Re: Server hardware advice.

2019-08-07 Thread deloptes
Steven Mainor wrote:

> I would say a server is any piece of software or hardware that serves data
> to other devices.
> 

Well, strictly speaking, two different things are referred to as a server:
hardware
software

In your case you are talking about buying hardware - correct? And if you
intend to use a PC, then the correct wording for this would be

A second hand PC that will be used as a home server.

> I have run an apache2/mariadb/php server from an old laptop with a
> headless LTS Linux for over two years without issue.
> 
> Surely you aren't saying only a rack mounted 64 core monstrosity with a TB
> of ram is qualified to be called a "server"
> 

On hardware level - yes. Any PC can be used as a server, but it is still not
a server from HW POV. There are many many technical details that make the
difference, like memory channels, caches etc.

> For my needs, I doubt anything more than a modern single board computer is
> necessary. At least as far as compute power is concerned.

Yes, any modern PC would work. What was suggested is that you take one with
enough CPU and RAM. I think today one could get 4-8 CPUs with 16-32GB of
RAM at a fair price.

Do not underestimate the disks. I had a terrible experience with PC style
drives. Take NAS style hard drives like the WD Red. You really want to use
RAID there and all other drives I have been using in the past had to be
replaced either because they failed or because the latency was
unacceptable. I had Seagate Barracuda, WD Green and WD Blue. A fellow sys
admin told me they use WD Red and indeed the 2TB WD Red are very reliable,
but not the bigger ones - amazing what one should know. So I replaced all
the drives over the years with WD Red 2TB. I use RAID1.

I built a backup server recently out of an older Intel DG45FC board I bought
with CPU for ~100,- some years ago, again with WD Red 2TB in RAID5, so that
there is 6TB now.

What I want to say is that not every fairly modern PC works, because you
want to attach at least two disks to build a RAID - the more SATA
connectors you have - the better.





Re: How free is Debian

2019-08-07 Thread deloptes
Shahryar Afifi wrote:

> Very well said. If debian free is not using amd64 microcode, so what
> kernel module runs my cpu as 64bit?

I was thinking the CPU is running and not something else running the CPU.
I do not think you need something special to run 64bit CPU as such.



Re: How free is Debian

2019-08-07 Thread deloptes
Joe Pfeiffer wrote:

> You may not reverse engineer, decompile, or disassemble this
> Software or any portion thereof.

The irony here is that AMD started by reverse engineering Intel.

And unfortunately the US has been protecting monopoly and fake competition
for years.
Such things as Microsoft, Apple and Google should not exist, not to speak of
Intel, IBM and many other monsters. Amazon, Uber ... many many of them - it
is cancer.
Some time ago I read a good article on why the Patent Law should change, but I
forgot where I found the article. The problems are in the patent law, as I
understood the article

regards



Re: How free is Debian

2019-08-07 Thread David Wright
On Wed 07 Aug 2019 at 17:33:52 (-0700), Shahryar Afifi wrote:
> With respect to all the contributors, developers, hobbyist and users,
> who made GNU/Linux and Debian and all other distributions possible,
> here lies a humble, ignorance and yet curious question.
> 
> Are all binaries in the kernel code were writing from scratch? Are
> there any binary blobs in the kernel that it was given to developers?
> If amd64 license is not free, how is it that we have amd64 microcode in
> the debian free?

It isn't free; look:

Package: amd64-microcode
Version: 3.20160316.3
Installed-Size: 68
Maintainer: Henrique de Moraes Holschuh 
Architecture: amd64
Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
Breaks: intel-microcode (<< 2)
Description: Processor microcode firmware for AMD CPUs
Description-md5: 093f190e183c7cfeca05b52ecd2116e3
Section: non-free/admin
 
Priority: extra
Filename: pool/non-free/a/amd64-microcode/amd64-microcode_3.20160316.3_amd64.deb
   
Size: 31116
MD5sum: 7056e449d8bac87d85a4e434379d0e6e
SHA256: f7bddaf712ffaa833ff65ef94bdd86720d55c2c56ae982c3db58181bbe70f147

> and if they are not the same, are we using the full
> potential of our hardware?

Cheers,
David.



Re: How free is Debian

2019-08-07 Thread John Hasler
Joe Pfeiffer writes:
> The LICENCE.amd-ucode file
> includes the paragraph:

>You may not reverse engineer, decompile, or disassemble this
>Software or any portion thereof.

Quite unenforceable, of course.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: How free is Debian

2019-08-07 Thread Joe Pfeiffer
Shahryar Afifi  writes:

> With respect to all the contributors, developers, hobbyist and users,
> who made GNU/Linux and Debian and all other distributions possible,
> here lies a humble, ignorance and yet curious question.
>
> Are all binaries in the kernel code were writing from scratch? Are
> there any binary blobs in the kernel that it was given to developers?
> If amd64 license is not free, how is it that we have amd64 microcode in
> the debian free? and if they are not the same, are we using the full
> potential of our hardware?
>
> I apologize in advance for my ignorance.
> Thank you.

Typically the binary blobs are not free.  If you get the source for a
package that includes a blob (for instance, amd64-microcode) you'll see
where the blob came from.  In the case of that package, it's all just
binary -- no source code for the microcode.  The LICENCE.amd-ucode file
includes the paragraph:

You may not reverse engineer, decompile, or disassemble this
Software or any portion thereof.

So... not free at all.



Re: WiFi interface unexpected response

2019-08-07 Thread zetam.imap



On 7/8/19 at 03:48, Andrei POPESCU wrote:
> Let me rephrase that: why do you need *both* /etc/network/interfaces and
> wpa_supplicant.conf?
>
> Kind regards,
> Andrei

Thank you Andrei. Your insights drove me to solve the blob. By reading
without haste and in the right place, I can understand it. Everything was
there: https://wiki.debian.org/WiFi/HowToUse

However, Patrick's quote makes sense too. If you ggle out you will find a
lot of tuts teaching the configuration of both tools at the same time.
Of course the keyword was wpa_ssid ;)

Finally I left an empty wpa_supplicant.conf file, rebooted et... voilà, things
work fine now!

The curious detail: when verifying that wpa_supplicant was not running, I got a
funny surprise.

  root@:~ # ps ax | grep supp
     696 ?    Ss 0:00 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlp3s0.pid -i wlp3s0 -D nl80211,wext -C /run/wpa_supplicant

Thank you guys



Re: How free is Debian

2019-08-07 Thread Judah Richardson
You don't need a license for an ISA to compile for it. You need a license
only if you're developing a CPU that uses that ISA.

On Wed, Aug 7, 2019, 19:34 Shahryar Afifi  wrote:

> With respect to all the contributors, developers, hobbyist and users,
> who made GNU/Linux and Debian and all other distributions possible,
> here lies a humble, ignorance and yet curious question.
>
> Are all binaries in the kernel code were writing from scratch? Are
> there any binary blobs in the kernel that it was given to developers?
> If amd64 license is not free, how is it that we have amd64 microcode in
> the debian free? and if they are not the same, are we using the full
> potential of our hardware?
>
> I apologize in advance for my ignorance.
> Thank you.
>
>


Re: Trackman Marble under wayland in Buster

2019-08-07 Thread Zenaan Harkness
On Wed, Aug 07, 2019 at 11:29:48AM -0400, Henning Follmann wrote:
> Hello,
> I just updated to buster and with that comes wayland.
> I am using a Trackman marble and I do have a custom
> configuration for it to switch to scroll when I hold
> button 8 (called "EmulateWheel").
> Is there a way to do this under wayland?
> 
> here is my previous marblemouse.conf for X:
> 
> Section "InputClass"
> Identifier  "Marble Mouse"
> MatchProduct "Logitech USB Trackball"
> MatchIsPointer "on"
> MatchDevicePath "/dev/input/event*"
> Driver "evdev"
>   Option "Buttons" "9"
>   Option "ButtonMapping"  "1 9 3 4 5 6 7 2 8"
> Option "EmulateWheel" "true"
> Option "EmulateWheelButton" "8"
> Option "Emulate3Buttons" "true"
> EndSection
> #

+1

BTW, why do you have buttons "9"?

My marble conf is:

Section "InputClass"
  Identifier  "Marble Mouse"
  MatchProduct "Logitech USB Trackball"
  MatchIsPointer "on"
  MatchDevicePath "/dev/input/event*"
  Driver "evdev"
  Option "ButtonMapping" "1 8 3 4 5 6 7 2 2"
  Option "EmulateWheel" "true"
  Option "EmulateWheelButton" "8"
  Option "ZAxisMapping" "4 5"
  Option "XAxisMapping" "6 7"
  Option "Emulate3Buttons" "true"
EndSection


Greatest mouse in the world once it's set up right - keep one on each
side of the keyboard too, very handy :)



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread nektarios
On Wed, 07 Aug 2019 23:05:13 +0200
Nimrod  wrote:

> On Wed, 2019-08-07 at 14:45 -0400, bw wrote:
> > In-Reply-To:
> >
> > > > 2) The output of `iwlist scan` to see if the network you're
> > > > looking for is detected from the hardware.
> > > This is interesting, I didn't know this command. It would be rather
> > > strange if the hotspot is shown by the above command but not by
> > > Network Manager.
> >
> > No, it would not be strange at all.  Network-manager is in its own
> > time-zone, and is often rather strange and hard to figure
> > out.  Sometimes you must be patient, it does not scan immediately.
> > For CLI tools I prefer 'iw' to the older iwlist command, but either
> > may help you.  If the device is scanning and finding other ap, then
> > it probably is a network-manager quirk.  It often
> > misses/adds/deletes aps from the list IME.
>
> I tried iw while Network Manager was not finding my hotspot, and iw
> found it instead.
> But suddenly NM found it too! Last time it worked was several days
> ago. I really can't understand. I'm happy it's working now, but I'm
> afraid it will stop working sooner or later. I restarted several
> times both laptop and hotspot, using both Gnome Shell and Mate, and
> the hotspot always appeared almost immediately, as it used to do
> before. I then turned on another Nokia 3 hotspot (I have three
> identical smartphones, mine and those of my sons). The second one is
> still invisible, while other devices, including my own smartphone, can
> connect to it with no problems.
> Issuing iw scan now has no effect.
> For everyone who answered here is the output of dmesg | grep wl:
> [   10.811861] wlan0: Broadcom BCM4315 802.11 Hybrid Wireless Controller 6.30.223.271 (r587334)
> [   11.084358] wl :02:00.0 wls1: renamed from wlan0
> [   16.562792] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [   17.614802] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [  161.102549] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
> [  725.746601] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [  725.770340] ERROR @wl_cfg80211_scan :
> [  729.858749] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
> [ 1264.074169] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [ 1537.300735] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
> [ 1540.111204] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [ 1655.286877] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
> [ 1821.082896] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [ 1845.425123] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
> [ 1849.392169] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [ 1909.187372] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
> [ 1909.219378] ERROR @wl_cfg80211_scan :
> [ 1909.248580] ERROR @wl_cfg80211_scan :
> After the link became ready, I disabled wifi intentionally, and
> reenabled after some seconds. Also, I tried many times "iw scan".
> I can provide other data if you need it, just tell me.
> Many thanks.
> > Good Luck,bw
> 
> 

The `iwlist` command was very useful to me once when debugging a Raspberry Pi
with a failing wireless adapter (networks appearing and disappearing).

Tbh the errors there don't look good but not serious either.
If the related output from `iwlist scan` shows only 2.4 GHz networks (it
may be detecting only networks in the 2.4 GHz - if your NIC is old).

`lshw` output might be of use if you know what hardware you have in the
laptop as a driver/device mismatch might cause the device not to work very
well (I've seen it once only with a USB wireless adapter).

Regards
-- 
Nektarios Katakis



Re: Server hardware advice.

2019-08-07 Thread Celejar
On Wed, 07 Aug 2019 17:12:20 +0200
deloptes  wrote:

> Michael Stone wrote:
> 
> > Newer server hardware is much more power efficient and will draw very
> > little power when idle. This is one of the drawbacks to saving money by
> > using old hardware. (You can still use old hardware, just be sure it's
> > new enough that it's from the era when power efficiency became a thing.)
> 
> I am not sure who you are answering to. I recently looked at HP DL360 and
> DL380 Gen10. Yes indeed they are more power efficient compared to Gen9 in
> terms they provide more calculation cycles for the same power, but this can
> not be compared to a PC.

This sort of stuff is discussed endlessly on the homelab subreddit, but
for some personal data points: I run Debian on a Dell R210 II, with 1
CPU with 4 cores / 8 threads and 16GB of RAM, and a single HDD: the thing
idles at about 23 watts. A Windows 10 VM (KVM / libvirt) adds about 5-7
watts, but a Debian Sid VM adds nothing. [Of course, the Debian VM is a
fairly minimal thing, with under 400 packages installed, while the
Windows installation is a pretty standard one.]

Celejar



Re: mount weirdness

2019-08-07 Thread Thomas Schmitt
Hi,

i wrote:
> >mount -v /dev/sdc /wa1
> >echo $?

Duh. "/dev/sdb2", not "/dev/sdc".
(Do as i mean, not as i write.)


Dennis Wicks wrote:
> I'll put a note in my fstab so the next time I boot I can find it if the
> mount fails again!

Did i miss the report about some miracle cure beyond the link to /wa11 ?


I did a search for "wa1" in Linux kernel git.
  https://github.com/torvalds/linux/search?utf8=%E2%9C%93=wa1=
The name seems not to be hardcoded there.
So my best guess is that it is mistaken by mount(8) for something other
than a target path.

This opportunity to be mistaken could be excluded by a test program
which uses mount(2).
I tested this program "ts_mount.c":

-
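#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit */
#include <string.h>     /* strerror */
#include <errno.h>      /* errno */
#include <sys/mount.h>  /* mount, MS_RDONLY */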

int main()
{
 int ret;

 ret = mount("/dev/sr4", "/mnt/iso", "iso9660", MS_RDONLY, "");
 if(ret == 0) {
   printf("Success\n");
   exit(0);
 }
 printf("Failed\n");
 printf("errno= %d (%s)\n", errno, strerror(errno));
 exit(1);
}
-

with a DVD drive by:

  cc -g -Wall -o ts_mount ts_mount.c
  ./ts_mount

As normal user i got

  Failed
  errno= 1 (Operation not permitted)

and as superuser

  Success

Drive noise and listed files confirm the optimistic message.
Without medium i get

  Failed
  errno= 123 (No medium found)


Have a nice day :)

Thomas



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Nimrod
On Wed, 2019-08-07 at 14:45 -0400, bw wrote:
> In-Reply-To:
> > > 2) The output of `iwlist scan` to see if the network you're
> > > looking for is detected from the hardware.
> > This is interesting, I didn't know this command. It would be rather
> > strange if the hotspot is shown by the above command but not by
> > Network Manager.
>
> No, it would not be strange at all.  Network-manager is in its own
> time-zone, and is often rather strange and hard to figure
> out.  Sometimes you must be patient, it does not scan immediately.
> For CLI tools I prefer 'iw' to the older iwlist command, but either
> may help you.  If the device is scanning and finding other ap, then
> it probably is a network-manager quirk.  It often misses/adds/deletes
> aps from the list IME.

I tried iw while Network Manager was not finding my hotspot, and iw
found it instead.
But suddenly NM found it too! Last time it worked was several days ago.
I really can't understand. I'm happy it's working now, but I'm afraid
it will stop working sooner or later. I restarted several times both
laptop and hotspot, using both Gnome Shell and Mate, and the hotspot
always appeared almost immediately, as it used to do before.
I then turned on another Nokia 3 hotspot (I have three identical
smartphones, mine and those of my sons). The second one is still
invisible, while other devices, including my own smartphone, can
connect to it with no problems.
Issuing iw scan now has no effect.
For everyone who answered here is the output of dmesg | grep wl:
[   10.811861] wlan0: Broadcom BCM4315 802.11 Hybrid Wireless Controller 6.30.223.271 (r587334)
[   11.084358] wl :02:00.0 wls1: renamed from wlan0
[   16.562792] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[   17.614802] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[  161.102549] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
[  725.746601] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[  725.770340] ERROR @wl_cfg80211_scan :
[  729.858749] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
[ 1264.074169] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[ 1537.300735] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
[ 1540.111204] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[ 1655.286877] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
[ 1821.082896] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[ 1845.425123] IPv6: ADDRCONF(NETDEV_CHANGE): wls1: link becomes ready
[ 1849.392169] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[ 1909.187372] IPv6: ADDRCONF(NETDEV_UP): wls1: link is not ready
[ 1909.219378] ERROR @wl_cfg80211_scan :
[ 1909.248580] ERROR @wl_cfg80211_scan :
After the link became ready, I disabled wifi intentionally, and
reenabled after some seconds. Also, I tried many times "iw scan".
I can provide other data if you need it, just tell me.
Many thanks.
> Good Luck,bw




Re: mount weirdness

2019-08-07 Thread David Wright
On Wed 07 Aug 2019 at 12:44:39 (-0500), Dennis Wicks wrote:
> David Wright wrote on 8/6/19 1:48 PM:
> > On Tue 06 Aug 2019 at 12:18:21 (-0500), Dennis Wicks wrote:
> > > Thomas Schmitt wrote on 8/6/19 10:30 AM:
> > > > Dennis Wicks wrote:
> > > > > I *cannot* mount *any* partition on /wa1
> > > > > but I *can* mount *any* partition on any other mount point.
> > > > 
> > > > So what do you get from these shell commands ?
> > > I am currently running with "ln -s /wa11 /wa1" so this isn't the
> > > config I booted with. Anyway;
> > > > 
> > > > ls -ld /wa1 /wa11
> > > 
> > > wix@dgwicks:~$ ls -ld /wa1 /wa11
> > > lrwxrwxrwx  1 root root    4 Aug  1 17:40 /wa1 -> wa11
> > > drwxrwxrwx 17 root root 4096 Jun 17 14:07 /wa11
> > > wix@dgwicks:~$
> > > 
> > > > 
> > > > find /wa1
> > > 
> > > wix@dgwicks:~$ cd /
> > > wix@dgwicks:/$ find /wa1
> > > /wa1
> > > wix@dgwicks:/$ lg wa1
> > > lrwxrwxrwx   1 root root 4 Aug  1 17:40 wa1 -> wa11/
> > > drwxrwxrwx  17 root root  4.0K Jun 17 14:07 wa11/
> > > lrwxrwxrwx   1 root root 7 Aug  1 17:43 www -> wa1/www/
> > > wix@dgwicks:/$
> > > 
> > > > 
> > > > What happens if you create a new /wa1 ?
> > > > 
> > > > mv /wa1 /wa1_old
> > > > mkdir /wa1
> > > > mount /dev/sdb2 /wa1
> > > > 
> > > 
> > > Same failure. One of the many things I tried to get the mount on /wa1
> > > to work, without any success.
> > 
> > Shouldn't that fail with:
> > 
> > ~# mkdir /wa1
> > ~# mount /dev/sda4 /wa1
> > mount: /dev/sda4 is already mounted or /wa1 busy
> > /dev/sda4 is already mounted on /ya
> > ~#
> 
> No, it won't fail because the first mount to /wa1 did not succeed!

No, but your sdb2 is already mounted (on /wa11):

sdb
├─sdb1 xfs  PubDtaMaster 4283d59b-8e0b-4f6a-ad33-47dff4e2198c   32.7G 86% /edrv
└─sdb2 xfs  Work-Area-1  20173008-eeaa-41cd-b862-f7d0b871895d  241.9G 65% /wa11

> And
> the system does not object or give an error when you mount the same
> partition on two diff dirs anyway!

Mine does: I just posted it.

> > > > 
> > > > 
> > > > As for your fstab, there is this "x-systemd.device-timeout=20" where
> > > > all others have "=60". But the web says this is for automounting.
> > > 
> > > This param is to stop the boot process from stopping because all of
> > > the mounts have failed, temporarily. A previous thread from a few
> > > weeks(?) back.
> > > > 
> > > > I fail to imagine any explanation for the symptoms you report. 
> > > > Especially
> > > > the silent failure riddles me.
> > 
> > Unfortunately there's too much reported speech in this thread,
> > and not enough direct speech. Some timely copy/paste might help.

And, once again, you post *reports* of what is supposed to have happened.

BTW what is lg?

Cheers,
David.



Re: Server hardware advice.

2019-08-07 Thread jochen-2019-q2




On 07.08.2019 at 10:21, Jonas Smedegaard wrote:

Quoting Reco (2019-08-07 08:53:52)

On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:

I'm looking for advice on how to build a home server with a primary
focus on security. I plan to run nextcloud and a mail server that
will serve 3 to 5 people at most.

My requirements are:

A server setup that can be run with completely open source software
and doesn't require any binaries to boot. I don't trust anything
closed source for this particular project.

A gigabit ethernet port.

A USB3.0 port or SATA connector to attach storage to.

Enough processor power and ram to run nextcloud and the mail server
from an encrypted hard drive (LUKS) efficiently with moderate
throughput saving and reading files from nextcloud.


  These fit all your requirements (i.e. it'll run stock buster kernel
without any additional firmware):

Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
GnuBee - [2]. 6 SATA ports attached to PCI-E.
Odroid HC2 - [3]. Single SATA port, attached to USB bus.


No powerful computers exist today completely without non-free parts:
Since you point to Open Source Hardware below, beware that none of above
devices are OSHWA certified: https://certification.oshwa.org/list.html -
if however your freedom concerns are limited to _software_ parts then it
is easier: Look for boards supported in mainline Linux and u-boot, and
supported in Debian!

Disregarding OSHW I agree that above options are good highlights.
Additionally I suggest Olimex A64-Olinuxino and ESPRESSObin, both
(unlike above options) known to be mainlined and work with Debian
Buster.

Personally, for hosting mail + Nextcloud for a small team I would
tolerate USB2.0 and use the OSHWA certified board Olimex A64-Olinuxino.

Only for heavy professional demands (e.g. an advertising agency pushing
big files across a LAN all the time) I would use a Helios4.



So far I have been looking at single board computers like the ones
listed here: https://wiki.debian.org/CheapServerBoxHardware#OSHW


Happy to see that list being of use beyond the FreedomBox project and my
own competing https://solidbox.org/ :-)

Please note that above list is limited to more consumer-oriented devices
than your spec needs - e.g. must be sold with a proper case and be
cheaper than you tolerate.



That list is outdated somewhat. But it gave me good ideas back in the
day.


I just got myself a Zotac CI329 Nano. The Ethernet drivers (Realtek 
r8169 module) seem to use some binary blob. It was a bit strange as the 
system asked me for them in the debian installer, but then worked 
without providing any files...


If that is ok for the OP, this provides a powerful fanless system. It is 
very compact, has four cores and it didn't complain when it was very hot 
here, recently.


I'm using it as a router, because the FritzBox! Routers are becoming 
useless for more ambitious users. It has 2x Gigabit Ethernet and Intel 
WiFi with a single antenna. I'm also having 2x Windows Server 2016 core 
running in VMs to play around with Active Directory. The CPU is Atom 
based and officially supports only 8G, but I bought a 16GB dual channel 
kit and it works without flaw. I did the same on my QNAP, which has an 
older generation Celeron without AES instructions.


A €30 240GB Kingston SSD provides plenty of fast storage and all 
together this is a powerful, clean system using <10W.


Jochen



Re: Remote console access (similar to TeamViewer)

2019-08-07 Thread Paynalton
If a bird does not break its egg, it will die before being born.
We are the bird and the world is our egg.
FOR THE REVOLUTION OF THE WORLD

Mexico City


On Wed, 7 Aug 2019 at 14:40, Guido Ignacio ()
wrote:

> Let me see if I understood: you mean using an ssh tunnel, but I have to
> keep that tunnel active from my server, so I am going to need a
> server on the other side to make the tunnel with
>
> Is that what you mean?
>
>
No, a VPN tunnel, and then if you want you can use ssh inside the VPN tunnel.

This manual explains how to set it up on Debian:

https://wiki.debian.org/OpenVPN

To make it work you use a VPN server, which you can rent or run as an
exposed service anywhere. The client machines connect to it
and create virtual interfaces that work as if they were physically
inside the same network, with the server acting as a router.

Additionally, you can use the client machines as gateways to connect
other machines to the VPN network.

On Wed, 7 Aug 2019 at 16:29, Paynalton ()
> wrote:
> >
> > Hmm, use a VPN so you can reach the machines through a tunnel.
> >
> >
> > If a bird does not break its egg, it will die before being born.
> > We are the bird and the world is our egg.
> > FOR THE REVOLUTION OF THE WORLD
> >
> > Mexico City
> >
> >
> > On Wed, 7 Aug 2019 at 13:52, Guido Ignacio ()
> wrote:
> >>
> >> Good afternoon, all
> >>
> >> I have a question: I have a home server that, because of ISP
> >> restrictions, has no public addressing, so I cannot
> >> reach my LAN from the WAN (even when routing and setting up the DMZ
> >> on the router).
> >>
> >> The only solution is to use something similar to TeamViewer, but I need
> >> something that does not use X, since I only have console mode.
> >>
> >> What alternatives do I have for reaching my server's console?
> >>
> >> Thanks!
> >>
>
>


Re: Remote console access (similar to TeamViewer)

2019-08-07 Thread Guido Ignacio
Let me see if I understood: you mean using an ssh tunnel, but I have to
keep that tunnel active from my server, so I am going to need a
server on the other side to make the tunnel with

Is that what you mean?

On Wed, 7 Aug 2019 at 16:29, Paynalton () wrote:
>
> Hmm, use a VPN so you can reach the machines through a tunnel.
>
>
> If a bird does not break its egg, it will die before being born.
> We are the bird and the world is our egg.
> FOR THE REVOLUTION OF THE WORLD
>
> Mexico City
>
>
> On Wed, 7 Aug 2019 at 13:52, Guido Ignacio ()
> wrote:
>>
>> Good afternoon, all
>>
>> I have a question: I have a home server that, because of ISP
>> restrictions, has no public addressing, so I cannot
>> reach my LAN from the WAN (even when routing and setting up the DMZ
>> on the router).
>>
>> The only solution is to use something similar to TeamViewer, but I need
>> something that does not use X, since I only have console mode.
>>
>> What alternatives do I have for reaching my server's console?
>>
>> Thanks!
>>



Re: Remote console access (similar to TeamViewer)

2019-08-07 Thread Paynalton
Hmm, use a VPN so you can reach the machines through a tunnel.


If a bird does not break its egg, it will die before being born.
We are the bird and the world is our egg.
FOR THE REVOLUTION OF THE WORLD

Mexico City


On Wed, 7 Aug 2019 at 13:52, Guido Ignacio ()
wrote:

> Good afternoon, all
>
> I have a question: I have a home server that, because of ISP
> restrictions, has no public addressing, so I cannot
> reach my LAN from the WAN (even when routing and setting up the DMZ
> on the router).
>
> The only solution is to use something similar to TeamViewer, but I need
> something that does not use X, since I only have console mode.
>
> What alternatives do I have for reaching my server's console?
>
> Thanks!
>
>


Remote console access (similar to TeamViewer)

2019-08-07 Thread Guido Ignacio
Good afternoon, all

I have a question: I have a home server that, because of ISP
restrictions, has no public addressing, so I cannot
reach my LAN from the WAN (even when routing and setting up the DMZ
on the router).

The only solution is to use something similar to TeamViewer, but I need
something that does not use X, since I only have console mode.

What alternatives do I have for reaching my server's console?

Thanks!



Re: but where did the missing space go?

2019-08-07 Thread Pascal Hambourg

On 07/08/2019 at 00:17, hamster wrote:

Pascal Hambourg wrote:

On 06/08/2019 at 12:48, hamster wrote:


if [[ "$(grep "/home" /etc/mtab | cut -d" " -f3)" = "ext?" ]]


This expression is not selective enough. It takes into account
any mount containing "/home" in the mount point
(/home/data) or the device (/dev/vg/home).


Quite right. I think adding spaces solves the problem:
if [[ "$(grep " /home " /etc/mtab | cut -d" " -f3)" = "ext?" ]]


That is better, and probably sufficient. To cause a false positive
you would need a path containing spaces, which is not common.



Re: mount weirdness

2019-08-07 Thread Greg Wooledge
On Wed, Aug 07, 2019 at 12:44:39PM -0500, Dennis Wicks wrote:
> And the
> system does not object or give an error when you mount the same partition on
> two diff dirs anyway!

Sadly.  And *very* surprisingly.  You can only wish that it did.
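
A check for the situation discussed above, added here as an example and not posted by anyone in the thread: it lists every block device that appears at more than one mount point in a mounts table. The names `multi_mounted` and `sample_mount_table` are constructed, and the sample table reuses the sdb1, sdb2, /edrv, /wa1 and /wa11 names from the thread; bind mounts of the same device are reported too.

```shell
#!/bin/sh
# Added example: report devices that are mounted at more than one place.
# multi_mounted and sample_mount_table are names made up for this example.

# multi_mounted [FILE]
# Print one line "DEVICE: MOUNTPOINT MOUNTPOINT ..." for every source that
# starts with "/" (a device path) and has two or more distinct mount points.
# FILE defaults to /proc/self/mounts; "-" reads the table from stdin.
multi_mounted() {
    awk '
        # Skip pseudo filesystems (proc, tmpfs, ...) and count each
        # device/mount-point pair only once.
        $1 ~ /^\// && !(($1, $2) in seen) {
            seen[$1, $2] = 1
            count[$1]++
            targets[$1] = targets[$1] " " $2
        }
        END {
            for (dev in count)
                if (count[dev] > 1)
                    print dev ":" targets[dev]
        }
    ' "${1:-/proc/self/mounts}" | sort
}

# Constructed sample: sdb2 is mounted on /wa11 and then again on /wa1.
sample_mount_table() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
/dev/sdb1 /edrv xfs rw,relatime 0 0
/dev/sdb2 /wa11 xfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
/dev/sdb2 /wa1 xfs rw,relatime 0 0
EOF
}

sample_mount_table | multi_mounted -       # /dev/sdb2: /wa11 /wa1
```

Run without arguments, `multi_mounted` reads the live table from /proc/self/mounts.
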



Re: mount weirdness

2019-08-07 Thread Dennis Wicks

Thomas Schmitt wrote on 8/6/19 1:58 PM:

Hi,

more ideas: exit value, verbose mode.

   mount -v /dev/sdc /wa1
   echo $?

A nominally successful mount command would yield 0 as "$?".
Maybe -v yields some extra insight.


Have a nice day :)

Thomas




Thanks, Thomas!
I'll put a note in my fstab so the next time I boot I can 
find it if the mount fails again!


You too!
Dennis



Re: Exim4 as a smarthost : Unrouteable address

2019-08-07 Thread Joe
On Wed, 7 Aug 2019 18:37:05 +0200
rudu  wrote:

> Thank you Dan for your input.
> 
> On 07/08/2019 at 17:28, Dan Purgert wrote:
> > rudu wrote:  
> >> Hi all,
> >>
> >> Until recently my machines running debian testing used to send me
> >> e-mails as reports from cron tasks or from LAMP applications.
> >> This is not working anymore.
> >> I did of course a dpkg-reconfigure exim4-config to get this
> >> /etc/exim4/update-exim4.conf.conf file :
> >> [...]
> >> # This is a Debian specific file
> >>
> >> dc_eximconfig_configtype='satellite'
> >> dc_other_hostnames='*'  
> > Not sure if it makes a difference or not; but my exim satellite
> > configs have this entry (dc_other_hostnames) set to the local
> > system's name.
> >
> > [...]  
> >> dc_smarthost='mail.myprovider.fr::465'  
> > This is another problem I noticed.  My satellite configs simply
> > state dc_smarthost='mail.djph.net'; without any port
> > configurations.  
> As you suggested, I changed both parameters and this is what I get :
> 
> 
> $ echo 'Hello there !!' | mail my.n...@domain.org -s Test13 -v
> LOG: MAIN
>    <= j...@example.org U=jean P=local S=453
> jean@poste1:~$ delivering 1hvOe8-000392-5m
> R: smarthost for my.n...@domain.org
> T: remote_smtp_smarthost for my.n...@domain.org
> Connecting to mail.myprovider.fr [91.217.154.228]:25 ... connected
>    SMTP<< 220 mx0.myprovider.fr ESMTP Postfix (Debian/GNU)
>    SMTP>> EHLO example.org
>    SMTP<< 250-mx0.myprovider.fr
>   250-PIPELINING
>   250-SIZE 18442404
>   250-VRFY
>   250-ETRN
>   250-AUTH PLAIN LOGIN
>   250-AUTH=PLAIN LOGIN
>   250-ENHANCEDSTATUSCODES
>   250-8BITMIME
>   250-DSN
>   250 SMTPUTF8
>    SMTP>> MAIL FROM: SIZE=1490
>    SMTP>> RCPT TO:
>    SMTP>> DATA
>    SMTP<< 250 2.1.0 Ok
>    SMTP<< 554 5.7.1 Service unavailable; Client host [109.12.75.40] 
> blocked using lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
> https://www.spamhaus.org/query/ip/109.12.75.40
>    SMTP<< 554 5.5.1 Error: no valid recipients
>    SMTP>> QUIT
>    SMTP(close)>>
> LOG: MAIN
>    ** my.n...@domain.org R=smarthost T=remote_smtp_smarthost 
> H=mail.myprovider.fr [91.217.154.228]: SMTP error from remote mail 
> server after RCPT TO:: 554 5.7.1 Service 
> unavailable; Client host [109.12.75.40] blocked using 
> lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
> https://www.spamhaus.org/query/ip/109.12.75.40
> LOG: MAIN
>    <= <> R=1hvOe8-000392-5m U=Debian-exim P=local S=2163
> delivering 1hvOe8-000395-GS
> R: system_aliases for j...@example.org
> R: hub_user for j...@example.org
> R: system_aliases for j...@example.org
> R: hub_user_smarthost for j...@example.org
> T: remote_smtp_smarthost for j...@example.org
> LOG: MAIN
>    Completed
> Connecting to mail.myprovider.fr [91.217.154.228]:25 ... connected
>    SMTP<< 220 mx0.myprovider.fr ESMTP Postfix (Debian/GNU)
>    SMTP>> EHLO example.org
>    SMTP<< 250-mx0.myprovider.fr
>   250-PIPELINING
>   250-SIZE 18442404
>   250-VRFY
>   250-ETRN
>   250-AUTH PLAIN LOGIN
>   250-AUTH=PLAIN LOGIN
>   250-ENHANCEDSTATUSCODES
>   250-8BITMIME
>   250-DSN
>   250 SMTPUTF8
>    SMTP>> MAIL FROM:<> SIZE=3243
>    SMTP>> RCPT TO:
>    SMTP>> DATA
>    SMTP<< 250 2.1.0 Ok
>    SMTP<< 554 5.7.1 Service unavailable; Client host [109.12.75.40] 
> blocked using lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
> https://www.spamhaus.org/query/ip/109.12.75.40
>    SMTP<< 554 5.5.1 Error: no valid recipients
>    SMTP>> QUIT
>    SMTP(close)>>
> LOG: MAIN
>    ** j...@example.org R=hub_user_smarthost T=remote_smtp_smarthost 
> H=mail.myprovider.fr [91.217.154.228]: SMTP error from remote mail 
> server after RCPT TO:: 554 5.7.1 Service
> unavailable; Client host [109.12.75.40] blocked using 
> lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
> https://www.spamhaus.org/query/ip/109.12.75.40
> LOG: MAIN
>    Frozen (delivery error message)
> 
> I understand that I've been rejected as a spammer.
> My provider insists on using port 465 though and maybe I didn't tell 
> exim4 to use ssl/tls ??
> Where should I look ?
> 

Here's one of many how-tos:

https://somoit.net/linux/linux-exim-authenticated-and-tls-mail-through-smarthost

I have done it in the past for a client, but too long ago to remember
anything.

-- 
Joe



Re: mount weirdness

2019-08-07 Thread Dennis Wicks

David Wright wrote on 8/6/19 1:48 PM:

On Tue 06 Aug 2019 at 12:18:21 (-0500), Dennis Wicks wrote:

Thomas Schmitt wrote on 8/6/19 10:30 AM:

Dennis Wicks wrote:

I *cannot* mount *any* partition on /wa1
but I *can* mount *any* partition on any other mount point.


So what do you get from these shell commands ?

I am currently running with "ln -s /wa11 /wa1" so this isn't the
config I booted with. Anyway;


ls -ld /wa1 /wa11


wix@dgwicks:~$ ls -ld /wa1 /wa11
lrwxrwxrwx  1 root root4 Aug  1 17:40 /wa1 -> wa11
drwxrwxrwx 17 root root 4096 Jun 17 14:07 /wa11
wix@dgwicks:~$



find /wa1


wix@dgwicks:~$ cd /
wix@dgwicks:/$ find /wa1
/wa1
wix@dgwicks:/$ lg wa1
lrwxrwxrwx   1 root root 4 Aug  1 17:40 wa1 -> wa11/
drwxrwxrwx  17 root root  4.0K Jun 17 14:07 wa11/
lrwxrwxrwx   1 root root 7 Aug  1 17:43 www -> wa1/www/
wix@dgwicks:/$



What happens if you create a new /wa1 ?

mv /wa1 /wa1_old
mkdir /wa1
mount /dev/sdb2 /wa1



Same failure. One of the many things I tried to get the mount on /wa1
to work, without any success.


Shouldn't that fail with:

~# mkdir /wa1
~# mount /dev/sda4 /wa1
mount: /dev/sda4 is already mounted or /wa1 busy
/dev/sda4 is already mounted on /ya
~#


No, it won't fail because the first mount to /wa1 did not 
succeed! And the system does not object or give an error 
when you mount the same partition on two diff dirs anyway!







As for your fstab, there is this "x-systemd.device-timeout=20" where
all others have "=60". But the web says this is for automounting.


This param is to stop the boot process from stopping because all of
the mounts have failed, temporarily. A previous thread from a few
weeks(?) back.


I fail to imagine any explanation for the symptoms you report. Especially
the silent failure riddles me.


Unfortunately there's too much reported speech in this thread,
and not enough direct speech. Some timely copy/paste might help.


Me too! Happens during boot and when done manually!


Cheers,
David.







Re: WiFi interface unexpected response

2019-08-07 Thread Patrick Bartek
On Wed, 7 Aug 2019 09:48:03 +0300
Andrei POPESCU  wrote:

> On Ma, 06 aug 19, 18:13:02, zetam.imap wrote:
> >   
> > > Why do you need this if you configure wpa in /etc/network/interfaces?  
> > 
> > Normally the wireless interface is activated when a user accesses their
> > account on the graphical interface.
> > This host has to perform unattended tasks on that network even if no
> > user is logged in.  
> 
> Let me rephrase that: why do you need *both* /etc/network/interfaces and 
> wpa_supplicant.conf?

I wondered this, too.  But every doc, wiki or article I read about
manually setting up wireless with encryption said that's the way you
do it.  However, just to find out, I commented out the network stanza
for my USB wireless dongle in wpa_supplicant.conf, and rebooted.
Wireless works fine just with the basic info
from /etc/network/interfaces. Only thing left not commented out in
wpa_supplicant.conf is the config to enable wpa_cli, which doesn't run
by default.

FWIW: My system, a box under the desk, not a laptop, is very basic with
an atypical install of Stretch -- window manager only, sysvinit, no
wired Ethernet -- built part by part from a terminal-only install. Boots
to terminal, login there, then startx to bring up GUI.

B



Re: Server hardware advice.

2019-08-07 Thread Steven Mainor
I would say a server is any piece of software or hardware that serves data to 
other devices.

I have run an apache2/mariadb/php server from an old laptop with a headless LTS 
Linux for over two years without issue.

Surely you aren't saying only a rack mounted 64 core monstrosity with a TB of 
ram is qualified to be called a "server"

For my needs, I doubt anything more than a modern single board computer is 
necessary. At least as far as compute power is concerned.

--
Steven Mainor

On August 7, 2019 10:53:52 AM EDT, deloptes  wrote:
>Steven Mainor wrote:
>
>> I would like to keep the budget under $500 not including the hard drive(s)
>> I already have drives. Less is better.
>
>When I read server hardware I understand also server hardware. It has many
>CPUs a lot of ram, redundant power supply etc. It consumes a lot of power
>and costs a lot.
>For under 500 you can not get any of this and for your use case you do not
>need this as well.
>
>Years ago I built one to serve our needs at home. It has 4 virtual CPU and
>32GB RAM - it uses 85Watt of power when not under load and it goes to above
>100 if I compile software on it. It uses 10Watt more if I run a virtual
>machine (virtual box or vmware - I do not test containers, but I assume
>this will add overhead). The disks (I have 8) use also 3-5Watt each. Buying
>newer - larger disks, pays off, but it is insignificant what you save on
>power per year, most is burned by the CPU, so choose CPU and mainboard
>carefully.
>Unless you do not have to, avoid virtualization - it costs more energy.
>
>I hope this helps


Re: Exim4 as a smarthost : Unrouteable address

2019-08-07 Thread rudu

Thank you Dan for your input.

On 07/08/2019 at 17:28, Dan Purgert wrote:

rudu wrote:

Hi all,

Until recently my machines running debian testing used to send me
e-mails as reports from cron tasks or from LAMP applications.
This is not working anymore.
I did of course a dpkg-reconfigure exim4-config to get this
/etc/exim4/update-exim4.conf.conf file :
[...]
# This is a Debian specific file

dc_eximconfig_configtype='satellite'
dc_other_hostnames='*'

Not sure if it makes a difference or not; but my exim satellite configs
have this entry (dc_other_hostnames) set to the local system's name.

[...]

dc_smarthost='mail.myprovider.fr::465'

This is another problem I noticed.  My satellite configs simply state
dc_smarthost='mail.djph.net'; without any port configurations.

As you suggested, I changed both parameters and this is what I get :


$ echo 'Hello there !!' | mail my.n...@domain.org -s Test13 -v
LOG: MAIN
  <= j...@example.org U=jean P=local S=453
jean@poste1:~$ delivering 1hvOe8-000392-5m
R: smarthost for my.n...@domain.org
T: remote_smtp_smarthost for my.n...@domain.org
Connecting to mail.myprovider.fr [91.217.154.228]:25 ... connected
  SMTP<< 220 mx0.myprovider.fr ESMTP Postfix (Debian/GNU)
  SMTP>> EHLO example.org
  SMTP<< 250-mx0.myprovider.fr
 250-PIPELINING
 250-SIZE 18442404
 250-VRFY
 250-ETRN
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250-DSN
 250 SMTPUTF8
  SMTP>> MAIL FROM: SIZE=1490
  SMTP>> RCPT TO:
  SMTP>> DATA
  SMTP<< 250 2.1.0 Ok
  SMTP<< 554 5.7.1 Service unavailable; Client host [109.12.75.40] 
blocked using lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
https://www.spamhaus.org/query/ip/109.12.75.40

  SMTP<< 554 5.5.1 Error: no valid recipients
  SMTP>> QUIT
  SMTP(close)>>
LOG: MAIN
  ** my.n...@domain.org R=smarthost T=remote_smtp_smarthost 
H=mail.myprovider.fr [91.217.154.228]: SMTP error from remote mail 
server after RCPT TO:: 554 5.7.1 Service 
unavailable; Client host [109.12.75.40] blocked using 
lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
https://www.spamhaus.org/query/ip/109.12.75.40

LOG: MAIN
  <= <> R=1hvOe8-000392-5m U=Debian-exim P=local S=2163
delivering 1hvOe8-000395-GS
R: system_aliases for j...@example.org
R: hub_user for j...@example.org
R: system_aliases for j...@example.org
R: hub_user_smarthost for j...@example.org
T: remote_smtp_smarthost for j...@example.org
LOG: MAIN
  Completed
Connecting to mail.myprovider.fr [91.217.154.228]:25 ... connected
  SMTP<< 220 mx0.myprovider.fr ESMTP Postfix (Debian/GNU)
  SMTP>> EHLO example.org
  SMTP<< 250-mx0.myprovider.fr
 250-PIPELINING
 250-SIZE 18442404
 250-VRFY
 250-ETRN
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250-DSN
 250 SMTPUTF8
  SMTP>> MAIL FROM:<> SIZE=3243
  SMTP>> RCPT TO:
  SMTP>> DATA
  SMTP<< 250 2.1.0 Ok
  SMTP<< 554 5.7.1 Service unavailable; Client host [109.12.75.40] 
blocked using lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
https://www.spamhaus.org/query/ip/109.12.75.40

  SMTP<< 554 5.5.1 Error: no valid recipients
  SMTP>> QUIT
  SMTP(close)>>
LOG: MAIN
  ** j...@example.org R=hub_user_smarthost T=remote_smtp_smarthost 
H=mail.myprovider.fr [91.217.154.228]: SMTP error from remote mail 
server after RCPT TO:: 554 5.7.1 Service unavailable; 
Client host [109.12.75.40] blocked using 
lk55tga7gkjpcy432ojwxtvvim.zen.dq.spamhaus.net; 
https://www.spamhaus.org/query/ip/109.12.75.40

LOG: MAIN
  Frozen (delivery error message)

I understand that I've been rejected as a spammer.
My provider insists on using port 465 though and maybe I didn't tell 
exim4 to use ssl/tls ??

Where should I look ?

Thanks
Rudu




Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread Eric Degenetais
Users other than www-data may belong to the www-data group.
In that case the tool may consider this too broad, because only the
www-data user, without exception, should be able to read (it is the only
user meant to create and use these files).
=> 0700

Regards
__
Éric Dégenètais
Henix

http://www.henix.com
http://www.squashtest.org



On Wed, 7 Aug 2019 at 17:29, G2PC wrote:

>
> But in the meantime, on the Debian system, the permissions are 1777 on
> the tmp directories /tmp and /var/tmp
>
> Note the leading 1, the sticky bit, which means that everyone can create
> a file but that the created file can afterwards only be modified by its
> owner (`man chmod` for the details).
>
>
> So why shouldn't the /upload_tmp_dir directory for php also be 1777?
>
> Everyone must be able to write to /tmp, it is the OS giving you a place
> where you can write, but for php there is no reason for anyone other than
> php to be able to read / write in a directory that is reserved for it.
>
> In general this directory is set to 700 or 750, owned by the user that
> runs php (it depends on your php installation).
>
>
> I see, thanks for your explanations, that seems logical.
> So, in my case, it is www-data that runs PHP, with Apache.
>
> So I create my directory in /var/www/dossier_pour_tmp_php
> chown www-data:www-data -R /var/www/dossier_pour_tmp_php/
>
> chmod 750 -R /var/www/dossier_pour_tmp_php
>
> ( Or possibly 1750 ? )
>
> Does that seem acceptable as a configuration? But then, what about
> Joomla throwing an error that makes the page inaccessible?
> I go to my domain, the Joomla site no longer loads and displays Error
> However, other content is accessible ( domaine.ext/phpsecinfo/ )
>
> Same if I set it to 755.
> The site only works if I set the permissions to 777
>
> After testing, I realise that I was mistaken! The temporary directory
> was owned by root:root
>
> Now it is correctly owned by www-data:www-data with 750 and the Joomla
> site is accessible!
>
>
> However, from phpsecinfo I still get the message in orange, which
> considers the conditions not met:
> Notice
> upload_tmp_dir is disabled, or is set to a common world-writable
> directory. This typically allows other users on this server to access
> temporary copies of files uploaded via your PHP scripts. You should set
> upload_tmp_dir to a non-world-readable directory
>
> Current Value: /var/www/dossier_pour_tmp_php (0750)
> Recommended Value: A non-world readable/writable directory
>
>
> For that, if you use PHP and you think your configuration works, please
> test this script, you just have to download it
> https://github.com/ZerooCool/phpsecinfo/tree/phpsecinfo-zeroocool-v0.2.1
>
> The test is performed at line 71:
>
> https://github.com/ZerooCool/phpsecinfo/blob/phpsecinfo-zeroocool-v0.2.1/20070406-phpsecinfo-v0.2.1/PhpSecInfo/Test/Core/upload_tmp_dir.php
>
> Thanks for your opinions.
>


Re: Server hardware advice.

2019-08-07 Thread ghe
Depends on what you're trying to do.

I run a small domain on a T1 without pictures or audio, so I'm using a
Raspberry Pi 3 as a server. Quite a bit faster than the old PDP-11s the
'Net started out with, and significantly less expensive. And smaller.

My domain used to be a lot larger, but still a T1 and very little
video/audio. I used the bottom-of-the-line Dell servers back then, and
bought my own RAM (Dell gets a lot for a RAM stick). The biggest
advantage to the Dell servers, aside from the reliability of the
components (over 15 years, I never had one fail), was that they could be
bought without the Windows tax.

If you're looking to do a full blown Google level server on a 10G
connection, advice there is above my pay scale...

-- 
Glenn English



Re: Server hardware advice.

2019-08-07 Thread Michael Stone

On Wed, Aug 07, 2019 at 05:12:20PM +0200, deloptes wrote:

Michael Stone wrote:

Newer server hardware is much more power efficient and will draw very
little power when idle. This is one of the drawbacks to saving money by
using old hardware. (You can still use old hardware, just be sure it's
new enough that it's from the era when power efficiency became a thing.)


I am not sure who you are answering to. 


What's confusing about the attribution and text that I quoted?


I recently looked at HP DL360 and
DL380 Gen10. Yes indeed they are more power efficient compared to Gen9 in
terms they provide more calculation cycles for the same power, but this can
not be compared to a PC.


HP g9 and g10 are both well past the dawn of the era of low idle 
consumption so there aren't huge differences to be found there. The base 
power consumption of that class of system is rather higher than a small 
desktop primarily because of redundancy and BMC (IPMI/remote 
management)--not the CPU. A different server chassis & motherboard 
choice will result in much lower base consumption, if the redundancy and 
remote management aren't needed. But even the HP DLs of the g9/g10 era 
can idle at around half the 85W you mentioned. (Whereas a comparable g6 
might have idled over 100W, and even older servers idled at 300 or 
400W.) The point is that it's not correct to assume that a "server" will 
have a high idle consumption, and if power efficiency is a goal it's 
achievable through reasonable selection of components. (Conversely, a 
"desktop" may have higher power consumption if it has a beefy GPU, and 
older desktops have much higher idle power just like older servers.)




Re: Exim4 as a smarthost : Unrouteable address

2019-08-07 Thread Dan Purgert

rudu wrote:
> Hi all,
>
> Until recently my machines running debian testing used to send me 
> e-mails as reports from cron tasks or from LAMP applications.
> This is not working anymore.
> I did of course a dpkg-reconfigure exim4-config to get this 
> /etc/exim4/update-exim4.conf.conf file :
> [...]
> # This is a Debian specific file
>
> dc_eximconfig_configtype='satellite'
> dc_other_hostnames='*'

Not sure if it makes a difference or not; but my exim satellite configs
have this entry (dc_other_hostnames) set to the local system's name.

[...]
> dc_smarthost='mail.myprovider.fr::465'

This is another problem I noticed.  My satellite configs simply state
dc_smarthost='mail.djph.net'; without any port configurations.

Here's what I get in a log when sending from a test VM:

2019-08-07 11:25:40 1hvNoq-0007iY-NR <= d...@ironhide.djph.net U=dan
P=local S=471
2019-08-07 11:25:40 1hvNoq-0007iY-NR => d...@djph.net
 R=smarthost T=remote_smtp_smarthost
H=mail.djph.net [192.168.10.55]
X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="CN=djph.net" C="250
2.0.0 Ok: queued as D20325FB0E"
2019-08-07 11:25:40 1hvNoq-0007iY-NR Completed



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
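
Added example, not from any poster in this thread: a Python check that reads an Exim verbose delivery transcript of the kind rudu posted and a main-log "=>" line of the kind Dan posted, and reports the port used, whether TLS was negotiated, whether the client authenticated, and any DNSBL rejection. The sample transcript and log line are constructed (documentation-range addresses, placeholder DNSBL zone), the function names and finding codes are this example's own, and treating port 465 as implicit TLS is an assumption.

```python
import re

# Constructed transcript modelled on Exim `mail -v` output (documentation IPs, placeholder DNSBL zone).
SAMPLE_SESSION = """\
Connecting to mail.example.net [192.0.2.25]:25 ... connected
  SMTP<< 220 mx0.example.net ESMTP Postfix
  SMTP>> EHLO client.example.org
  SMTP<< 250-mx0.example.net
 250-PIPELINING
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250 SMTPUTF8
  SMTP>> MAIL FROM:<user@example.org> SIZE=1490
  SMTP>> RCPT TO:<dest@example.com>
  SMTP>> DATA
  SMTP<< 250 2.1.0 Ok
  SMTP<< 554 5.7.1 Service unavailable; Client host [198.51.100.40] blocked using zen.dnsbl.example; https://dnsbl.example/query/198.51.100.40
  SMTP<< 554 5.5.1 Error: no valid recipients
  SMTP>> QUIT
"""

# Constructed main-log "=>" delivery line using the same fields as the log quoted above.
SAMPLE_DELIVERY = (
    '2019-08-07 11:25:40 1hvXXX-0000AA-BB => user@example.net R=smarthost '
    'T=remote_smtp_smarthost H=mail.example.net [192.0.2.55] '
    'X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="CN=example.net" C="250 2.0.0 Ok"'
)

CONNECT_RE = re.compile(r"^Connecting to (\S+) \[([^\]]+)\]:(\d+) \.\.\. connected")
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
DNSBL_RE = re.compile(r"Client host \[([^\]]+)\] blocked using ([^;\s]+)")

def parse_session(text):
    """Parse one SMTP session from an Exim verbose delivery transcript."""
    s = {"host": None, "ip": None, "port": None,
         "extensions": [], "client_cmds": [], "rejections": []}
    ehlo_lines = None  # None: not inside an EHLO reply; else number of reply lines seen
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            s["host"], s["ip"], s["port"] = m.group(1), m.group(2), int(m.group(3))
            continue
        if line.startswith("SMTP>>"):
            words = line[6:].split()
            verb = words[0].upper() if words else ""
            s["client_cmds"].append(verb)
            ehlo_lines = 0 if verb == "EHLO" else None
            continue
        if line.startswith("SMTP<<"):
            line = line[6:].strip()
        m = REPLY_RE.match(line)
        if not m:
            continue  # LOG:, R:, T: and wrapped continuation lines
        code, sep, rest = m.groups()
        if ehlo_lines is not None and code == "250":
            if ehlo_lines > 0:  # the first 250 line carries the server name, not an extension
                keyword = re.split(r"[ =]", rest, maxsplit=1)[0].upper()
                if keyword and keyword not in s["extensions"]:
                    s["extensions"].append(keyword)
            ehlo_lines = None if sep == " " else ehlo_lines + 1
        elif code[0] in "45":
            hit = DNSBL_RE.search(rest)
            s["rejections"].append(
                {"code": code, "text": rest, "dnsbl": hit.groups() if hit else None})
    return s

def diagnose(s, expected_port=465):
    """Return (code, detail) findings; expected_port is the port the provider requires."""
    findings = []
    # Assumption: port 465 is implicit TLS; on other ports TLS needs an explicit STARTTLS.
    encrypted = s["port"] == 465 or "STARTTLS" in s["client_cmds"]
    if s["port"] != expected_port:
        findings.append(("UNEXPECTED_PORT",
                         "connected to port %s, expected %s" % (s["port"], expected_port)))
    if not encrypted:
        offered = "offered" if "STARTTLS" in s["extensions"] else "not offered"
        findings.append(("CLEARTEXT",
                         "no TLS negotiated; STARTTLS %s by server" % offered))
    if "AUTH" in s["extensions"] and "AUTH" not in s["client_cmds"]:
        findings.append(("NO_AUTH", "server advertises AUTH but the client never authenticated"))
    for r in s["rejections"]:
        if r["dnsbl"]:
            findings.append(("DNSBL_BLOCK", "client IP %s listed in %s" % r["dnsbl"]))
    return findings

def delivery_tls(log_line):
    """Extract the cipher (X=) and certificate verification (CV=) fields of a '=>' log line."""
    x = re.search(r"(?<!\S)X=(\S+)", log_line)
    cv = re.search(r"(?<!\S)CV=(\S+)", log_line)
    return {"cipher": x.group(1) if x else None,
            "cert_verified": (cv.group(1) == "yes") if cv else None}

if __name__ == "__main__":
    for code, detail in diagnose(parse_session(SAMPLE_SESSION)):
        print(code, "-", detail)
    print(delivery_tls(SAMPLE_DELIVERY))
```
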



Trackman Marble under wayland in Buster

2019-08-07 Thread Henning Follmann
Hello,
I just updated to buster and with that comes wayland.
I am using a Trackman marble and I do have a custom
configuration for it to switch to scroll when I hold
button 8 (called "EmulateWheel").
Is there a way to do this under wayland?

here is my previous marblemouse.conf for X:

Section "InputClass"
    Identifier  "Marble Mouse"
    MatchProduct "Logitech USB Trackball"
    MatchIsPointer "on"
    MatchDevicePath "/dev/input/event*"
    Driver "evdev"
    Option "Buttons" "9"
    Option "ButtonMapping" "1 9 3 4 5 6 7 2 8"
    Option "EmulateWheel" "true"
    Option "EmulateWheelButton" "8"
    Option "Emulate3Buttons" "true"
EndSection
#
TIA
-H


-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread G2PC

>> But in the meantime, on the Debian system, the permissions are 1777 on
>> the tmp directories /tmp and /var/tmp
> Note the leading 1, the sticky bit, which means that everyone can create
> a file but that the created file can afterwards only be modified by its
> owner (`man chmod` for the details).
>
>> So why shouldn't the /upload_tmp_dir directory for php also be 1777?
> Everyone must be able to write to /tmp, it is the OS giving you a place
> where you can write, but for php there is no reason for anyone other than
> php to be able to read / write in a directory that is reserved for it.
>
> In general this directory is set to 700 or 750, owned by the user that
> runs php (it depends on your php installation).


I see, thanks for your explanations, that seems logical.
So, in my case, it is www-data that runs PHP, with Apache.

So I create my directory in /var/www/dossier_pour_tmp_php
chown www-data:www-data -R /var/www/dossier_pour_tmp_php/

chmod 750 -R /var/www/dossier_pour_tmp_php

( Or possibly 1750 ? )

Does that seem acceptable as a configuration? But then, what about
Joomla throwing an error that makes the page inaccessible?
I go to my domain, the Joomla site no longer loads and displays Error
However, other content is accessible ( domaine.ext/phpsecinfo/ )

Same if I set it to 755.
The site only works if I set the permissions to 777

After testing, I realise that I was mistaken! The temporary directory
was owned by root:root

Now it is correctly owned by www-data:www-data with 750 and the Joomla
site is accessible!


However, from phpsecinfo I still get the message in orange, which
considers the conditions not met:

Notice
upload_tmp_dir is disabled, or is set to a common world-writable
directory. This typically allows other users on this server to access
temporary copies of files uploaded via your PHP scripts. You should set
upload_tmp_dir to a non-world-readable directory

Current Value:  /var/www/dossier_pour_tmp_php (0750)
Recommended Value:  A non-world readable/writable directory


For that, if you use PHP and you think your configuration works, please
test this script, you just have to download it
https://github.com/ZerooCool/phpsecinfo/tree/phpsecinfo-zeroocool-v0.2.1

The test is performed at line 71:
https://github.com/ZerooCool/phpsecinfo/blob/phpsecinfo-zeroocool-v0.2.1/20070406-phpsecinfo-v0.2.1/PhpSecInfo/Test/Core/upload_tmp_dir.php

Thanks for your opinions.
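
Added example, not part of the thread and not phpsecinfo's own test: a Python audit of a directory meant to be private to one service account, run over the modes discussed above (1777, 0750, 0700) and over the wrong-owner case. The function names, finding codes and the extra group member `deploy` are hypothetical.

```python
import os
import stat
import tempfile


def supplementary_members(gid):
    """Accounts listed as members of the group (Unix only). Users whose
    primary group is gid do not appear in gr_mem and need a separate check."""
    import grp
    return list(grp.getgrgid(gid).gr_mem)


def audit_private_dir(path, owner_uid, other_group_members=None):
    """Return (code, detail) findings for a directory only owner_uid should use."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [("NOT_A_DIRECTORY", path)]
    mode = stat.S_IMODE(st.st_mode)
    if other_group_members is None:
        other_group_members = supplementary_members(st.st_gid)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(("OWNER_MISMATCH",
                         "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
    if mode & stat.S_IWOTH:
        sticky = "with" if mode & stat.S_ISVTX else "without"
        findings.append(("WORLD_WRITABLE",
                         "any user can create files (%s sticky bit)" % sticky))
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(("WORLD_ACCESSIBLE", "any user can list or enter the directory"))
    if mode & stat.S_IRWXG:
        who = ", ".join(sorted(other_group_members)) or "no supplementary members listed"
        findings.append(("GROUP_ACCESS", "group bits %o set; group members: %s"
                         % ((mode & stat.S_IRWXG) >> 3, who)))
    return findings


def demo():
    """Audit one scratch directory under each mode discussed in the thread."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o1777, 0o750, 0o700):
            os.chmod(d, mode)
            # "deploy" is a hypothetical second account in the directory's group
            results["%04o" % mode] = [
                code for code, _ in audit_private_dir(d, os.getuid(), ["deploy"])]
        # The root:root mistake, simulated by expecting a different owner
        results["wrong owner"] = [
            code for code, _ in audit_private_dir(d, os.getuid() + 1, [])]
    return results


if __name__ == "__main__":
    for label, codes in demo().items():
        print(label, codes or "no findings")
```
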



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Nimrod
On Aug 7, 2019 11:38, Nektarios Katakis wrote:
> On Wed, 07 Aug 2019 10:42:09 +0200
> Nimrod wrote:
>
> > Hi,
> >
> > my (very old) laptop has been working like a charm until I updated
> > from Stretch to Buster. Among the other, the issue in the subject is
> > very relevant for me.
> >
> > Here is what happens when I turn on wi-fi hotspot on Nokia 3
> > smartphone (Android up to date):
> >
> > 1) any smartphone or tablet in the family can connect to my Nokia 3
> > hotspot.
> >
> > 2) my laptop can connect at least to a tablet hotspot (the tablet has
> > a rather old Android version, I guess 6 or even less, and it cannot be
> > updated); also, my laptop finds a lot of wi-fi networks around
> > (currently I'm in a building in the small town of Anzio, Italy, but
> > almost every corner of the town is full of wi-fi networks)
> >
> > 3) my laptop cannot even see any hotspot provided by a Nokia 3
> > smartphone with Android up to date; we have three of them, and I
> > checked every one of them: they all can be used by the tablet in
> > point 2) above, and none of them are even found by my laptop.
> >
> > It seems there is something wrong with my laptop and Nokia 3 when they
> > try to communicate. Currently I'm still using my Nokia 3 as a modem
> > via Bluetooth, but the connection is rather slow. When the wi-fi
> > hotspot was working the speed was much higher.
> >
> > Some data:
> >
> > - the laptop is a HP 6730s, quite slow but incredibly robust; Buster
> > is up to date
> > - all the Nokia 3 have Android 9 July update
> >
> > Thanks in advance for any hint.
>
> A good place to check your wireless issues is the excellent wifi howto
> page from debian docs https://wiki.debian.org/WiFi/HowToUse.

I'll certainly take a look at it.

> You're not mentioning what software you're using to connect to wifi.

Just Gnome Shell interface, which I guess is just a GUI for Network Manager. From the right upper corner of the screen I can look at all wifi networks available. There are many, my wife's tablet hotspot immediately appears if turned on, but none of our three Nokia 3 even appears there when hotspot is turned on, not even after many many minutes. But my wife's tablet immediately connects to any of the Nokia 3 hotspot. So does her Alcatel smartphone, a very low level device. Ah, the laptop even connects without problem at all with my wife's Alcatel hotspot.

> For your case I would check 2 things: 1) `dmesg` output to check if you
> see any errors from your network card driver or if it's loaded correctly.

I definitely exclude any problems with the network card driver, because it perfectly works with many other wifi devices, as I told above. Nevertheless I'll follow your suggestion as soon as I come back home.

> 2) The output of `iwlist scan` to see if the network you're looking
> for is detected from the hardware.

This is interesting, I didn't know this command. It would be rather strange if the hotspot is shown by the above command but not by Network Manager. Thanks a lot.

> Regards
>
> --
> Nektarios Katakis




Re: Server hardware advice.

2019-08-07 Thread deloptes
Michael Stone wrote:

> Newer server hardware is much more power efficient and will draw very
> little power when idle. This is one of the drawbacks to saving money by
> using old hardware. (You can still use old hardware, just be sure it's
> new enough that it's from the era when power efficiency became a thing.)

I am not sure who you are answering to. I recently looked at HP DL360 and
DL380 Gen10. Yes indeed they are more power efficient compared to Gen9 in
terms they provide more calculation cycles for the same power, but this can
not be compared to a PC.



Re: Server hardware advice.

2019-08-07 Thread Michael Stone

On Wed, Aug 07, 2019 at 04:53:52PM +0200, deloptes wrote:

Years ago I built one to serve our needs at home. It has 4 virtual CPU and
32GB RAM - it uses 85Watt of power when not under load and it goes to above
100 if I compile software on it. It uses 10Watt more if I run a virtual
machine (virtual box or vmware - I do not test containers, but I assume
this will add overhead). 


Newer server hardware is much more power efficient and will draw very 
little power when idle. This is one of the drawbacks to saving money by 
using old hardware. (You can still use old hardware, just be sure it's 
new enough that it's from the era when power efficiency became a thing.)




Re: Server hardware advice.

2019-08-07 Thread deloptes
Steven Mainor wrote:

> I would like to keep the budget under $500 not including the hard drive(s)
> I already have drives. Less is better.

When I read server hardware I understand also server hardware. It has many
CPUs a lot of ram, redundant power supply etc. It consumes a lot of power
and costs a lot.
For under 500 you can not get any of this and for your use case you do not
need this as well.

Years ago I built one to serve our needs at home. It has 4 virtual CPU and
32GB RAM - it uses 85Watt of power when not under load and it goes to above
100 if I compile software on it. It uses 10Watt more if I run a virtual
machine (virtual box or vmware - I do not test containers, but I assume
this will add overhead). The disks (I have 8) use also 3-5Watt each. Buying
newer - larger disks, pays off, but it is insignificant what you save on
power per year, most is burned by the CPU, so choose CPU and mainboard
carefully.
Unless you do not have to, avoid virtualization - it costs more energy.

I hope this helps




Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Andrea Giuliano
On Aug 7, 2019 16:15, Curt wrote:
> On 2019-08-07, Nimrod wrote:
> >
> >
> > It seems there is something wrong with my laptop and Nokia 3 when they
> > try to communicate. Currently I'm still using my Nokia 3 as a modem via
> >
> > Thanks in advance for any hint.
> >
>
> I really have no idea, but I was just reading that if it's a 5 ghz
> hotspot you've created, an older device might not be able to see it.

I thought so too, but my hotspot is 2.4 GHz, and I can't even change that.

> --
> “We are all in the gutter, but some of us are looking at the stars.”
> ― Oscar Wilde, Lady Windermere's Fan






Re: Where do I find the Debian CAs?

2019-08-07 Thread Dan Ritter
Stephan Seitz wrote: 
> On Di, Aug 06, 2019 at 06:57:51 -0400, Dan Ritter wrote:
> > Stephan Seitz wrote:
> > > I’ve noticed that the Debian mailing list server is offering a
> > > certificate as a client:
> > > Client CN „clientcerts/bendel.debian.org”, Issuer „Debian SMTP CA”
> > > 
> > > I can’t verify it because I can’t find the CA. There doesn’t seem to be a
> > > package with internal CAs.
> > > 
> > > Where can I find them?
> > 
> > dpkg -S /etc/ssl/certs
> > will show you:
> > ssl-cert, ca-certificates, openssl
> 
> I think there is a misunderstanding. I know about /etc/ssl/certs, but there
> isn’t a Debian SMTP CA.
> 
> So I would like to know where I can download this CA (or others as well) and
> then put them in /etc/ssl/certs.

Ah. You can't.

Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Certificate 1 of 2 in chain: Cert VALIDATION ERROR(S): self signed certificate in certificate chain
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (bendel.debian.org = bendel.debian.org)
Not Valid Before: Apr  1 11:07:15 2019 GMT
Not Valid After: Mar 31 11:07:15 2020 GMT
subject= /C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=bendel.debian.org
issuer= /C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA
Certificate 2 of 2 in chain: Cert VALIDATION ERROR(S): self signed certificate in certificate chain
So email is encrypted but the recipient domain is not verified
Not Valid Before: Mar 31 12:54:52 2019 GMT
Not Valid After: Mar 28 12:54:52 2029 GMT
subject= /C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA
issuer= /C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA

That's a self-signed cert. Note that it's from Ankh Morpork, a
city on the Discworld. You can't verify that, and they don't
expect you to be able to do so.

-dsr-



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Curt
On 2019-08-07, Nimrod  wrote:
>
>
> It seems there is something wrong with my laptop and Nokia 3 when they
> try to communicate. Currently I'm still using my Nokia 3 as a modem via
>
> Thanks in advance for any hint.
>

I really have no idea, but I was just reading that if it's a 5 GHz
hotspot you've created, an older device might not be able to see it.

-- 
“We are all in the gutter, but some of us are looking at the stars.” 
― Oscar Wilde, Lady Windermere's Fan



Exim4 as a smarthost : Unrouteable address

2019-08-07 Thread rudu

Hi all,

Until recently my machines running debian testing used to send me 
e-mails as reports from cron tasks or from LAMP applications.

This is not working anymore.
I did of course a dpkg-reconfigure exim4-config to get this 
/etc/exim4/update-exim4.conf.conf file :

[...]
# This is a Debian specific file

dc_eximconfig_configtype='satellite'
dc_other_hostnames='*'
dc_local_interfaces='127.0.0.1;192.168.0.20'
dc_readhost='example.org'
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/24'
dc_smarthost='mail.myprovider.fr::465'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

But here is an attempt to actually send a mail :

~$ echo 'Hello there !!' | mail my.n...@domain.org -s Test13 -v
LOG: MAIN
  <= j...@example.org U=jean P=local S=453
jean@poste1:~$ delivering 1hvLI6-0001yn-GI
R: system_aliases for my.n...@domain.org
LOG: MAIN
  ** my.n...@domain.org: Unrouteable address
LOG: MAIN
  <= <> R=1hvLI6-0001yn-GI U=Debian-exim P=local S=1668
delivering 1hvLI6-0001yp-Kr
R: system_aliases for j...@example.org
R: hub_user for j...@example.org
R: system_aliases for j...@example.org
R: hub_user_smarthost for j...@example.org
T: remote_smtp_smarthost for j...@example.org
LOG: MAIN
  Completed
LOG: retry_defer MAIN
  == j...@example.org R=hub_user_smarthost T=remote_smtp_smarthost defer (-53): retry time not reached for any host for 'example.org'


I keep getting this "Unrouteable address" whatever address I try to 
write to, addresses that do receive mail via Thunderbird.
Thunderbird is also successfully using the SMTP server credentials I 
feed exim4 with ...


I must be missing something obvious here but I'm completely in the dark.

Thanks for any help,
Rudu




Re: Server hardware advice.

2019-08-07 Thread mick crane

On 2019-08-07 11:13, Nektarios Katakis wrote:

On Wed, 07 Aug 2019 02:08:30 -0400
Steven Mainor  wrote:


You are correct. That was an oversight.

Of all the items on that page I could probably afford the screwdriver
and the heatsinks.

I would like to keep the budget under $500 not including the hard
drive(s) I already have drives. Less is better. --
Steven Mainor

On August 7, 2019 1:52:15 AM EDT, Richard Hector
 wrote:
>On 7/08/19 5:29 PM, Steven Mainor wrote:
>> Hi all,
>>
>> I'm looking for advice on how to build a home server with a primary focus on
>> security. I plan to run nextcloud and a mail server that will serve 3 to 5
>> people at most.
>>
>> My requirements are:
>>
>> A server setup that can be run with completely open source software and
>> doesn't require any binaries to boot. I don't trust anything closed source for
>> this particular project.
>>
>> A gigabit ethernet port.
>>
>> A USB3.0 port or SATA connector to attach storage to.
>>
>> Enough processor power and ram to run nextcloud and the mail server from an
>> encrypted hard drive (LUKS) efficiently with moderate throughput saving and
>> reading files from nextcloud.
>>
>> I would just build something x86 based but the amd/intel Platform Security
>> Processor/IME stuff makes me nervous.
>>
>> So far I have been looking at single board computers like the ones listed
>> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
>>
>> I like the OLinuXino A20 LIME2 but I am not sure the processor will be enough
>> to handle the overhead from an encrypted hard drive. I also don't like that it
>> is only 32-bit since that will limit the file size nextcloud can handle as I
>> understand it.
>>
>> Is there anything similar to the OLinuXino A20 LIME2 but more powerful or is
>> there a better option I haven't read about yet?
>
>You haven't mentioned a budget, but strong emphasis on security and
>openness ...
>
>https://www.raptorcs.com/TALOSII/ ?
>
>Richard


I have a similar home setup and have to say that with the mail service
and seafile server (and a few smaller services) running in docker the
setup the PC is already consuming 1G of ram. I'm using an old PC. I
wouldn't suggest a less powerful box as you will run out of ram.
If you need fanless check out an Intel NUC. Debian should run fine with
it although I think it will need some drivers from the non-free repos.

Regards,


I use old Lenovos which are quiet and so cheap (20UKP) you can have one 
for each job.

Don't bother with cloud but scp files about.
Don't know how the webmail would manage with multiple connections.

mick
--
Key ID4BFEBB31



Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread Daniel Caillibaud
On 07/08/19 at 13:38, G2PC  wrote:
> But, in the meantime, on the Debian system, the permissions are 1777 on
> the tmp directories /tmp and /var/tmp

Note the leading 1, the sticky bit, which means that everyone can create a file
but the created file can afterwards only be modified by its owner (`man chmod`
for the details).

> So why shouldn't the /upload_tmp_dir directory for php be 1777
> as well?

Everyone must be able to write to /tmp, it's the OS giving you a place where
you can write, but for php there is no reason for anyone other than php to be
able to read / write in a directory that is reserved for it.

Usually this directory is set to 700 or 750, with the user that runs php as its
owner (that depends on your php installation).

-- 
Daniel

A successful man is one who makes more money
than his wife can spend. And a successful woman is
one who has found such a man.
Lana Turner



Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread G2PC


On 07/08/2019 at 13:13, Daniel Caillibaud wrote:
> On 07/08/19 at 12:49, G2PC  wrote:
>>>> First of all, I would really like to find information on what,
>>>> officially, a so-called "A non-world readable/writable
>>>> directory" is.
>>>> It's a directory in which not everyone can read/write, so
>>>> a chmod xx1 at most.
>>>>
>>>> drwxrwx--x
>>>>  ^^^ the owner can read / write / enter
>>>>     ^^^ the group can read / write / enter
>>>>        ^^^ others cannot read / write, only enter
>> - So you have to do a chmod 700 or 750 or whatever you want but with xxy
>> where y is 0 or 1
>> Daniel Caillibaud
>>
>> - Try `chmod 407` on the temporary directory.
> And to settle it => `man chmod`
>
>
> A 407 shouldn't work, since the owner could no longer enter
> the directory
> while anyone else could enter, read and write…
>
> And it seems odd to deny all permissions to the group and
> grant them to everyone, but you can do that precisely to give
> "all permissions except
> for one group".
>
> I think jm was thinking of the mask, the complement: a mask of 407
> would give a chmod 370,
> which is odd (fewer permissions for the owner than for the group) but would
> be in line with the
> initial request not to have "world writable".
>
>> One thing is certain: if the permissions on /tmp_upload
>> for "others" are not equal to 7, Joomla yells at me with an
>> error message. I can then no longer browse the Joomla CMS.
> So Joomla isn't compatible with minimal security settings, but
> that's not
> news :-D (it still surprises me, but you see all sorts every
> day)
>
> Because that 7 means precisely rwx for "other", so everyone can
> read/write/enter

But, in the meantime, on the Debian system, the permissions are 1777 on
the tmp directories /tmp and /var/tmp
So why shouldn't the /upload_tmp_dir directory for php be 1777
as well?



Re: pathological slowness

2019-08-07 Thread Daniel Caillibaud
On 05/08/19 at 19:59, hamster  wrote:
> From time to time the processor gets stuck at 800 MHz, and it's at those
> moments that it is particularly slow. Yet all the
> temperatures are below 60 °C.

Then maybe you have something that switches your processor into power-saving
mode,
look in the power settings.

Or else it's a BIOS or OS setting that switches it into that mode when the
battery is
low…

-- 
Daniel

Man is imperfect, but that is not surprising when you think of
the era in which he was created.
Alphonse Allais



Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread Daniel Caillibaud
On 07/08/19 at 12:49, G2PC  wrote:
> >> First of all, I would really like to find information on what,
> >> officially, a so-called "A non-world readable/writable
> >> directory" is.
> 
> >> It's a directory in which not everyone can read/write, so
> >> a chmod xx1 at most.
> >>
> >> drwxrwx--x
> >>  ^^^ the owner can read / write / enter
> >>     ^^^ the group can read / write / enter
> >>        ^^^ others cannot read / write, only enter
> 
> - So you have to do a chmod 700 or 750 or whatever you want but with xxy
> where y is 0 or 1
> Daniel Caillibaud 
> 
> - Try `chmod 407` on the temporary directory.
> jm
> 
> Well, in the end, you contradict each other, and that reassures me a little,

All the better, it's a very good illustration of the adage "NEVER run a
command you read somewhere
without understanding what it does!"

And to settle it => `man chmod`


A 407 shouldn't work, since the owner could no longer enter
the directory
while anyone else could enter, read and write…

And it seems odd to deny all permissions to the group and
grant them to everyone, but you can do that precisely to give "all
permissions except
for one group".

The rule is fairly simple: for a chmod xyz, x gives the owner's permissions, y
the group's
and z those for everyone else. Permissions are combined by adding
4 : r / read
2 : w / write; for a directory that means being able to
rename/delete it or
create a file/directory in it
1 : x / execute; for a directory that means being able to enter it

so here the 407 gives:
4 : r-- for the owner
0 : --- for the group
7 : rwx for everyone else

I think jm was thinking of the mask, the complement: a mask of 407
would give a chmod 370,
which is odd (fewer permissions for the owner than for the group) but would
be in line with the
initial request not to have "world writable".

> One thing is certain: if the permissions on /tmp_upload
> for "others" are not equal to 7, Joomla yells at me with an
> error message. I can then no longer browse the Joomla CMS.

So Joomla isn't compatible with minimal security settings, but
that's not
news :-D
(it still surprises me, but you see all sorts every day)

Because that 7 means precisely rwx for "other", so everyone can
read/write/enter

-- 
Daniel

To learn, for Socrates, is to remember what one has forgotten.
Plato
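
The digit rule and the mask complement described in this message, as an added example in Python (not part of the original post; the function names are illustrative). It decodes the modes discussed in the thread, flags those that expose a PHP upload directory to "other", and applies one to a scratch directory to confirm what the kernel reports.

```python
import os
import stat
import tempfile

# Modes mentioned in the thread (octal), with the context they came up in.
THREAD_MODES = {
    0o700: "owner only",
    0o750: "owner, plus group read/enter",
    0o771: "the drwxrwx--x illustration",
    0o407: "jm's suggestion",
    0o1777: "/tmp and /var/tmp",
}


def symbolic(mode):
    """Render a directory mode the way `ls -l` shows it, e.g. 0o771 -> drwxrwx--x."""
    return stat.filemode(stat.S_IFDIR | mode)


def mode_from_umask(mask, base=0o777):
    """Mode a new directory gets when created under `mask` (the complement)."""
    return base & ~mask


def audit(mode):
    """Return the reasons `mode` is unsuitable for a private upload directory."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if not mode & stat.S_IXUSR:
        findings.append("owner cannot enter")
    if not mode & stat.S_IWUSR:
        findings.append("owner cannot create files")
    return findings


def audit_path(path):
    """Audit the permission bits of an existing directory."""
    return audit(stat.S_IMODE(os.stat(path).st_mode))


def apply_and_audit(mode):
    """chmod a scratch directory to `mode`, audit what stat() reports, clean up."""
    path = tempfile.mkdtemp(prefix="upload_tmp_demo_")
    try:
        os.chmod(path, mode)
        return audit_path(path)
    finally:
        os.chmod(path, 0o700)  # restore access so the directory can be removed
        os.rmdir(path)


if __name__ == "__main__":
    for mode, label in THREAD_MODES.items():
        print(f"{mode:04o} {symbolic(mode)} {label}: {audit(mode) or 'ok'}")
    print(f"umask 407 -> chmod {mode_from_umask(0o407):03o}")
```

1777 is flagged because the sticky bit only restricts who may delete or rename entries; other users can still list the directory and create files in it.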



Re: Server hardware advice.

2019-08-07 Thread Reco
Hi.

On Wed, Aug 07, 2019 at 05:58:57AM -0400, Steven Mainor wrote:
> Thanks for the reply. Those seem like options to consider. The
> pre-orders for the helios4 seem to be sold out for now. 

They are currently at fourth "campaign", i.e. they're manufacturing a
fourth batch. Supply is limited (they produce like a thousand boards per
batch), your best bet is a preorder (