies both released after 2010, initially neither would play, after poking around on the net and finding a firmware update, I could get one of the movies to play. Same result with the included software and VLC. Since then I have seen another solution mentioned in the MythTV mailing list a few times. I think it doesn't allow just watching a movie directly though because they talk about a delay while starting the movie decoding and building up a buffer then watching the buffered content. DVD is only slightly screwed up. With Blu-ray it seems like they did every thing they could to screw it up. Even if you don't care about playing commercial video discs, there is some question of whether you want to spend money supporting a technology that has that much baggage. Later, Seeker
Re: laptop protection in an office network
On Sat, 29 Aug 2015 01:16:35 -0500 rlhar...@oplink.net wrote: On Sat, August 29, 2015 12:53 am, Riley Baird wrote: On Fri, 28 Aug 2015 23:56:17 -0500 rlhar...@oplink.net wrote: Do I need to take special precautions such as configuring the iptable firewall on my laptop? Is the laptop likely to pick up anything (virus, trojan, or whatever) which could compromise the machines in my own network? Probably not, if you have no network services running on your laptop. On https://wiki.debian.org/Network I find the following list of network services: Printing, Data Base, DHCP, DNS, FTP, LDAP, Mail, Monitoring, NTP, PPP, Remote Display, File sharing, Disk Sharing, SSH, SVN, Web Server, IM, IPSec VPN, Azureus as a daemon I do not recall all the details of the installation, but I did install SSH, printing, and approx. I may have installed NTP and a web server. I did not install mail. The laptop uses DHCP to get an ip address from the router, but DHCP as a network service must have to do with a machine used as a router, correct? Installing again would take only a few hours, most of the time being spent on configuration of the XFCE desktop. Do you have other Linux machines in your network? If so, use nmap from one of them to see what services your laptop is offering. It is possible to install nmap on Windows, but Windows networking is such a pain these days that I wouldn't trust the results of running it. In particular, Windows AV software is increasingly invasive. If you don't have another Linux machine, you could run a Live CD/USB. -- Joe
Re: Scripts init.d et mise à jour vers Jessie
Bonjour, Le samedi 29 août 2015 à 10:55, Migrec a écrit : insserv: warning: script '???' missing LSB tags and overrides [...] En ajoutant des en-têtes à mon script /etc/init.d/fwbuilder, ça a fonctionné mais j'ai peur que ça recommence et que mon serveur soit down ! Avant la mise-à-jour, passe en revue chacun des scripts dans « /etc/init.d/ » et vérifie qu'ils contiennent bien les entêtes LSB. Modifie les scripts qui ne sont pas conformes et ça devrait le faire. J'ai deux scripts d'init perso sur deux systèmes différents que j'ai mis à jour en Jessie. Tout s'est bien passé (mais mes scripts on les entêtes LSB nécessaires). Sébastien
Re: laptop protection in an office network
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Aug 29, 2015 at 03:13:59AM -0500, rlhar...@oplink.net wrote: On Sat, August 29, 2015 2:10 am, Joe wrote: Do you have other Linux machines in your network? If so, use nmap from one of them to see what services your laptop is offering. It is possible to install nmap on Windows, but Windows networking is such a pain these days that I wouldn't trust the results of running it. In particular, Windows AV software is increasingly invasive. If you don't have another Linux machine, you could run a Live CD/USB. My home LAN is all-Debian. The office LAN to which I need to connect is all-Windows. Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. hth - - tomás -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlXhnTEACgkQBcgs9XrR2kaUHgCfSQhmUIZaWAbmqA52Sa/wkVdn ThQAn22cOi3CiixWjiNT10CfJKyZbgBU =zSwU -END PGP SIGNATURE-
Re: Drivers Nvidia (GTX 9X0)- Consejos, recomendaciones o experiencias.
El Sábado, 29 de agosto de 2015 06:35:22 Emmanuel Zuk idatzi: Así es, por ahora solo puedo apostar por la versión «oficial» de Nvidia, ya que es la que mejor resultados da en rendimiento y demás. Con noveau, lo veo un poco lejos de corresponder a la calidad de los privativos en que está lejos ??? para que usas la tarjeta? Has probado nouveau y has notado deficiencias? cuales? -- Agur bero bat / a greeting BasaBuru BASATU ~ basatia bihur zaitez ~ gako ID gnupg: F9044F8FC64B2544 hatz-aztarna: 13FF 7B28 D999 B957 F837 D566 F904 4F8F C64B 2544 signature.asc Description: This is a digitally signed message part.
Re: Adapter Names on Stretch
On Sat, 29 Aug 2015 11:19:24 +0100 Lisi Reisz lisi.re...@gmail.com wrote: And as for Glaswegian Many years ago my work sent me for several months to Glasgow; for the first three weeks I could not understand a word of the conversations I could hear going on around me; then one day it clicked, and I understood most of it, apart from the vocabulary that took longer to acquire; (although a good knowledge of the King James was a great help in that direction...) Most of the problem with Scots (and Gleska) for the English is the intonation, which places the emphasis on the end of the words, instead of the beginning as they do in the southern dialects. Cheers, Ron. -- When you have eliminated the impossible, whatever remains, however improbable, must be the truth. -- Sherlock Holmes -- http://www.olgiati-in-paraguay.org --
Re: Scripts init.d et mise à jour vers Jessie
bonjour , alors les tags lsb c'est ### BEGIN INIT INFO # Provides: Teamspeak # Required-Start: $local_fs $network # Required-Stop: $local_fs $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Teamspeak Server # Description: Start Teampspeak Server ### END INIT INFO par-contre debian jessi c'est SystemD et plus SysV j'ai du ré écrire pas mal de scripts de lancement et le firewal j'ai pas encore trouvé du coup si quelq'un connait je suis aussi preneur mon scripts firewal c'est sa |#!/bin/sh| |### BEGIN INIT INFO| |# Provides: Firewall maison| |# Required-Start:$local_fs $remote_fs $network $syslog| |# Required-Stop: $local_fs $remote_fs $network $syslog| |# Default-Start:| |# Default-Stop:| |# X-Interactive: false| |# Short-Description: Firewall maison| |### END INIT INFO| |# Mise à 0| |iptables -t filter -F| |iptables -t filter -X| |echo| |Mise à 0| |# On bloque tout| |iptables -t filter -P INPUT DROP| |iptables -t filter -P FORWARD DROP| |iptables -t filter -P OUTPUT DROP| |echo| |Interdiction| |# Ne pas casser les connexions établies| |iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT| |iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT| |# Autorise le loopback (127.0.0.1)| |iptables -t filter -A INPUT -i lo -j ACCEPT| |iptables -t filter -A OUTPUT -o lo -j ACCEPT| |echo| |Loopback| |# ICMP (le ping)| |iptables -t filter -A INPUT -p icmp -j ACCEPT| |iptables -t filter -A OUTPUT -p icmp -j ACCEPT| |echo| |Ping ok| |# SSH IN/OUT| |iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 1337 -j ACCEPT| |echo| |SSH ok| |# DNS In/Out| |iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT| |iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT| |iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT| |iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT| |echo| |dns ok| |# NTP Out| |iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT| |echo| |ntp ok| |# HTTP + HTTPS Out| |iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT| |# HTTP + HTTPS In| |iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT| |iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT| |iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT| |echo| |http ok| |# FTP Out| |iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT| |# FTP In| |# imodprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH| |iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT| |iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT| |iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT| |echo| |ftp ok| |# Mail SMTP:25| |iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT| |# Mail POP3:110| |iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT| |# Mail IMAP:143| |iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT| |# Mail POP3S:995| |iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT| |iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT| |echo| |mail ok| |# Monit| |iptables -t filter -A INPUT -p tcp --dport 4598 -j ACCEPT| |# Webmin| |iptables -t filter -A INPUT -p tcp --dport 1 -j ACCEPT| |echo| |monitoring ok | Le 29/08/2015 10:55, Migrec a écrit : Bonjour, Je vais planifier une mise à jour vers Jessie mais je me pose une question à propos d'un script présent dans /etc/init.d. Il s'agit d'un script de firewall crée par fwbuilder (lancé sur une autre machine et installée sur le serveur par fwbuilder via ssh). Lors d'une précédente mise à jour, j'ai eu des soucis avec ce script : insserv: warning: script '???' missing LSB tags and overrides insserv: There is a loop at service ?? if started insserv: Starting ?? depends on stop-bootlogd and therefore on system facility `$all' which can not be true! Les ?? Sont le nom des applications en question mais je ne me souviens plus lequelles. Il y avait fwbuilder, mediatomb au moins. En ajoutant des en-têtes à mon script /etc/init.d/fwbuilder, ça a fonctionné mais j'ai peur que ça recommence et que mon serveur soit down ! Merci pour toute aide ou piste !
Re: Suspend-sedation Problem
Re: Another system management tool to disappear.
Hi. On Sat, 29 Aug 2015 11:49:12 +1200 Chris Bannister cbannis...@slingshot.co.nz wrote: On Fri, Aug 28, 2015 at 07:12:32PM +0300, Reco wrote: To: Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it's supposed *to open a new session* and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot concepts from the originating session (tty, cgroup, audit, ...). I'm kind of surprised that the bug was not closed as WONTFIX. su(1) is not a full login, but it's not supposed to provide one anyway. su - name Has always worked fine for me. What's the problem? https://github.com/systemd/systemd/issues/825 says: su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session Why the bug report implies that pam_systemd shoud create a new 'session' (whatever it means by 'session') *and* set some obscure environment variables is beyond me. Especially since su(1) directly says that su should not create session, it should reuse an existing one. Reco
Re: Adapter Names on Stretch
On Saturday 29 August 2015 03:30:18 Gene Heskett wrote: I watched about half of it, but the eu accent made it pretty hard to understand. ;-) Now you know how we feel about American accents. ;-) Especially Texan. Do you find an English accent hard to understand? Most Americans don't. And to be fair, I don't have trouble with New England accents. And I can't understand all EU accents. I can't even understand the various Irish accents. And as for Glaswegian Lisi
Re: Another system management tool to disappear.
On Saturday 29 August 2015 06:18:56 Reco wrote: Hi. On Sat, 29 Aug 2015 11:49:12 +1200 Chris Bannister cbannis...@slingshot.co.nz wrote: On Fri, Aug 28, 2015 at 07:12:32PM +0300, Reco wrote: To: Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it's supposed *to open a new session* and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot concepts from the originating session (tty, cgroup, audit, ...). I'm kind of surprised that the bug was not closed as WONTFIX. su(1) is not a full login, but it's not supposed to provide one anyway. su - name Has always worked fine for me. What's the problem? https://github.com/systemd/systemd/issues/825 says: su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session Why the bug report implies that pam_systemd shoud create a new 'session' (whatever it means by 'session') *and* set some obscure environment variables is beyond me. Especially since su(1) directly says that su should not create session, it should reuse an existing one. Reco Now I am again confused. As the admin for my 4 machine home network, there are things that run as other users, so I'll use amanda, the backup program as an example here. In order to adjust any of its configuration, and do it without mucking with file ownerships permissions, I much first do a sudo -i to make me an immortal root. Then I can either su amanda, or su amanda -c geany filename so that for the duration of that commands execution, I am the user amanda. Some distro's setup a backup group and make amanda a member, but those distro's do not always preserve the amanda tenet of running with just enough permissions to get the job done, so I tend to steer clear and only install from the tarball. My web page in the sig is also on this machine, all running in another users sandbox, so again to manage that, I have to do the 'become root' bit, then edit and keep track of perms with chown/chmod which I can only do with the sudo -i phantom roor. If su goes away, IMNSHO, it will be such a PITA that it will encourage far more people to just give up and run their machines as root full time. And I don't believe for a millisecond that is the effect intended. So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: Another system management tool to disappear.
Hi. On Sat, 29 Aug 2015 08:55:00 -0400 Gene Heskett ghesk...@wdtv.com wrote: On Saturday 29 August 2015 06:18:56 Reco wrote: Hi. On Sat, 29 Aug 2015 11:49:12 +1200 Chris Bannister cbannis...@slingshot.co.nz wrote: On Fri, Aug 28, 2015 at 07:12:32PM +0300, Reco wrote: To: Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it's supposed *to open a new session* and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot concepts from the originating session (tty, cgroup, audit, ...). I'm kind of surprised that the bug was not closed as WONTFIX. su(1) is not a full login, but it's not supposed to provide one anyway. su - name Has always worked fine for me. What's the problem? https://github.com/systemd/systemd/issues/825 says: su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session Why the bug report implies that pam_systemd shoud create a new 'session' (whatever it means by 'session') *and* set some obscure environment variables is beyond me. Especially since su(1) directly says that su should not create session, it should reuse an existing one. Now I am again confused. As the admin for my 4 machine home network, there are things that run as other users, so I'll use amanda, the backup program as an example here. Welcome to the club. I'm confused by this bugreport too. In order to adjust any of its configuration, and do it without mucking with file ownerships permissions, I much first do a sudo -i to make me an immortal root. Then I can either su amanda, or su amanda -c geany filename so that for the duration of that commands execution, I am the user amanda. Some distro's setup a backup group and make amanda a member, but those distro's do not always preserve the amanda tenet of running with just enough permissions to get the job done, so I tend to steer clear and only install from the tarball. My web page in the sig is also on this machine, all running in another users sandbox, so again to manage that, I have to do the 'become root' bit, then edit and keep track of perms with chown/chmod which I can only do with the sudo -i phantom roor. Kind of old-fashioned for my taste (I'd use 'sudo -u' in the first place), but perfectly sane approach. If su goes away, IMNSHO, it will be such a PITA that it will encourage far more people to just give up and run their machines as root full time. And I don't believe for a millisecond that is the effect intended. They provide some systemd-specific kludge instead of su. So it's not that bad. And, given the current systemd adoption rate in Debian, I'd say that we, stable users, have 3-4 years before that machinectl login thing will be available to us. So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Reco
Re: Adapter Names on Stretch
On Saturday 29 August 2015 06:19:24 Lisi Reisz wrote: On Saturday 29 August 2015 03:30:18 Gene Heskett wrote: I watched about half of it, but the eu accent made it pretty hard to understand. ;-) Now you know how we feel about American accents. ;-) Especially Texan. Do you find an English accent hard to understand? Most Americans don't. And to be fair, I don't have trouble with New England accents. TBT it requires a great deal of concentration to get such short clipped speech translated on the fly. Texan is of course a whole nother language to many, but with the rapid fire stacatto gone, every word does get pronounced for a sufficient length of time there isn't much doubt about what was said. And I can't understand all EU accents. I can't even understand the various Irish accents. And as for Glaswegian Chuckle, we have some imports from Minnesota in northern Iowa where I was born raised, that we have referred to as Iowegians. They personally are great folks, firm believers in the credo that if they don't feel like cleaning out the cow barn, they will not ask the hired man to do it either. But the olde english they speak with a Norwegian accent does at times need a translator. :) I am reminded of, I believe it was Winston Churchill who made the quote, England and America, two great countries, separated by a common language. How true it is. Ironic that the same text when read, sounds so much different than it would if the writer read it. The text nature of the internet has served to greatly reduce the inter accent/language barriers immensely. We should give thanks for that. I also should say that as a single language speaker, I didn't go to school long enough to have taken one of the 3 languages offered, I give thanks that the defacto standard language for technical stuff, has over the last 50 years, turned into some form of English, primarily because its evolves with the technology at a faster rate than a really old language such as latin. But some of the manuals for stuff now made in China do suffer greatly when translated. We have for decades suffered thru the poor translations of Japanese we called Engrish, but I find the meanings are still hidden in the prose as if they were trying to draw a picture, requiring a second mental translation before a decent level of comprehension has been achieved. Its there, but I find I have to read that paragraph 4 or 5 times to figure out the real meaning. I think thats a natural thing because most dialects of Chinese and Japanese are in fact pictograph based, where english is not. Lisi The bottom line is that we understand each other quite well in the written word, face to face over our favorite hot beverage is likely a different thing entirely. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: Another system management tool to disappear.
On Sat, Aug 29, 2015 at 12:25 AM, claude juif claude.j...@gmail.com wrote: Hi, 2015-08-28 17:16 GMT+02:00 Renaud OLGIATI ren...@olgiati-in-paraguay.org: Systemd-Linux to get rid of su: https://tlhp.cf/lennart-poettering-su/ Is this a trend to make _all_ the GNU-Linux tools disappear, and have _everything_ incorporated into systemd ? Troll mode: ON What he explains in the blogpost you link make sense. So let's give it a try ;) So, do you mean to say that, when you say the blog post linked to makes sense, you are intending to be trolling? -- Joel Rees Be careful when you look at conspiracy. Arm yourself with knowledge of yourself, as well: http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
Re: Drivers Nvidia (GTX 9X0)- Consejos, recomendaciones o experiencias.
El 28/08/2015 a las 07:52, Camaleón escibió: El Thu, 27 Aug 2015 16:33:45 -0600, Emmanuel escribió: Bueno, iré al grano, quisiera saber quién ha tenido experiencias positivas instalando el driver privativo desde las fuentes originales de Nvidia —la web oficial— a la hora de trabajar con la línea de GTX 9X0. En principio, y salvo causas de fuerza mayor, siempre es recomendable instalar el driver disponible en los repos de Debian para evitar tener que recompilar manualmente el módulo de nvidia al actualizar el kernel. Les comento que he visto varias conversaciones aquí mismo sobre controladores y configuraciones de generaciones previas de estas tarjetas, pero no he visto —quizá no he buscado bien— alguno relacionado directamente al soporte de la familia nueva. Ahora, me he tratado de empapar con el tema, ya que soy nuevo en esa área de las GPUs y demás, así que al menos sé que los controladores «oficiales» de Debian, no dan soporte para la generación nueva. Encontré que la versión mínima era la 346.35 (1*), y Debian ofrece la versión 340.65-2 cuyo soporte llega hasta la generación 8X0 de estas pequeñas. Eso parece. Tampoco el paquete que hay en los backports (340.76) parece que admite esos modelos por lo que si quieres instalar el driver propietario en este caso tendrías que descargarlo de la web de nvidia. Existen los controladores de la versión experimental en la versión 352.30-1, pero dado que es una versión muy superior a la que uso (Jessie up to date) sé que podría ser un problema. Ahora, conozco la salida más «arriesgada» que es actualizar directo desde Nvidia.com y seguir los pasos que dan. No, no conviene que hagas eso con paquetes que incluyen módulos del kernel (como los controladores de las gráficas o virtualbox, por ejemplo) porque se compilan para versiones concretas del kernel. Sé que por ejemplo en Ubuntu se puede agregar un PPA y trabajar más a gusto con estas tarjetas, pero no quiero dejar Debian :-( son muchos años de trabajar a gusto con esta distro, pero quiero tener opiniones o experiencias que me guíen a tomar una decisión. Al menos tengo espacio para Ubuntu en caso de ser la mejor opción y trabajar ambos sistemas, aunque un único config para Debian sería lo óptimo. :-) (...) Si quieres usar el driver propietario en lugar del libre (recuerda que también puedes usar nouveau aunque parece que aún está un poco verde) yo instalaría el paquete de nvidia (352.41) sin pensarlo, sigue las instrucciones que están muy bien explicadas¹ y listo :-) ¹http://us.download.nvidia.com/XFree86/Linux-x86_64/352.41/README/ index.html Saludos, Hola, Camaleón. Gracias por sacar el tiempo de responder. :-) Efectivamente, lo mejor siempre sería trabajar con lo que da la distro, pero por ahora, es imposible, ya que la tarjeta salió este mismo año —no así la arquitectura— por lo que quedó fuera de la congelación de Jessie. Así es, por ahora solo puedo apostar por la versión «oficial» de Nvidia, ya que es la que mejor resultados da en rendimiento y demás. Con noveau, lo veo un poco lejos de corresponder a la calidad de los privativos, por desgracia Nvidia no es que ayude mucho al FOSS y por ahora ocupo rendimiento por sobre libertad... aunque suene algo tétrico. Saludos y muchas gracias.
Re: Another system management tool to disappear.
On Sat 29 Aug 2015 at 08:55:00 -0400, Gene Heskett wrote: [Snip] So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? su is not going away. Please take no notice of the misinformation being spread in the first post and read https://github.com/systemd/systemd/issues/825
Re: Another system management tool to disappear.
On Saturday 29 August 2015 09:24:52 Reco wrote: Hi. On Sat, 29 Aug 2015 08:55:00 -0400 Gene Heskett ghesk...@wdtv.com wrote: On Saturday 29 August 2015 06:18:56 Reco wrote: Hi. On Sat, 29 Aug 2015 11:49:12 +1200 Chris Bannister cbannis...@slingshot.co.nz wrote: On Fri, Aug 28, 2015 at 07:12:32PM +0300, Reco wrote: To: Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it's supposed *to open a new session* and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot concepts from the originating session (tty, cgroup, audit, ...). I'm kind of surprised that the bug was not closed as WONTFIX. su(1) is not a full login, but it's not supposed to provide one anyway. su - name Has always worked fine for me. What's the problem? https://github.com/systemd/systemd/issues/825 says: su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session Why the bug report implies that pam_systemd shoud create a new 'session' (whatever it means by 'session') *and* set some obscure environment variables is beyond me. Especially since su(1) directly says that su should not create session, it should reuse an existing one. Now I am again confused. As the admin for my 4 machine home network, there are things that run as other users, so I'll use amanda, the backup program as an example here. Welcome to the club. I'm confused by this bugreport too. In order to adjust any of its configuration, and do it without mucking with file ownerships permissions, I much first do a sudo -i to make me an immortal root. Then I can either su amanda, or su amanda -c geany filename so that for the duration of that commands execution, I am the user amanda. Some distro's setup a backup group and make amanda a member, but those distro's do not always preserve the amanda tenet of running with just enough permissions to get the job done, so I tend to steer clear and only install from the tarball. My web page in the sig is also on this machine, all running in another users sandbox, so again to manage that, I have to do the 'become root' bit, then edit and keep track of perms with chown/chmod which I can only do with the sudo -i phantom roor. Kind of old-fashioned for my taste (I'd use 'sudo -u' in the first place), but perfectly sane approach. ISTR I read that someplace, tried it, but it needed a root password, which does not exist on any of these machines, hence the two stage approach to getting the job done. If su goes away, IMNSHO, it will be such a PITA that it will encourage far more people to just give up and run their machines as root full time. And I don't believe for a millisecond that is the effect intended. They provide some systemd-specific kludge instead of su. So it's not that bad. I don't recall recognizing that being discussed yet. And, given the current systemd adoption rate in Debian, I'd say that we, stable users, have 3-4 years before that machinectl login thing will be available to us. So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Command not found. Wheezy 32 bit install. Thanks. Reco Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: Another system management tool to disappear.
On Saturday 29 August 2015 09:49:55 Gene Heskett wrote: On Saturday 29 August 2015 09:24:52 Reco wrote: Hi. [...] Kind of old-fashioned for my taste (I'd use 'sudo -u' in the first place), but perfectly sane approach. ISTR I read that someplace, tried it, but it needed a root password, which does not exist on any of these machines, hence the two stage approach to getting the job done. So I just now played some more, and did make it work. Its an option that ought to be better explained in the man page. Thank you, I learned something today. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: [postfix] Añadir cabecera a una copia creada con recipient_bcc_maps
El Sat, 29 Aug 2015 16:53:12 +0200, José Miguel (sio2) escribió: Antes de nada, un saludo a la lista. Me gustaría resulver el siguiente problema con postfix: Pongamos que hay una cuenta (usua...@dominio.com) cuyos mensajes de recepción, aparte de serle entregados, son copiados a una cuenta externa (usua...@gmail.com) que pertenece a la misma persona. Esto sé que se puede resolver usando recipient_bcc_maps. La razón de querer hacer esto es que la cuenta usua...@dominio.com no se revisa habitualmente, mientras que la cuenta usua...@gmail.com, sí. ¿Por qué no creas un alias (desdoblamiento de cuenta) mejor? El problema es que por descuido se puede estar tentado a responder desde usua...@hmail.com, cuando lo suyo es que se responda desde usua...@dominio.com. Así que se me ha ocurrido que sería buena idea añadir una cabecera Reply-To: Este usuario no es el destinatario original no.reply@no.responder a fin de que nunca se produzca este olvido. Sé que puedo resolverlo olvidándome de la parte postfix y haciendo todo esto tras la entrega al usuario (por ejemplo con procmail). Hum... no lo pillo. No creo que sea necesario ya que Postfix no te modificará el Reply-To: que seguirá siendo el destinatario original ¿lo has comprobado? :-? Por otra parte, cuando el usuario de Gmail reciba el correo, ¿qué le impide que responda desde su cuenta Gmail? Los servidores de Gmail no los gestiona tu Postfix. Saludos, -- Camaleón
Re: Another system management tool to disappear.
On 2015-08-29, Reco recovery...@gmail.com wrote: https://packages.debian.org/wheezy/busybox Spooned. https://packages.debian.org/wheezy/busybox-static 'busybox' in Debian is dynamically-linked, which kind of defeats the purpose of the busybox. So - 'busybox-static'. Reco Ah ok.
Re: CD DVD drive docs
Hi, do...@mail.com wrote: Also, should I get a copy of the various coloured books? Orange, Red, etc? Only if you can (*), and are interested in antique CD specs beyond what is told in SCSI volumes MMC-1 to MMC-3. Since MMC-4, CD info is vanishing from MMC. See for a list of topics: https://en.wikipedia.org/wiki/Rainbow_Books (*) They are not simply at sale. A good old university library might have them in the electrical engineering department. i wrote: No lock function and no open(2) flag is really safe. This sounds like bug could you forward or in some way enlighten me as to the facts behind this conclusion? http://libburnia-project.org/browser/libburn/trunk/doc/ddlp.txt It reflects the situation of 2007. Replace in URLs libburnia.pykix.org by libburnia-project.org. I have to leave my computer while it burns because it can't stand another task running and set the speed for DVD to 4x and CD to 10x. Vulnerable are CD-R[W] and DVD-R[W]. You should try to find the culprit who gropes your drive while it is burning. If there is any and if it uses the kernel then btrace(8) should show its activities. Obviously it needs you at the input devices to take this as reason to inspect the CD drive. Another remedy would be to use DVD+R instead of DVD-R. If speed influences the problem, then it is probably rather due to drive-and-media problems. (You aren't using olde IDE disk and burner as master and slave at the same controller, are you ?) Have a nice day :) Thomas
Re: laptop protection in an office network
On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. With synaptic, I see the following Debian packages, but no plain netstat: netstat-nat nicstat vnstat
localhost sin acceso
Saludos, hace un tiempo intente montar un servidor web, de ese intento quedo inutilizado localhost, como puedo volver a habilitar el acceso a localhost,gracias
Re: localhost sin acceso
Podría ser cosa del /etc/hosts/ y ver que tenga lo siguiente: 127.0.0.1 localhost El 29 de agosto de 2015, 12:33, Ricardo Mendoza pgsql...@gmail.com escribió: Saludos, hace un tiempo intente montar un servidor web, de ese intento quedo inutilizado localhost, como puedo volver a habilitar el acceso a localhost,gracias
Re: Another system management tool to disappear.
On 2015-08-29, Gene Heskett ghesk...@wdtv.com wrote: If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Command not found. Wheezy 32 bit install. https://packages.debian.org/wheezy/busybox Spooned.
Re: Another system management tool to disappear.
On Sat, 29 Aug 2015 14:27:37 + (UTC) Curt cu...@free.fr wrote: On 2015-08-29, Gene Heskett ghesk...@wdtv.com wrote: If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Command not found. Wheezy 32 bit install. https://packages.debian.org/wheezy/busybox Spooned. https://packages.debian.org/wheezy/busybox-static 'busybox' in Debian is dynamically-linked, which kind of defeats the purpose of the busybox. So - 'busybox-static'. Reco
Re: CD DVD drive docs
Forgive my absence, my internet connection is intermittent. I tried to contact the kernel devs, no luck so far. It was nice of you to recommend using the digests, but then I can't reply. I tried signing up and got the same reply as before 5.7.1 Hello [74.208.4.201], for your MAIL FROM address do...@mail.com policy analysis reported: Your address is not liked source for email I read the FAQ and it says that they block email addresses in bulk no matter who or what they are (html/asci/rfc/etc). I'll sign up for different services and see if I can get through. Worst case scenario, I set up my own temporary email server and sign up for the digests. Also, should I get a copy of the various coloured books? Orange, Red, etc? On Sat, 22 Aug 2015 14:45:13 + (UTC) Thomas Schmitt wrote: This led to an interesting private discussion with Ted T'so which finally yielded that there is indeed no reliable method in Linux to force exclusive access to a burner drive. No lock function and no open(2) flag is really safe. This sounds like bug could you forward or in some way enlighten me as to the facts behind this conclusion? I've been bitten by this, or so I suspect. I always thought that it was due to the MBs bus being saturated and so the RT wodim burn task was put on hold as a necessity. This occurs independent of media, drive or kernel (2.26.X, 3.X.X,I have not tried 4.X.X) though it manifests much more frequently at higher speeds. As a result, I have to leave my computer while it burns because it can't stand another task running and set the speed for DVD to 4x and CD to 10x. The only error, is that some drives info is in an orange forum, or some such thing, that costs money to get info from. Well, I think I'm at the end of what I can do on this end, I'll play the part of the hydra. I'll hunt this bug down. Don't expect to have this fixed tomorrow though, as I said several posts ago, I'm new to optical media drive tech and though I've always wanted to, I never looked into the kernel's source. When I have something solid I'll hit them with it (so to speak). Thanks, David
Re: Adapter Names on Stretch
Quoting Chris Bannister (cbannis...@slingshot.co.nz): On Fri, Aug 28, 2015 at 10:22:58AM -0500, David Wright wrote: Quoting Ric Moore (wayward4...@gmail.com): From my own experience, if you replace a network card, udev will automagically name it /dev/eth +1 so eth0 becomes eth1. I'm using eth1 right now. Bugs the hell out of me but the network works, :) That's because you didn't clear the previous card's eth0 entry in /etc/udev/rules.d/70-persistent-net.rules before you booted up the new card. I think you can delete the file and it will get regenerated on boot. Well, it used to be that way, probably best to save a copy first in case it doesn't work that way any more. I was being conservative. /etc/udev/rules.d/70-persistent-net.rules may contain other information. I have an Acer laptop that for some reason names the wifi interface as another eth unless I keep a line in there. Cheers, David.
Re: laptop protection in an office network
On Sat, 29 Aug 2015 11:12:07 -0500 rlhar...@oplink.net wrote: On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. With synaptic, I see the following Debian packages, but no plain netstat: netstat-nat nicstat vnstat net-tools is the package which contains netstat, and I would expect it to be a core Debian package. You should have it installed. A number of command-line utilities are part of a larger package. When in doubt, try man utility and the parent package will be named at the end of the text. -- Joe
Re: [postfix] Añadir cabecera a una copia creada con recipient_bcc_maps
El Sat, 29 de Aug de 2015, a las 04:10:52PM +, Camaleón dijo: Ya, quieres que la cuenta que reciba la copia tenga un remitente erróneo pero en ese caso tendrías que modificar también el campo From: me temo, ya que los clientes de correo también lo toman como dirección de respuesta válida (en el RFC correspondiente lo tendrás mejor especificado). Más que erróneo, inexistente. Algo así como no-re...@no-where.com. MIraré a ver qué dice el RFC: mi experiencia con clientes es que si hay From: y Reply-To: los clientes usan la dirección de Reply-To preferentemente. En cuanto a Postfix, mira la documentación de header_checks¹ y address rewriting² teniendo en cuenta que sólo debe afectarle a la copia que reciba la dirección donde se duplican los mensajes manteniendo el otro correo intacto. Creo que ya he dado con la tecla: smtp_header_checks, que se usa para el correo saliente: /^To:.*@midominio.com\b/ PREPEND Reply-To: no-re...@nowhere.com Como el destinatario es una cuenta de mi propio dominio, si el correo está saliendo de mi servidor, es que sale rebotado hacia otra cuenta externa. Un saludo y gracias por el tiempo. -- Como todo al fin se sabe yo he sabido la verdad. --- Muñoz Seca ---
Re: Another system management tool to disappear.
On Saturday 29 August 2015 09:29:47 Brian wrote: On Sat 29 Aug 2015 at 08:55:00 -0400, Gene Heskett wrote: [Snip] So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? su is not going away. Please take no notice of the misinformation being spread in the first post and read https://github.com/systemd/systemd/issues/825 Well, if it did, I wonder how long it will be before someone replaces all that typing with a script named su? There are far more ways to skin that cat than the cats supposedly nine lives can account for. That is not written in jest. I have automated quite a few of the daily ditch digging tasks on this machine so that when something see's a trigger, there's a bash script, launched as a daemon, waiting to handle it, all in the background, often without making me even aware of it. It just gets done. That is after all, one of the things computers should be good at, so I use the heck out of its ability to save me keystrokes or button clicks. For instance, to reply to this mail which showed up already sorted to the correct folder as if by magic, all I have to do is click the correct reply button. And click on send, or ctl+return when I am done. Litterally everything else is done for me by scripts that tie mailfilter and fetchmail, feeding procmail, which in turn checks that mail with spamassassin, clamscan feeds the survivors to /var/spool/mail/$user. The closing of that file triggers another script that tells kmail to go get the new mail from that local inbox. So kmail doesn't go to sleep for 30 seconds while I am in the middle of typing a reply, a fraction of a second is all. Whats not to like? Another furinstance. I have a 30 yo computer setup in the basement that I yet do software development on in the wintertime. I run a java app that hooks it up to this machine, so I can have a file here that looks like a whole drive to that machine, up to 100's of them in fact. Or if I want to print a listing of some of my assembly language scribblings, the printer driver in its os has been swapped out for one that uses one of the channels this java app, called drivewire has, so I list filename /p, and this machine does all the work, spitting out that listing at 19 pages a minute on a small Brother laser printer that actually lives on the desk that computer is sitting on. All tied together with a lng USB cable, and done automatically and 20x faster by this machine. Also much easier to read than the old dot matrix printers that machine once drove. That is what computers are supposed to do. So I have no qualms about making them do it. It gives me more time to be creative in other ways. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
java script error in iceweasel
Hi, I just tried using Jessie with the new Iceweasel. I went to several web sites that worked before and I can't seem to get the java scripts associated with buttons to work. I tried installing java, openjdk and icedtea with no results. Can't supply anymore information other than clean install of Jessie with no saved or restored data used. Went back to Wheezy and everything works. Is there a bug or am I missing something?? I would like to use Jessie, but can't lose the web access. Thanks Harold Meneley
systemd and encrypted partition (was: grub and encrypted partition problem)
Hello list, I am having still the problem that my encrypted partition are not opened at boot and thus cannot be mounted. I believe, it might be a problem with systemd, but i am not experienced with systemd, to have a clue, where to look. IMO this is the related error message of systemd: Aug 29 16:18:16 protheus2 systemd-default-display-manager- generator[200]: */lib/systemd/system/kdm.service is not a systemd unit, we disable th* *rpcbind.target: Dependency Before=rpcbind.target dropped* *[/run/systemd/generator/systemd-cryptsetup@home.service:13] Failed to add required mount for, ignoring: * *open-vm-tools.service: Cannot add dependency job, ignoring: Unit open- vm-tools.service failed to load: N* *display-manager.service: Cannot add dependency job, ignoring: Unit display-manager.service is masked.* *display-manager.service: Cannot add dependency job, ignoring: Unit display-manager.service is masked.* Also I get an error message by creating a new initrd: update-initramfs -u -k all I looked, if /dev/sda8 is in /etc/uswusp.conf, but as it is correct, /dev/sda5 is named in it (which is swap). It would be nice, if someone could give me a clue, how to initialise the crypt related configurations. Thank you very much. Best regards Hans
Re: [postfix] Añadir cabecera a una copia creada con recipient_bcc_maps
El Sat, 29 Aug 2015 19:26:55 +0200, José Miguel (sio2) escribió: El Sat, 29 de Aug de 2015, a las 04:10:52PM +, Camaleón dijo: Ya, quieres que la cuenta que reciba la copia tenga un remitente erróneo pero en ese caso tendrías que modificar también el campo From: me temo, ya que los clientes de correo también lo toman como dirección de respuesta válida (en el RFC correspondiente lo tendrás mejor especificado). Más que erróneo, inexistente. Algo así como no-re...@no-where.com. MIraré a ver qué dice el RFC: mi experiencia con clientes es que si hay From: y Reply-To: los clientes usan la dirección de Reply-To preferentemente. Intenta respetar la normativa. Lo digo porque no sé si el uso de una cuenta inexistente (o que no sea enrutable, del tipo usua...@linux.site) está permitido. En cualquier caso recuerda que Gmail permite las cuentas de tipo usuario+n...@gmail.com que luego puedes filtrar. Y en relación a los campos para el remitente: https://tools.ietf.org/html/rfc2822#section-3.6.2 En cuanto a Postfix, mira la documentación de header_checks¹ y address rewriting² teniendo en cuenta que sólo debe afectarle a la copia que reciba la dirección donde se duplican los mensajes manteniendo el otro correo intacto. Creo que ya he dado con la tecla: smtp_header_checks, que se usa para el correo saliente: /^To:.*@midominio.com\b/ PREPEND Reply-To: no-re...@nowhere.com Como el destinatario es una cuenta de mi propio dominio, si el correo está saliendo de mi servidor, es que sale rebotado hacia otra cuenta externa. Consideraciones: 1/ Con esa regla también se vería afectado el mensaje al remitente original (recuerda que las expresiones regulares de header checks permiten el uso del IF) 2/ Me parece que sólo puede haber un campo Reply-To/From, por lo que considera REPLACE en lugar de PREPEND. Saludos, -- Camaleón
Re: Suspend-sedation Problem
John Hasler wrote: I'm trying to get suspend-sedation working on my Gateway 450SX4 with Jessie installed. Suspend and Hibernate work. I'm following the instructions at https://wiki.debian.org/SystemdSuspendSedation When I close the lid the machine suspends properly and wakes up and runs the script after the timeout. However, it does not hibernate. It executes the else clause, exits, goes back to suspend (expected as the lid is closed) and then repeats, leaving this in the log each time: Jul 30 10:11:36 gateway systemd-sleep[14022]: System resumed. Jul 30 10:11:36 gateway systemd[1]: Requested transaction contradicts existing jobs: File exists Jul 30 10:11:37 gateway sh[14029]: suspend-sedation: Woke up before alarm - normal wakeup. FWIW I had the same problem. This Works For Me™ in Debian Jessie: ExecStart=/usr/sbin/rtcwake --seconds $ALARM_SEC --auto --mode no ExecStop=/bin/sh -c '\ -if [ -z $(cat $WAKEALARM) ]; then \ +ALARM=$(cat $WAKEALARM); \ +NOW=$(date +%%s); \ +if [ $NOW -ge $ALARM ]; then \ echo suspend-sedation: Woke up - no alarm set. Hibernating...; \ systemctl hibernate; \ else \ signature.asc Description: Digital signature
Re: Another system management tool to disappear.
Hi. On Sat, 29 Aug 2015 09:49:55 -0400 Gene Heskett ghesk...@wdtv.com wrote: If su goes away, IMNSHO, it will be such a PITA that it will encourage far more people to just give up and run their machines as root full time. And I don't believe for a millisecond that is the effect intended. They provide some systemd-specific kludge instead of su. So it's not that bad. I don't recall recognizing that being discussed yet. Please read the bugreport. It's all there. https://github.com/systemd/systemd/issues/825 And, given the current systemd adoption rate in Debian, I'd say that we, stable users, have 3-4 years before that machinectl login thing will be available to us. So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Command not found. Wheezy 32 bit install. Obviously for this command to work it's required to install busybox. I'd recommend busybox-static package. Reco
Re: java script error in iceweasel
On Fri, Aug 28, 2015 at 06:47:03AM -0500, Harold M. Meneley wrote: Hi, I just tried using Jessie with the new Iceweasel. I went to several web sites that worked before and I can't seem to get the java scripts associated with buttons to work. I tried installing java, openjdk and icedtea with no results. Can't supply anymore information other than clean install of Jessie with no saved or restored data used. Went back to Wheezy and everything works. Is there a bug or am I missing something?? I would like to use Jessie, but can't lose the web access. Thanks Harold Meneley Java or javascript? Can you give us an example of a problematic site?
Re: logrotate permissions problem
Hi. On Sat, 29 Aug 2015 09:43:27 -0600 D. R. Evans doc.ev...@gmail.com wrote: Ever since the upgrade from wheezy to jessie a few days ago, I have been receiving the following every day: /etc/cron.daily/logrotate: error: error setting owner of /var/log/polipo/polipo.log.1.gz to uid 13 and gid 13: Operation not permitted run-parts: /etc/cron.daily/logrotate exited with return code 1 The directory /var/log/polipo has the permissions: drwxr-sr-x 2 proxy adm 4096 Aug 29 07:39 polipo and right now the contents of that directory look like this: root@homebrew:/var/log/polipo# ls -al total 64 drwxr-sr-x 2 proxy adm4096 Aug 29 07:39 . drwxr-xr-x 19 root root 4096 Aug 29 07:39 .. -rw--- 1 proxy adm 18854 Aug 29 09:11 polipo.log -rw-r- 1 proxy proxy 6025 Aug 26 07:40 polipo.log.1 -rw--- 1 proxy adm 0 Aug 29 07:39 polipo.log.1.gz -rw-r- 1 proxy proxy 255 Aug 25 07:11 polipo.log.2.gz -rw-r- 1 proxy proxy 425 Aug 24 07:11 polipo.log.3.gz -rw-r- 1 proxy proxy 279 Aug 23 07:11 polipo.log.4.gz -rw-r- 1 proxy proxy 328 Aug 22 07:11 polipo.log.5.gz -rw-r- 1 proxy proxy 273 Aug 21 07:11 polipo.log.6.gz -rw-r- 1 proxy proxy 288 Aug 20 07:11 polipo.log.7.gz -rw-r- 1 proxy proxy 166 Aug 19 07:11 polipo.log.8.gz root@homebrew:/var/log/polipo# Does anyone have a suggestion as to what I should do to stop the error message being produced every day? In case it needs to be said: this problem did not exist when I was running wheezy, and I haven't changed anything in the default installation related to logrotate or polipo. I am a bit puzzled as to why no one else seems to have reported this problem. Googling has not helped suggest the cause or the correct fix. Your /etc/logrotate.d/polipo should contain this line: su proxy adm It means that all polipo.log rotation should be done as user proxy with primary group adm. During the rotation polipo.log should be renamed to polipo.log.1 and then it should be gzipped to polipo.log.1.gz. The owner and group of the new file result proxy:adm. Since the original file (polipo.log) owner and group are proxy:proxy - logrotate tries to change group of polipo.log.1.gz to proxy - and fails (since during the rotation the primary group of logrotate is adm, and arbitrary group switching is permitted to root only). The solution of this problem should be as simple as: chgrp adm /var/log/polipo/pol* rm -f /var/log/polipo/polipo.log.1.gz Reco
Re: systemd and encrypted partition (was: grub and encrypted partition problem)
On 2015-08-29 08:23:25 PM, Hans wrote: It would be nice, if someone could give me a clue, how to initialise the crypt related configurations. How did you set up your partitions? Do you use cryptsetup? Did you fill out the relevant entries in /etc/cryptab? What happens if you run cryptdists_start? Yes, I did this command (which I used on all my other computers as well): cryptsetup -c aes-lrw-benbi -y -s 384 luksFormat /dev/sdaX then I opened it with cryptsetup luksOpen /dev/sdaX myname and at last I formatted it with mkfs.ext4 /dev/mapper/myname. In /etc/crypttab I got he correct entry myname UUID=UUID_of_/dev/mapper/mynameblabla none luks,retry=1,cipher=aes- lrb-benbi:sha256 The UUID should be the UUID of the encrypted device (/dev/sdaX above), not the decrypted device (/dev/mapper/myname). Does running the command cryptdisks_start work? AFAIK that is what gets called during startup, so you can check your configuration without rebooting. Hope this helps, MM
Re: laptop protection in an office network
On Sat, August 29, 2015 2:01 pm, Brian wrote: There is much value in mDNS in an office network with CUPS nowadays. Simply out of custom and the influence of the guru who helped me get started in Debian, I use static ip addresses for everything (including the printer) in my LAN, except the laptop. And I routinely connect the laptop with ethernet, rather than via WiFi. And every time I install or reinstall Debian on a machine, one of the first things I do is configure CUPS to use the laser as the default printer for the machine. In view of the fact that the configuration of CUPS takes only two or three minutes, I do not enable sharing of the printer. And all my printing is done locally, on the laser printer. So I do not understand how avahi or mDNS could benefit me with this tiny personal LAN. If it is something which I should be using, please enlighten me. RLH
Re: laptop protection in an office network
On Sat 29 Aug 2015 at 22:18:00 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 20:01:40 +0100 Brian a...@cityscape.co.uk wrote: On Sat 29 Aug 2015 at 21:39:21 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 13:25:28 -0500 rlhar...@oplink.net wrote: On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. Here is the output from the laptop: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name skip # Regrettably, the formatting of the output does not consider the need to include the output in the body of an e-mail, so editing was required to remove excess spaces so as to prevent every line from being wrapped. Something like this should save you from the most troubles provided that you don't plan to use your laptop as a print server or NFS: skip Of course, it's *very* simplistic set of rules (for example, someone may consider accepting ssh connections from arbitrary hosts a bad idea), but it should work. Why does he need any iptables rules? I see nothing at risk there. It seems to me he can be confident his computer is safe. You need to look better. As of now, this laptop: 1) Has NFS portmapper open for no good reason. 2) Has some (possibly badly configured) tcp service port . 3) Has possibly misconfigured SSH (i.e. PasswordAuthentication yes - a bad idea for untrusted network). Covering up such problems with iptables doesn't tackle such problems. Why not fix them at source? Two things I'm unsure of are: 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office network), but YMMV. There is much value in mDNS in an office network with CUPS nowadays. Provided that an office network allows multicasts *and* it's not a all-Windows shop *and* they did not forget to allow dnssd server-side - it's a possibility. Chances for all this are slim IMO. No mDNS then. No printing.
Re: laptop protection in an office network
On Sat 29 Aug 2015 at 14:25:17 -0500, rlhar...@oplink.net wrote: On Sat, August 29, 2015 2:01 pm, Brian wrote: There is much value in mDNS in an office network with CUPS nowadays. Simply out of custom and the influence of the guru who helped me get started in Debian, I use static ip addresses for everything (including the printer) in my LAN, except the laptop. And I routinely connect the laptop with ethernet, rather than via WiFi. And every time I install or reinstall Debian on a machine, one of the first things I do is configure CUPS to use the laser as the default printer for the machine. In view of the fact that the configuration of CUPS takes only two or three minutes, I do not enable sharing of the printer. And all my printing is done locally, on the laser printer. So I do not understand how avahi or mDNS could benefit me with this tiny personal LAN. If it is something which I should be using, please enlighten me. mDNS does nothing nothing for local printers which are not shared. If you think it has no benefit for you in that situation you are correct. But your question was about taking your laptop onto a foreign network. Which goalposts do you want to aim for? What is your point if we take this into account?
Re: laptop protection in an office network
On Sat, 29 Aug 2015 15:42:08 -0500 rlhar...@oplink.net wrote: To get back to the reason I started this thread, my goal is to be able to go into a foreign network (most likely all-Windows, but there always is the possibility that someone is running a Macintosh) and come back home disease-free. You could always get a Raspberry-Pi B ( _NOT_ the 2 recent release) ! ) and install on this the IpFire dedicated firewall distribution; depending on whether you connect by Wifi or Ethernet to the office LAN, you will need a USB Wifi interface, or a USB-to-RJ45 adapter. Just make sure those dont need an unobtainable driver to run under Linux ;-3) Not very bulky, can be run off the laptop USB, easy to configure, and should keep you reasonably safe from the nasties who lurk in the outside darkness Cheers, Ron. PS http://www.ipfire.org/ -- What is a magician but a practising theorist ? -- Obi-Wan Kenobi -- http://www.olgiati-in-paraguay.org --
Re: laptop protection in an office network
On Sat 29 Aug 2015 at 22:58:57 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 20:40:47 +0100 Brian a...@cityscape.co.uk wrote: On Sat 29 Aug 2015 at 22:18:00 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 20:01:40 +0100 Brian a...@cityscape.co.uk wrote: On Sat 29 Aug 2015 at 21:39:21 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 13:25:28 -0500 rlhar...@oplink.net wrote: On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. Here is the output from the laptop: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name skip # Regrettably, the formatting of the output does not consider the need to include the output in the body of an e-mail, so editing was required to remove excess spaces so as to prevent every line from being wrapped. Something like this should save you from the most troubles provided that you don't plan to use your laptop as a print server or NFS: skip Of course, it's *very* simplistic set of rules (for example, someone may consider accepting ssh connections from arbitrary hosts a bad idea), but it should work. Why does he need any iptables rules? I see nothing at risk there. It seems to me he can be confident his computer is safe. You need to look better. As of now, this laptop: 1) Has NFS portmapper open for no good reason. 2) Has some (possibly badly configured) tcp service port . 3) Has possibly misconfigured SSH (i.e. PasswordAuthentication yes - a bad idea for untrusted network). Covering up such problems with iptables doesn't tackle such problems. On the contrary, it does. Since nobody can connect to the problem service from the outside - it's irrelevant whenever the service is secure or not. Why not fix them at source? I dunno. Some people are reluctant to remove stuff. Especially if the stuff in question is installed by Standard task of d-i. Adding stuff on top of standard installation is easier to grasp. I hadn't appreciated that iptables main function is papering over the cracks. Two things I'm unsure of are: 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office network), but YMMV. There is much value in mDNS in an office network with CUPS nowadays. Provided that an office network allows multicasts *and* it's not a all-Windows shop *and* they did not forget to allow dnssd server-side - it's a possibility. Chances for all this are slim IMO. No mDNS then. No printing. Clarification needed. Are you suggesting that disabling Avahi also disables CUPS? It's not true. Are you suggesting that with disabling Avahi CUPS looses ability to print? It's not true too. Or are you suggesting that with Avahi disabled a client is unable to print using *known* CUPS over the network? It's also a false statement. None of these. Bonjour plays a central role in printing over a network. Discarding it as a very useful tool isn't very helpful.
Re: laptop protection in an office network
On Sat 29 Aug 2015 at 22:56:50 +0200, to...@tuxteam.de wrote: On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlhar...@oplink.net wrote: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name -Q -Q Address Quite a mouthful. Other answers very insightful, especially the proposals of blocking the relevant ports via firewall (I'd try the opposite approach though: block every connection from outside except those you explicitly want) tcp 0 00.0.0.0:0.0.0.0:* LIS 561/inetd As others noted: what's inetd doing on ? Do have a look at its config files (somewhere in /etc/inetd.conf). tcp 0 00.0.0.0:111 0.0.0.0:* LIS 530/rpcbind tcp 0 00.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd RPC is typically needed for NFS. If you don't want to mount your laptop's file systems from other machines, it's probably superfluous. So get rid of it. tcp 0 00.0.0.0:22 0.0.0.0:* LIS 568/sshd Common wisdom is to keep that (but to secure it properly, by disabling root logins and possibly passwrd logins). Perhaps you can ssh into your laptop should the UI become unresponsive for some reason (e.g. X botches the graphics card but you still have some running programs you'd want to finalize in an orderly mode). Common wisdom or old-wives tales? He probably has no need for it. Purge. tcp 0 0127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd Are you using your laptop as a print server? If not, the cups-client package might be enough. Its only listening on localhost. What's the problem? cups-client alone is insufficient to print to a printer attached to the machine. tcp 0 0127.0.0.1:5432 0.0.0.0:* LIS 675/postgres tcp 0 0127.0.0.1:250.0.0.0:* LIS 1063/exim4 Database server, mail server. What are they doing? For postgres, you could configure it to just serve over an UNIX domain socket, if the only applications around connect locally. Your call. For exim4 (mail server)... depends on your mail setup. Both are only listening on localhost. Perfectly safe. tcp 0 0127.0.0.1:2628 0.0.0.0:* LIS 599/0 Uh -- what is *this*? A process called 0? Looks really strange to me. tcp6 0 0:::111 :::* LIS 530/rpcbind tcp6 0 0:::38930:::* LIS 540/rpc.statd tcp6 0 0:::22 :::* LIS 568/sshd tcp6 0 0::1:631 :::* LIS 1248/cupsd tcp6 0 0::1:5432:::* LIS 675/postgres tcp6 0 0::1:25 :::* LIS 1063/exim4 Those are IPV6 variants of some of the above. udp 0 00.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r Avahi: this is a service discovery service: your laptop is broadcasting to the network hey, here's a [printer, database, whatnot]. Wanna play with me? That's one of the things I ban from my computer. Broadcating is one thing. Allowing access to a service is another. udp 0 00.0.0.0:631 0.0.0.0:* 647/cups-browsed Here cups is announcing its availability. Down with it :-) CUPS isn't doing anything. Have another go. :)
Re: laptop protection in an office network
On Sun 30 Aug 2015 at 01:22:16 +0300, Reco wrote: On Sat, 29 Aug 2015 23:00:51 +0100 Brian a...@cityscape.co.uk wrote: I hadn't appreciated that iptables main function is papering over the cracks. It's the most common usage of iptables IMO, and, to some extent it's Unix-style. I.e. you don't touch so called base system, you merely write your own kludges around it. I prefer a sensible Debian-style approach without kludges, Close down all unwanted services by purging the relevant packages. IMHO the OP's laptop has no obvious security defects. Take it to work and use it confidently.
Re: Okay thanks michael and tim but.......
On Sat, 29 Aug 2015 15:43:47 -0400 Betterthan You betterthanyou...@gmail.com wrote: My dad restricts me to package games only. So when you said metro redux and those other games i knew i couldent get them. I have seen those games before on youtube but i cant get them myself. (Plus they cost and my dad would never let me). Can you guys tell me games from the synaptic package manager? I'm only 12 so I dont really know what to upload and what not too. Also heres a link to my channel :// www.youtube.com/channel/UCliVN9ANuzm7u4KpxnqWRNg Here's a good way to find package games: 1. Install the debtags package 2. In a terminal, run the command debtags tagsearch game 3. You'll see a list of categories, like game::adventure, game::arcade and game::rpg. 4. If you want to look at the RPG games, for example, you'd run the command debtags search game::rpg. If you want to look at the arcade games, you'd run the command debtags search game::arcade. P.s. I have asked my dad if i could get games from steam but he says no. He doesent trust them on our system beacuse he doesent know who makes the game and who runs steam. Can you please tell me tye anser that way I can make a aurgument up against my dad? I really do want to use steam and alot of my friends use it too. Thanks! Steam is made by Valve Software. You might want to tell your Dad that Debian has a steam package. https://packages.debian.org/stretch/steam pgpWZ32jhp6OP.pgp Description: PGP signature
Re: laptop protection in an office network
On Sat, August 29, 2015 1:39 pm, Reco wrote: Something like this should save you from the most troubles provided that you don't plan to use your laptop as a print server or NFS: I am not sure how print server is defined. I installed CUPS so that I can print to a laser printer in my home network. And if my client gives me a URL which I view on the laptop, it would be nice to be able to bookmark the URL and, once I am back home, bring up and print the web page directly from the laptop. As to NSF, I had to search with google to find the definition. No, on the laptop and in my LAN the only drives accessed are internal, formatted with ext4, and an external USB. iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p udp --dport 123 -j ACCEPT iptables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT ip6tables -A INPUT -p udp --dport 123 -j ACCEPT ip6tables -P FORWARD DROP Of course, it's *very* simplistic set of rules (for example, someone may consider accepting ssh connections from arbitrary hosts a bad idea), but it should work. And I thank you. Two things I'm unsure of are: 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office network), but YMMV. I have been running Debian for thirteen years, but I know absolutely nothing about avahi. It must have been installed by default, or else, perhaps as a dependency of some other package. 2) Whatever thing you're listening for on tcp with inetd. Ah! is the port used by the approx server. Months ago I had to install Debian on a system in another location which had a substandard DSL connection. And whenever I do a Debian netinst, I always use approx, just in case. So that is why I installed approx on the laptop. RLH
[OT] Re: llista de correu, trobades a Catalunya
El 26/08/15 a les 11:05, Aniol Martí ha escrit: Bon dia, Aquests dies concideixen amb el Saló del Manga, no sé si això pot fer que vingui menys gent, almenys jo no podria venir :'(. Salut! Enviat des del mòbil. Això depèn de les preferències de cadascú. Jo no he anat mai al Saló del Manga, tot i haver estat convidat per tres persones diferents i en repetides ocasions, precisament perquè coincidia amb les fires i festes de Sant Narcís. I és que si se'm deixa a triar entre disfressar-me de Son Goku o cantar el Girona m'enamora a les escales de la catedral, l'elecció és més que clara :-) El cas és que sigui qui sigui el cap de setmana que s'escolleixi, hi haurà algun altre acte interessant en un altre punt de Catalunya que algú preferirà abans de venir a aquesta trobada. Jo fixaria una data i només la canviaria en cas que hi hagués un nombre significatiu de persones a qui no li anés bé. Si algú no pot anar a una, mala sort i ja vindrà a la propera; si esperem una data que vagi bé a tothom, no farem mai cap trobada. Ho dic per experiència.
Okay thanks michael and tim but.......
My dad restricts me to package games only. So when you said metro redux and those other games i knew i couldent get them. I have seen those games before on youtube but i cant get them myself. (Plus they cost and my dad would never let me). Can you guys tell me games from the synaptic package manager? I'm only 12 so I dont really know what to upload and what not too. Also heres a link to my channel :// www.youtube.com/channel/UCliVN9ANuzm7u4KpxnqWRNg P.s. I have asked my dad if i could get games from steam but he says no. He doesent trust them on our system beacuse he doesent know who makes the game and who runs steam. Can you please tell me tye anser that way I can make a aurgument up against my dad? I really do want to use steam and alot of my friends use it too. Thanks!
VLC transcode ne fonctionne pas
Bonjour, J'essaie de faire une opération très simple avec VLC 2.2.0~rc2-2+deb8u1 : faire pivoter une vidéo de 90° et enregistrer le résultat. J'ai consulté divers tutoriels sur ce point, par exemple http://www.linternaute.com/hightech/micro/tutoriel-vlc/ J'obtiens toujours un résultat de 0 octets avec un fichier de départ de 8 Mo. Manifestement j'ai un problème de configuration de VLC. J'ai beaucoup testé sans rien trouver. Quelqu'un aurait-il une piste ? Voici le log issu de ma dernière tentative. Il y a d'autres messages très répétitifs à la suite, mais ça semble bloquer dès le démarrage avec l'impossibilité de créer le flux de sortie. Aug 29 21:38:45 pc-jean-debian vlc.desktop[2304]: [00cc9118] core libvlc: Lancement de vlc avec l'interface par défaut. Utilisez « cvlc » pour démarrer VLC sans interface. Aug 29 21:38:47 pc-jean-debian vlc.desktop[2304]: Got bus address: unix:abstract=/tmp/dbus-BVTeCy63Xt,guid=16f5d1f50b424aef1dc0408a55e1ddbf Aug 29 21:38:47 pc-jean-debian vlc.desktop[2304]: Connected to accessibility bus at: unix:abstract=/tmp/dbus-BVTeCy63Xt,guid=16f5d1f50b424aef1dc0408a55e1ddbf Aug 29 21:38:47 pc-jean-debian vlc.desktop[2304]: Registered DEC: true Aug 29 21:38:47 pc-jean-debian gnome-session[1066]: (gnome-shell:1205): mutter-WARNING **: STACK_OP_ADD: window 0x1e3 already in stack Aug 29 21:38:47 pc-jean-debian gnome-session[1066]: (gnome-shell:1205): mutter-WARNING **: STACK_OP_ADD: window 0x1e3 already in stack Aug 29 21:38:47 pc-jean-debian vlc.desktop[2304]: Registered event listener change listener: true Aug 29 21:38:50 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 6 obj: QMenu(0x7f317025d130) Aug 29 21:38:53 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 7 obj: QMenu(0x7f317025d130) Aug 29 21:38:53 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog start. Aug 29 21:38:59 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog end. Aug 29 21:39:02 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 6 obj: QMenu(0x7f317025d130) Aug 29 21:39:03 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 7 obj: QMenu(0x7f317025d130) Aug 29 21:39:04 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog start. Aug 29 21:39:12 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 8008 obj: QObject(0x0) invalid interface! Aug 29 21:39:59 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog end. Aug 29 21:40:02 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 6 obj: QMenu(0x7f317029f7b0) Aug 29 21:40:05 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 7 obj: QMenu(0x7f317029f7b0) Aug 29 21:40:05 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog start. Aug 29 21:40:13 pc-jean-debian gnome-session[1066]: ** (zeitgeist-datahub:1306): WARNING **: recent-manager-provider.vala:132: Desktop file for file:///home/jean/Images/Capture%20d'%C3%A9cran%20de%202015-08-17%2019:26:31.png was not found, exec: gnome-settings-daemon, mime_type: image/png Aug 29 21:40:15 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 6 obj: QMenu(0x7f3170401a10) Aug 29 21:40:16 pc-jean-debian vlc.desktop[2304]: QSpiAccessible::accessibleEvent not handled: 7 obj: QMenu(0x7f3170401a10) Aug 29 21:40:16 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog end. Aug 29 21:40:16 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog start. Aug 29 21:40:16 pc-jean-debian gnome-session[1066]: Window manager warning: Invalid WM_TRANSIENT_FOR window 0x1e00095 specified for 0x1e000ad (Convertir). Aug 29 21:40:30 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog start. Aug 29 21:40:39 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog end. Aug 29 21:40:52 pc-jean-debian gnome-session[1066]: ** (zeitgeist-datahub:1306): WARNING **: recent-manager-provider.vala:132: Desktop file for file:///home/jean/Images/Capture%20d'%C3%A9cran%20de%202015-08-17%2019:26:31.png was not found, exec: gnome-settings-daemon, mime_type: image/png Aug 29 21:40:57 pc-jean-debian vlc.desktop[2304]: FIXME: handle dialog end. Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f314002dce8] ts demux: HDMV registration not implemented for pid 0x1100 type 0x81 Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f3140003e38] core mux error: cannot add this stream Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f3140cbf6a8] core decoder error: cannot create packetizer output (bdpg) Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f3140003e38] core mux error: cannot add this stream Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f3140cb9738] core decoder error: cannot create packetizer output (a52 ) Aug 29 21:40:58 pc-jean-debian vlc.desktop[2304]: [7f3128000db8] x264 encoder: using cpu
Re: laptop protection in an office network
On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. Here is the output from the laptop: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name -Q -Q Address tcp 0 00.0.0.0:0.0.0.0:* LIS 561/inetd tcp 0 00.0.0.0:111 0.0.0.0:* LIS 530/rpcbind tcp 0 00.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd tcp 0 00.0.0.0:22 0.0.0.0:* LIS 568/sshd tcp 0 0127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd tcp 0 0127.0.0.1:5432 0.0.0.0:* LIS 675/postgres tcp 0 0127.0.0.1:250.0.0.0:* LIS 1063/exim4 tcp 0 0127.0.0.1:2628 0.0.0.0:* LIS 599/0 tcp6 0 0:::111 :::* LIS 530/rpcbind tcp6 0 0:::38930:::* LIS 540/rpc.statd tcp6 0 0:::22 :::* LIS 568/sshd tcp6 0 0::1:631 :::* LIS 1248/cupsd tcp6 0 0::1:5432:::* LIS 675/postgres tcp6 0 0::1:25 :::* LIS 1063/exim4 udp 0 00.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r udp 0 00.0.0.0:631 0.0.0.0:* 647/cups-browsed udp 0 00.0.0.0:689 0.0.0.0:* 530/rpcbind udp 0 0127.0.0.1:716 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:57106 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:111 0.0.0.0:* 530/rpcbind udp 0 0192.168.1.99:1230.0.0.0:* 664/ntpd udp 0 0127.0.0.1:123 0.0.0.0:* 664/ntpd udp 0 00.0.0.0:123 0.0.0.0:* 664/ntpd udp 0 00.0.0.0:53530.0.0.0:* 612/avahi-daemon:r udp6 0 0:::689 :::*530/rpcbind udp6 0 0:::43913:::*540/rpc.statd udp6 0 0:::111 :::*530/rpcbind udp6 0 0fe80::ba70:f4ff:fe2:123 :::*664/ntpd udp6 0 0::1:123 :::*664/ntpd udp6 0 0:::123 :::*664/ntpd udp6 0 0:::5353 :::*612/avahi-daemon:r udp6 0 0:::44274:::*612/avahi-daemon:r # Regrettably, the formatting of the output does not consider the need to include the output in the body of an e-mail, so editing was required to remove excess spaces so as to prevent every line from being wrapped. RLH
Re: localhost sin acceso
- Original Message - From: uriel antony ciau To: Ricardo Mendoza Cc: debian-user-spanish Sent: Saturday, August 29, 2015 1:43 PM Subject: Re: localhost sin acceso Podría ser cosa del /etc/hosts/ y ver que tenga lo siguiente: 127.0.0.1 localhost El 29 de agosto de 2015, 12:33, Ricardo Mendoza pgsql...@gmail.com escribió: Saludos, hace un tiempo intente montar un servidor web, de ese intento quedo inutilizado localhost, como puedo volver a habilitar el acceso a localhost,gracias Tus sitios locales los pusiste dentro de /var/www/html Saludos | ISMAEL | Only for the small landowners and Cubans companies Website: www.sisconge.byethost15.com www.sisconge.hol.es
Re: laptop protection in an office network
On Sat 29 Aug 2015 at 21:39:21 +0300, Reco wrote: Hi. On Sat, 29 Aug 2015 13:25:28 -0500 rlhar...@oplink.net wrote: On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. Here is the output from the laptop: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name -Q -Q Address tcp 0 00.0.0.0:0.0.0.0:* LIS 561/inetd tcp 0 00.0.0.0:111 0.0.0.0:* LIS 530/rpcbind tcp 0 00.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd tcp 0 00.0.0.0:22 0.0.0.0:* LIS 568/sshd tcp 0 0127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd tcp 0 0127.0.0.1:5432 0.0.0.0:* LIS 675/postgres tcp 0 0127.0.0.1:250.0.0.0:* LIS 1063/exim4 tcp 0 0127.0.0.1:2628 0.0.0.0:* LIS 599/0 tcp6 0 0:::111 :::* LIS 530/rpcbind tcp6 0 0:::38930:::* LIS 540/rpc.statd tcp6 0 0:::22 :::* LIS 568/sshd tcp6 0 0::1:631 :::* LIS 1248/cupsd tcp6 0 0::1:5432:::* LIS 675/postgres tcp6 0 0::1:25 :::* LIS 1063/exim4 udp 0 00.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r udp 0 00.0.0.0:631 0.0.0.0:* 647/cups-browsed udp 0 00.0.0.0:689 0.0.0.0:* 530/rpcbind udp 0 0127.0.0.1:716 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:57106 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:111 0.0.0.0:* 530/rpcbind udp 0 0192.168.1.99:1230.0.0.0:* 664/ntpd udp 0 0127.0.0.1:123 0.0.0.0:* 664/ntpd udp 0 00.0.0.0:123 0.0.0.0:* 664/ntpd udp 0 00.0.0.0:53530.0.0.0:* 612/avahi-daemon:r udp6 0 0:::689 :::*530/rpcbind udp6 0 0:::43913:::*540/rpc.statd udp6 0 0:::111 :::*530/rpcbind udp6 0 0fe80::ba70:f4ff:fe2:123 :::*664/ntpd udp6 0 0::1:123 :::*664/ntpd udp6 0 0:::123 :::*664/ntpd udp6 0 0:::5353 :::*612/avahi-daemon:r udp6 0 0:::44274:::*612/avahi-daemon:r # Regrettably, the formatting of the output does not consider the need to include the output in the body of an e-mail, so editing was required to remove excess spaces so as to prevent every line from being wrapped. Something like this should save you from the most troubles provided that you don't plan to use your laptop as a print server or NFS: iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p udp --dport 123 -j ACCEPT iptables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT ip6tables -A INPUT -p udp --dport 123 -j ACCEPT ip6tables -P FORWARD DROP Of course, it's *very* simplistic set of rules (for example, someone may consider accepting ssh connections from arbitrary hosts a bad idea), but it should work. Why does he need any iptables rules? I see nothing at risk there. It seems to me he can be confident his computer is safe. Two things I'm unsure of are: 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office network), but YMMV. There is much value in mDNS in an office network with CUPS nowadays. 2) Whatever thing you're listening for on tcp with inetd. Ditto.
Re: laptop protection in an office network
On Sat, August 29, 2015 2:26 pm, Reco wrote: is the port used by the approx server. Months ago I had to install Debian on a system in another location which had a substandard DSL connection. And whenever I do a Debian netinst, I always use approx, just in case. So that is why I installed approx on the laptop. Oh. Then it's definitely should be shielded with iptables. Unless, of course, you plan to provide Debian packages to anyone on your LAN. It would be nice to have approx running and configured on a laptop, in case that I again have need to install Debian outside of my own LAN. But that is not very likely. For installations -- and for updates to machines within the LAN -- I have been running approx on a desktop machine. So I would be willing to uninstall approx on the laptop, if you so advise. Then, again, this is my first encounter with iptables, and I am finding this thread interesting. RLH
Re: laptop protection in an office network
On Sat, August 29, 2015 2:52 pm, Brian wrote: But your question was about taking your laptop onto a foreign network. Which goalposts do you want to aim for? What is your point if we take this into account? When I go into the other guy's office, he takes his windows laptop computer and is going to various web sites to show me this and that (maps, real-estate listings, business web sites, and so forth). And I become frustrated, because we are on opposite sides of the desk, and he controls the keyboard. It is awkward for me to say, let me have the computer for a minute, so that I can show him things which I think are pertinent, important, or interesting. However, if I pack along my own laptop and ethernet cable, it is not awkward to ask permission to plug into his router (or to access his LAN via Wi-FI). Then I can find this or that web site on my machine and show him, as well as bookmarking whatever web sites he shows me. I simply am trying to facilitate communication. In the foreign network I have no need to print, no need to send or receive mail (except perhaps via a webmail interface), no need for ftp. My only need is to browse. RLH
Re: laptop protection in an office network
On Sat, August 29, 2015 3:28 pm, rlhar...@oplink.net wrote: (addendum to my previous post) To get back to the reason I started this thread, my goal is to be able to go into a foreign network (most likely all-Windows, but there always is the possibility that someone is running a Macintosh) and come back home disease-free. Back home, I would like to be able to plug my laptop into my own network, browse and print the web pages which the other guy showed me and I bookmarked, and be confident that in doing so I am not compromising my other machines. RLH
Re: laptop protection in an office network
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlhar...@oplink.net wrote: On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote: Also netstat (issued from your laptop) gives insight. For example 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are root (or sudo, of course), the extra option -p tells you which process is at the other side listening. Note that the dhcp client itself (which you need to get an IP address to take part in your customer's network) puts you already at some risk, depending on how it's configured. Here is the output from the laptop: # netstat -lntup Active Internet connections (only servers) Prot Rec Snd Local AddressForeign State PID/Program name -Q -Q Address Quite a mouthful. Other answers very insightful, especially the proposals of blocking the relevant ports via firewall (I'd try the opposite approach though: block every connection from outside except those you explicitly want) tcp 0 00.0.0.0:0.0.0.0:* LIS 561/inetd As others noted: what's inetd doing on ? Do have a look at its config files (somewhere in /etc/inetd.conf). tcp 0 00.0.0.0:111 0.0.0.0:* LIS 530/rpcbind tcp 0 00.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd RPC is typically needed for NFS. If you don't want to mount your laptop's file systems from other machines, it's probably superfluous. tcp 0 00.0.0.0:22 0.0.0.0:* LIS 568/sshd Common wisdom is to keep that (but to secure it properly, by disabling root logins and possibly passwrd logins). Perhaps you can ssh into your laptop should the UI become unresponsive for some reason (e.g. X botches the graphics card but you still have some running programs you'd want to finalize in an orderly mode). tcp 0 0127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd Are you using your laptop as a print server? If not, the cups-client package might be enough. tcp 0 0127.0.0.1:5432 0.0.0.0:* LIS 675/postgres tcp 0 0127.0.0.1:250.0.0.0:* LIS 1063/exim4 Database server, mail server. What are they doing? For postgres, you could configure it to just serve over an UNIX domain socket, if the only applications around connect locally. Your call. For exim4 (mail server)... depends on your mail setup. tcp 0 0127.0.0.1:2628 0.0.0.0:* LIS 599/0 Uh -- what is *this*? A process called 0? Looks really strange to me. tcp6 0 0:::111 :::* LIS 530/rpcbind tcp6 0 0:::38930:::* LIS 540/rpc.statd tcp6 0 0:::22 :::* LIS 568/sshd tcp6 0 0::1:631 :::* LIS 1248/cupsd tcp6 0 0::1:5432:::* LIS 675/postgres tcp6 0 0::1:25 :::* LIS 1063/exim4 Those are IPV6 variants of some of the above. udp 0 00.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r Avahi: this is a service discovery service: your laptop is broadcasting to the network hey, here's a [printer, database, whatnot]. Wanna play with me? That's one of the things I ban from my computer. udp 0 00.0.0.0:631 0.0.0.0:* 647/cups-browsed Here cups is announcing its availability. Down with it :-) udp 0 00.0.0.0:689 0.0.0.0:* 530/rpcbind udp 0 0127.0.0.1:716 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:57106 0.0.0.0:* 540/rpc.statd udp 0 00.0.0.0:111 0.0.0.0:* 530/rpcbind See above. udp 0 0192.168.1.99:1230.0.0.0:* 664/ntpd udp 0 0127.0.0.1:123 0.0.0.0:* 664/ntpd udp 0 00.0.0.0:123 0.0.0.0:* 664/ntpd Providing time services? udp 0 00.0.0.0:53530.0.0.0:* 612/avahi-daemon:r See above. udp6 0 0:::689 :::*530/rpcbind udp6 0 0:::43913:::*540/rpc.statd udp6 0 0:::111 :::*530/rpcbind udp6 0 0fe80::ba70:f4ff:fe2:123 :::*664/ntpd udp6 0 0::1:123 :::*664/ntpd udp6 0 0:::123 :::*664/ntpd udp6 0 0:::5353 :::*612/avahi-daemon:r udp6 0 0:::44274:::*612/avahi-daemon:r IPV6 variants of some of the above. Regrettably, the formatting of the output does not consider the need to include the output in the body of an e-mail, so editing was required to remove excess spaces so as to prevent every line from being wrapped. I feel your pain :-) I'd disable/uninstall many of those. OTOH, you might need them in other settings, so firewalling them out might be the right choice (and a chance to learn
Re: something at init is taking about 31s to finish
bri...@aracnet.com wrote: it almost looks like something is timing out, and yet the system works fine, so whatever it is that the process is waiting on it doesn't seem to matter. i have a bad feeling it's the dreade ethernet firmware loading thing (just a guess) since that's the message that comes up immediately after the wait finishes. There's no way anyone can help until i can get a trace of what's going on at boot. Jessie or newer? With systemd? systemd-analyze blame Grüße, Sven. -- Sigmentation fault. Core dumped.
Re: Adapter Names on Stretch [OT]
Quoting Gene Heskett (ghesk...@wdtv.com): He may have been, but it wasn't enough that he sent our loaned guns back when the festivities were over in 1945. Instead, they were all collected on a barge, taken out in the middle of the channel, and shoveled overboard. The hunters amd sportsmen of the USA loaned the English those weapons so that the english might have something to defend your land with should the Germans attempt an invasion, with the understanding they would be tracked, and returned to their rightfull owner when no longer needed. I think the idea of tracking small arms in private hands in wartime Britain is a little unlikely, so I tried to follow up this story because I've read it here before. I can find references to an organisation in the US that collected guns and another in Britain that is said to have distributed them. (How? To whom?) However, no mention is made of returning the weapons. Here are a couple of cut-and-pasteable extracts: 'The committee sent an urgent appeal--which appeared in the American Rifleman magazine--for Americans to donate Pistols--Rifles--Revolvers--Shotguns--Binoculars because British civilians, faced with the threat of invasion, desperately need arms for the defense of their homes. 'Thousands of American arms were donated and shipped to the Civilian Committee for the Protection of Homes in Birmingham, sorted for their suitability and from there distributed to members of the LDV. 'Despite the lessons of the preceding years, the British government's anti-gun paranoia remained undiminished and after the disbanding of the Home Guard in 1944, their arms were collected and those not considered suitable for storage as war reserves were disposed of in 1945 and 1946 by dumping them into the North Sea!' and Send a gun to defend a British home. British civilians, faced with the threat of invasion, desperately need arms to the defence of their homes. This committee has organized to collect gifts of pistols, rifles, revolvers, shotguns and binoculars from American civilians who wish to answer the call and aid in defence of British homes. These arms are being shipped with the full consent of the British government, to the Civilian Committee for the Protection of Homes, Birmingham, England. But an interesting thing about the transcribed articles (as opposed to the newspaper cuttings) is that they appear in documents bewailing the folly of British (and, by implication, any) gun control. My grandfather loaned 2 shotguns, top of the line Parkers that at auction today would have a starting bid of at least $2500 each. They were his most prized firearms possessions. He, and several thousand other Americans never saw their weapons again, thanks to Churchill. All the references that I can find use the words donations and gifts, not loans. In one case there is an individual who appears to have used these two organisations to solve the problem of a legal way to ship a gun to his brother in Kent. If it ever got there, perhaps he even got it back! Cheers, David.
Re: laptop protection in an office network
Quoting Gene Heskett (ghesk...@wdtv.com): I found an ACER keyboard that at first seemed to be ideal for such an environment, but one often picks up the keyboard and takes it to the machine so you can see what you are doing much more precisely when doing the setup to run a job. Unfortunately it has rows of extra media keys along the edges, and picking it up without pressing one of those is well nigh impossible. Can you not find out teir codes and redefine them no no-ops or something harmless? (I do this in my window manager.) Cheers, David.
Re: laptop protection in an office network
On Saturday 29 August 2015 22:20:45 rlhar...@oplink.net wrote: On Sat, August 29, 2015 8:33 pm, Gene Heskett wrote: On Saturday 29 August 2015 21:24:47 rlhar...@oplink.net wrote: Forgive me; my fingers are dyslexic. So are mine. They don't type what I tell them to lots of the time. Coulnd't be the accumulated years (nearly 81) could it? Not necessarily. From time to time, I have found a sudden, large increase in the number of typographical errors in the documents which I produce. And several times, investigation has revealed that the problem lies in a worn-out keyboard. Back in the 1960's and 1970's, manufacturers such as Honeywell and Cherry made keyswitches with a life rating in the tens of millions or even hundreds of millions of keystrokes. Nowadays, it is becoming difficult to find a keyboard with a rating in the tens of thousands of keystrokes. Many manufacturers today have a poor keyswitch design which utilizes low-quality plastics; they depend upon a lubricant such as wax to keep the plunger working freely. And when the wax wears away, the plunger begins to stick. And when the plunger does not depress freely, the result is a multitude of typographical errors. RLH One of the things I am always in search of, is a keyboard that will keep on working when its up to the family tools in metallic sawdust, aka swarf. Space is also a premium, and lately I have migrated this machine and my 3 cnc machines to a logitek k360 board, whose key sides are vertical as opposed to the usual tapered side keys, which allow a curlyque of cut steel to follow the key down, and then wedge it down. The K360 helps in that regard tremendously. I found an ACER keyboard that at first seemed to be ideal for such an environment, but one often picks up the keyboard and takes it to the machine so you can see what you are doing much more precisely when doing the setup to run a job. Unfortunately it has rows of extra media keys along the edges, and picking it up without pressing one of those is well nigh impossible. So its back to the K360, with its oddly placed pageup pagedown keys which are normally used to raise or lower the head on a milling machine. It Just Works(TM) if I can get used to the compact layout. ;-) Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: what is the static ip address I assigned to eth0?
Quoting Brian (a...@cityscape.co.uk): On Fri 28 Aug 2015 at 14:45:32 +0300, Reco wrote: On Fri, 28 Aug 2015 12:09:08 +0100 Brian a...@cityscape.co.uk wrote: On Fri 28 Aug 2015 at 10:01:59 +, Curt wrote: On 2015-08-28, David Wright deb...@lionunicorn.co.uk wrote: $ host localhost Host localhost not found: 3(NXDOMAIN) $ ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.032 ms curty@einstein:~$ host localhost localhost has address 127.0.0.1 localhost has IPv6 address ::1 To complete the picture: brian@desktop:~$ dig -x 127.0.0.1 ; DiG 9.9.5-9-Debian -x 127.0.0.1 [...] ;; ANSWER SECTION: 1.0.0.127.in-addr.arpa. 10800 IN PTR localhost. [...] host and dig use only the DNS. Elimar's suggestion to use 'host $(hostname)' will work if hostname is a FQDN. But it shouldn't (or wouldn't) be on a stock Debian system. Not unless said 'stock Debian system' has 'search domain' stanza in /etc/resolv.conf. Does search example.org count? :) What is not understandable (to me) is why 'host localhost' resolves for some but not for others Is it as simple as: routers with a caching nameserver can resolve hostnames (because they've either been told it or issued it) whereas those without can't (even if they issued it with their DHCP server). and why it is thought 'host $(hostname)' should resolve in the DNS. Is it because, having no dots, the router's caching nameserver should not query the external nameservers, but can resolve the name itself, so it does so (à la RFC6761). In my own instance, hostname == domainname (and no search), and my router has no DNS function, only DHCP. Cheers, David.
Re: something at init is taking about 31s to finish
On Sun, 30 Aug 2015 04:25:36 +0200 Sven Hartge s...@svenhartge.de wrote: bri...@aracnet.com wrote: it almost looks like something is timing out, and yet the system works fine, so whatever it is that the process is waiting on it doesn't seem to matter. i have a bad feeling it's the dreade ethernet firmware loading thing (just a guess) since that's the message that comes up immediately after the wait finishes. There's no way anyone can help until i can get a trace of what's going on at boot. Jessie or newer? With systemd? systemd-analyze blame 29.597s networking.service 3.256s systemd-suspend.service aha. So I need to dig deeper into networking.service i've been playing around with systemd-analyze but i can't seem to figure out how to resolve what i'm sure must be the pieces living inside networking.service. Brian
Re: laptop protection in an office network
On 08/29/2015 09:20 PM, rlhar...@oplink.net wrote: On Sat, August 29, 2015 8:33 pm, Gene Heskett wrote: On Saturday 29 August 2015 21:24:47 rlhar...@oplink.net wrote: Forgive me; my fingers are dyslexic. So are mine. They don't type what I tell them to lots of the time. Coulnd't be the accumulated years (nearly 81) could it? Not necessarily. From time to time, I have found a sudden, large increase in the number of typographical errors in the documents which I produce. And several times, investigation has revealed that the problem lies in a worn-out keyboard. Back in the 1960's and 1970's, manufacturers such as Honeywell and Cherry made keyswitches with a life rating in the tens of millions or even hundreds of millions of keystrokes. Nowadays, it is becoming difficult to find a keyboard with a rating in the tens of thousands of keystrokes. Many manufacturers today have a poor keyswitch design which utilizes low-quality plastics; they depend upon a lubricant such as wax to keep the plunger working freely. And when the wax wears away, the plunger begins to stick. And when the plunger does not depress freely, the result is a multitude of typographical errors. RLH What you need is an IBM model M keyboard. They are refurbished and sold by Clicky Keys: http://www.clickykeyboards.com/ as well as some other designs that use prime components. I am using three model M keyboards here, on two desktops and on one in-place laptop. I got these 15 or more years ago, as surplus from office closings, etc. They have never been refurbished and work perfectly, and they will surely be working perfectly long after I'm dead, if some nincompoop doesn't throw them out for not having Windows keys. (You can get a keyboard modifier program to make some hardly-used key into a Win key. I have selected the * above the number block.) You probably don't need the right Windows key--that would be a good key to make into a Compose key, but since I don't have that key either, I use the right ALT key for Compose. Do not be bummed by the price: you buy that once and you will never need another! --doug
Re: Adapter Names on Stretch [OT]
On Sunday 30 August 2015 00:07:44 David Wright wrote: This is quite off topic, and I probably should have just STHU. Quoting Gene Heskett (ghesk...@wdtv.com): He may have been, but it wasn't enough that he sent our loaned guns back when the festivities were over in 1945. Instead, they were all collected on a barge, taken out in the middle of the channel, and shoveled overboard. The hunters amd sportsmen of the USA loaned the English those weapons so that the english might have something to defend your land with should the Germans attempt an invasion, with the understanding they would be tracked, and returned to their rightfull owner when no longer needed. I think the idea of tracking small arms in private hands in wartime Britain is a little unlikely, so I tried to follow up this story because I've read it here before. You may well be correct, but to my grandfather they were loaned. I do know that when they left, each was equipt with a good sturdy tag/label bareing the owners name address, well sealed against the elements. I would suspect that the possibility of a little history rewriting may have been done over the last 70 years to lesson the language from loan to gift. Recall as always, that the history of a war is written by the winners. I can find references to an organisation in the US that collected guns and another in Britain that is said to have distributed them. (How? To whom?) However, no mention is made of returning the weapons. Here are a couple of cut-and-pasteable extracts: 'The committee sent an urgent appeal--which appeared in the American Rifleman magazine--for Americans to donate Pistols--Rifles--Revolvers--Shotguns--Binoculars because British civilians, faced with the threat of invasion, desperately need arms for the defense of their homes. 'Thousands of American arms were donated and shipped to the Civilian Committee for the Protection of Homes in Birmingham, sorted for their suitability and from there distributed to members of the LDV. 'Despite the lessons of the preceding years, the British government's anti-gun paranoia remained undiminished and after the disbanding of the Home Guard in 1944, their arms were collected and those not considered suitable for storage as war reserves were disposed of in 1945 and 1946 by dumping them into the North Sea!' and Send a gun to defend a British home. British civilians, faced with the threat of invasion, desperately need arms to the defence of their homes. This committee has organized to collect gifts of pistols, rifles, revolvers, shotguns and binoculars from American civilians who wish to answer the call and aid in defence of British homes. These arms are being shipped with the full consent of the British government, to the Civilian Committee for the Protection of Homes, Birmingham, England. But an interesting thing about the transcribed articles (as opposed to the newspaper cuttings) is that they appear in documents bewailing the folly of British (and, by implication, any) gun control. My grandfather loaned 2 shotguns, top of the line Parkers that at auction today would have a starting bid of at least $2500 each. They were his most prized firearms possessions. He, and several thousand other Americans never saw their weapons again, thanks to Churchill. All the references that I can find use the words donations and gifts, not loans. In one case there is an individual who appears to have used these two organisations to solve the problem of a legal way to ship a gun to his brother in Kent. If it ever got there, perhaps he even got it back! Cheers, David. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: laptop protection in an office network
On Sat, August 29, 2015 8:33 pm, Gene Heskett wrote: On Saturday 29 August 2015 21:24:47 rlhar...@oplink.net wrote: Forgive me; my fingers are dyslexic. So are mine. They don't type what I tell them to lots of the time. Coulnd't be the accumulated years (nearly 81) could it? Not necessarily. From time to time, I have found a sudden, large increase in the number of typographical errors in the documents which I produce. And several times, investigation has revealed that the problem lies in a worn-out keyboard. Back in the 1960's and 1970's, manufacturers such as Honeywell and Cherry made keyswitches with a life rating in the tens of millions or even hundreds of millions of keystrokes. Nowadays, it is becoming difficult to find a keyboard with a rating in the tens of thousands of keystrokes. Many manufacturers today have a poor keyswitch design which utilizes low-quality plastics; they depend upon a lubricant such as wax to keep the plunger working freely. And when the wax wears away, the plunger begins to stick. And when the plunger does not depress freely, the result is a multitude of typographical errors. RLH
Re: laptop protection in an office network
On Sun, August 30, 2015 10:42 pm, Doug wrote: What you need is an IBM model M keyboard. They are refurbished and sold by Clicky Keys: http://www.clickykeyboards.com/ (You can get a keyboard modifier program to make some hardly-used key into a Win key. I have selected the * above the number block.) You probably don't need the right Windows key--that would be a good key to make into a Compose key, but since I don't have that key either, I use the right ALT key for Compose. This is a Windows-free environment (except for a Windows machine which I keep in the closet but hardly ever turn on anymore). Besides, I use the Dvorak Classic keymap. Thanks; these look good. RLH
Re: laptop protection in an office network
On Sunday 30 August 2015 00:38:49 David Wright wrote: Quoting Gene Heskett (ghesk...@wdtv.com): I found an ACER keyboard that at first seemed to be ideal for such an environment, but one often picks up the keyboard and takes it to the machine so you can see what you are doing much more precisely when doing the setup to run a job. Unfortunately it has rows of extra media keys along the edges, and picking it up without pressing one of those is well nigh impossible. Can you not find out teir codes and redefine them no no-ops or something harmless? (I do this in my window manager.) Cheers, David. That thought crossed my mind, very fleetingly though as it was a PS2 wired keyboard, and the cord as always, was about 4 feet too short. I have the workstation, monitor etc that runs it about 4 feet away just to help keep that area clean. Clean however is relative. ;-) The air hose gets used, frequently. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: Too many system names
Quoting Jochen Spieker (m...@well-adjusted.de): David Wright: Quoting Jochen Spieker (m...@well-adjusted.de): Where's the problem in Apache using your router's DNS? Is it just that the router doesn't resolve unqualified names (supercrunch without the domain)? I didn't know bog-standard domestic routers ran a DNS server. I think all of them do. They have simple caching-only DNS servers that just ask your ISP's DNS resolver for all but local hostnames. Your computers should request an IP address and at the same time register what they think is their local hostname on the router (all via DHCP). Yes, all that happens. I have the same hostname written in three places: 1) the router, which has a list of IP#s/device names/MAC addresses in order that it always issues the same IP# for a given device via (DHCP), 2) /etc/hosts: 127.0.1.1 here or 192.168.1.N elsewhere, 3) wicd configuration. This way your router's DNS server should be able to resolve local hostnames for other clients, rendering your editing of hosts files unnecessary. Yes, but a bog-standard one doesn't appear to have even a simple caching-only DNS server, only a DHCP one. Usually your router also tells the DHCP clients the name of the network they are in. My AVM Fritzbox (German manufacturer) hands out .fritz.box which I find so horrible that I run a separate DNS/DHCP server (dnsmasq) on another box. At some time IIRC Debian put localnet 192.168.1.0 into /etc/networks but I'm not sure if that's still true. Hosts that have that line may be cruft-laden as a result of being upgraded over several distributions (squeeze is now my earliest dist origin.) I thought they just asked the external nameservers, either set up automatically from the ISP or manually configured if using public ones. That plus resolution of local hostnames. ... if they themselves run a nameserver. Using an IP address as ServerName is odd. You have to use the hostname that you want to use in URLs here. The latter seems odd, seeing as the first thing you would normally do with a hostname is look it up and turn it into an IP address. Yes, but most people are better at remembering names than IP addresses and the lookup is performed automatically whenever you use it. (Tell me about it! That's why I've always argued that the Grub scripts ought to treat LABELs on a par with UUIDs as they're much easier for humans to handle.) How often do you open http://173.194.116.166 in order to go to Google? Or, god forbid, http://[2a00:1450:4001:80e::1009] (in case you already have IPv6)? Never, for google etc. That was not my point, which was that the first thing *computers* do is look up the IP#. I think you'd be surprised if your browser *couldn't* handle, say, http://173.194.115.80/ but *could* handle http://www.google.com/. (However, my computers all have Acquire::http::Proxy http://192.168.1.19:3142/;; in /etc/apt/apt.conf because at installation time they have no way of looking up that computer's hostname.) So why would 127.0.0.1 be any odder than localhost? My browsers are quite happy with any of http://localhost:3142/acng-report.html http://127.0.0.1:3142/acng-report.html http://192.168.1.19:3142/acng-report.html http://alum:3142/acng-report.html http://127.0.1.1:3142/acng-report.html I don't know how you have your LAN configured. I use DHCP from the router, which assigns fixed IP#s by MAC address. That way, I can list my own hosts in /etc/hosts and avoid needing a DNS server to resolve their names: 127.0.0.1 localhost 127.0.1.1 thishost 192.168.1.1 router 192.168.1.11otherhosta 192.168.1.12otherhostb 192.168.1.31HP0C00E0hp8000 … and you have to keep that file in sync on all hosts. I use DHCP as well and make sure my clients send their hostname when requesting an IP address vie DHCP. Debian does this automatically. Then all clients in the local network can resolve their names just fine and I don't need to edit hosts files. Obviously you have something which many people don't have. So I can't do it that way. I do use fixed IPs for a few hosts as well, but mostly because I use port forwardings or local services that I want to bind to a specific address. But this is just a configuration on the DHCP server and nothing I have to repeat on all boxes in my network. All my hosts (and the TVs/Roku boxes/printers.mobiles) have fixed IP#s set by the router as at (1) above. If this sounds as if I had an awful lot of computers: no, I don't think so. It's just an awful lot of, well, _devices_ with wired/wireless networking capability: Yes, likewise. 14 MAC addresses in the router, a slightly different mix. [...] Yes, I may be guilty of overengineering a few things. But I now spend considerably less time with this than a few years ago and I think this is related to the way I have set things up. I use scripts to configure my Debian systems so it's
Re: laptop protection in an office network
On Sat, August 29, 2015 3:56 pm, to...@tuxteam.de wrote: tcp 0 00.0.0.0:0.0.0.0:* LIS 561/inetd As others noted: what's inetd doing on ? Do have a look at its config files (somewhere in /etc/inetd.conf). As I noted previously, port is the approx server; there is a line for it in /etc/inetd.conf: #:OTHER: Other services stream tcp nowait approx /usr/sbin/approx /usr/sbin/approx tcp 0 00.0.0.0:22 0.0.0.0:* LIS 568/sshd Common wisdom is to keep that (but to secure it properly, by disabling root logins and possibly passwrd logins). Perhaps you can ssh into your laptop should the UI become unresponsive for some reason (e.g. X botches the graphics card but you still have some running programs you'd want to finalize in an orderly mode). On the desktop, I do use screen over ssh to access another desktop, but I can do without ssh access to the laptop. tcp 0 0127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd Are you using your laptop as a print server? If not, the cups-client package might be enough. Then should I unistall the cups-daemon and cups-server-common packages? tcp 0 0127.0.0.1:5432 0.0.0.0:* LIS 675/postgres tcp 0 0127.0.0.1:250.0.0.0:* LIS 1063/exim4 Database server, mail server. What are they doing? For postgres, you could configure it to just serve over an UNIX domain socket, if the only applications around connect locally. Your call. For exim4 (mail server)... depends on your mail setup. I thought that I had left mail unconfigured, but perhaps not. tcp 0 0127.0.0.1:2628 0.0.0.0:* LIS 599/0 Uh -- what is *this*? A process called 0? Looks really strange to me. 2628 turns out to be the port for the dictionary server; I am using localhost as the server. udp 0 0192.168.1.99:1230.0.0.0:* 664/ntpd udp 0 0127.0.0.1:123 0.0.0.0:* 664/ntpd udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd Providing time services? No. I simply was trying to make the laptop synchronize its clock whenever it connects to the Internet. It appears that the package ntpdate is adequate for a laptop, and that is the package I should have installed; but I installed package ntp, which obviates the need for ntpdate. I'd disable/uninstall many of those. OTOH, you might need them in other settings, so firewalling them out might be the right choice (and a chance to learn iptables :-) At this point, I think that I should make a fresh installation, keeping in mind the comments which you and others have made. RLH
Configure Postfix *as* a smart host?
I have an instance of Wheezy running on a VPS (for years) and only now have decided I want to take advantage of the possibility of using it as a smarthost for my home machines, instead of what my cable company makes available, which I confess works just fine. For example, I have a Jessie system here at home running Alpine, which is very flexible in how one may specify an SMTP host. Of course, I don't need authentication (or the submit port) to use my cable company's smarthost. But when I point alpine at my VPS for smtp services (as it were) it tells me that authentication is not offered, this despite my following to the letter (or so I thought) the directions for setting up SASL on Postfix. I have cleared the way for port 587 both ways on both the VPS and on my home router. Here's what happens (with phonied-up data): $ telnet boris.fuzzywuzzy.com 587 Trying 12.34.123.123... Connected to boris.fuzzywuzzy.com. Escape character is '^]'. 220 boris.fuzzywuzzy.com ESMTP Postfix (Debian/GNU) ^] telnet quit Connection closed. Not a hint of the Postfix config I've done, under the inspiration, mostly, of this page: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html Extra-Credit question: why does debian ship postfix with an empty /etc/postfix/sasl directory? Thanks, -- Bob Bernstein
Re: Another system management tool to disappear.
On Saturday 29 August 2015 10:39:07 Reco wrote: Hi. On Sat, 29 Aug 2015 09:49:55 -0400 Gene Heskett ghesk...@wdtv.com wrote: If su goes away, IMNSHO, it will be such a PITA that it will encourage far more people to just give up and run their machines as root full time. And I don't believe for a millisecond that is the effect intended. They provide some systemd-specific kludge instead of su. So it's not that bad. I don't recall recognizing that being discussed yet. Please read the bugreport. It's all there. https://github.com/systemd/systemd/issues/825 And, given the current systemd adoption rate in Debian, I'd say that we, stable users, have 3-4 years before that machinectl login thing will be available to us. So, if su goes away, how do I accomplish those tasks in a suitable manner that will not bore a hole in the user sandbox? If it comes to this (i.e 'su' will go away) - I just use busybox (which has perfectly working implementation of su without the fancy bits). I.e. busybox su - Command not found. Wheezy 32 bit install. Obviously for this command to work it's required to install busybox. I'd recommend busybox-static package. Reco Installed it, suid problems: gene@coyote:~$ busybox su amanda su: must be suid to work properly gene@coyote:~$ busybox su - su: must be suid to work properly Is it still finding the system su first? Thanks Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: laptop protection in an office network
On Saturday 29 August 2015 15:05:57 rlhar...@oplink.net wrote: On Sat, August 29, 2015 1:39 pm, Reco wrote: Something like this should save you from the most troubles provided that you don't plan to use your laptop as a print server or NFS: I am not sure how print server is defined. I installed CUPS so that I can print to a laser printer in my home network. And if my client gives me a URL which I view on the laptop, it would be nice to be able to bookmark the URL and, once I am back home, bring up and print the web page directly from the laptop. As to NSF, I had to search with google to find the definition. No, on the laptop and in my LAN the only drives accessed are internal, formatted with ext4, and an external USB. NSF is incorrect, its NFS, aka Network File System. iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p udp --dport 123 -j ACCEPT iptables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT ip6tables -A INPUT -p udp --dport 123 -j ACCEPT ip6tables -P FORWARD DROP Of course, it's *very* simplistic set of rules (for example, someone may consider accepting ssh connections from arbitrary hosts a bad idea), but it should work. And I thank you. Two things I'm unsure of are: 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office network), but YMMV. I have been running Debian for thirteen years, but I know absolutely nothing about avahi. It must have been installed by default, or else, perhaps as a dependency of some other package. 2) Whatever thing you're listening for on tcp with inetd. Ah! is the port used by the approx server. Months ago I had to install Debian on a system in another location which had a substandard DSL connection. And whenever I do a Debian netinst, I always use approx, just in case. So that is why I installed approx on the laptop. RLH Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
something at init is taking about 31s to finish
it almost looks like something is timing out, and yet the system works fine, so whatever it is that the process is waiting on it doesn't seem to matter. i have a bad feeling it's the dreade ethernet firmware loading thing (just a guess) since that's the message that comes up immediately after the wait finishes. There's no way anyone can help until i can get a trace of what's going on at boot. Can someone point me to the appropriate log files or tell me how to generate them ? Thanks, Brian
Re: Adapter Names on Stretch
On Saturday 29 August 2015 17:35:28 Lisi Reisz wrote: On Saturday 29 August 2015 14:34:40 Gene Heskett wrote: On Saturday 29 August 2015 06:19:24 Lisi Reisz wrote: On Saturday 29 August 2015 03:30:18 Gene Heskett wrote: I watched about half of it, but the eu accent made it pretty hard to understand. ;-) Now you know how we feel about American accents. ;-) Especially Texan. I am reminded of, I believe it was Winston Churchill who made the quote, England and America, two great countries, separated by a common language. quote England and America are two countries separated by a common language. George Bernard Shaw Irish dramatist socialist (1856 - 1950) /quote http://www.quotationspage.com/quote/897.html Quips are usually quotes from either Wilde or Shaw. Churchill was, of course, half American. Lisi Thanks for clarifying the attribution. He may have been, but it wasn't enough that he sent our loaned guns back when the festivities were over in 1945. Instead, they were all collected on a barge, taken out in the middle of the channel, and shoveled overboard. The hunters amd sportsmen of the USA loaned the English those weapons so that the english might have something to defend your land with should the Germans attempt an invasion, with the understanding they would be tracked, and returned to their rightfull owner when no longer needed. My grandfather loaned 2 shotguns, top of the line Parkers that at auction today would have a starting bid of at least $2500 each. They were his most prized firearms possessions. He, and several thousand other Americans never saw their weapons again, thanks to Churchill. There are long memories, and there are lessons learned. It would not happen again today even if my cabinet is about average I could spare one... That is absolutely no reflection on you personally Lisi. But I don't trust my government, nor yours, to ever do the right thing. And that is indeed a sad state of affairs. Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
Re: localhost sin acceso
no tengo idea El 29 de agosto de 2015, 16:46, Walter Reverdito kronno...@gmail.com escribió: Esta permitido en el apache o en el .htaccess? El sáb., 29 de agosto de 2015 15:12, Ricardo Mendoza pgsql...@gmail.com escribió: el problema esta en el acceso a la direccion localhost en el url del navegador, cuando intento cargar paginas que estan ubicadas en /var/ww/. El 29 de agosto de 2015, 12:48, Camaleón noela...@gmail.com escribió: El Sat, 29 Aug 2015 12:33:11 -0500, Ricardo Mendoza escribió: (ese html...) Saludos, hace un tiempo intente montar un servidor web, de ese intento quedo inutilizado localhost, como puedo volver a habilitar el acceso a localhost,gracias ¿En qué sentido quedó inutilizado? Si explicas un poco más lo que sucede y lo que quieres hacer, mejor :-) Saludos, -- Camaleón
Re: laptop protection in an office network
On Sat, August 29, 2015 7:35 pm, Gene Heskett wrote: NSF is incorrect, its NFS, aka Network File System. Forgive me; my fingers are dyslexic. RLH -- Bumper Sticker: DYSLEXICS UNTIE!
Re: laptop protection in an office network
On Saturday 29 August 2015 21:24:47 rlhar...@oplink.net wrote: On Sat, August 29, 2015 7:35 pm, Gene Heskett wrote: NSF is incorrect, its NFS, aka Network File System. Forgive me; my fingers are dyslexic. RLH So are mine. They don't type what I tell them to lots of the time. Coulnd't be the accumulated years (nearly 81) could it? Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene
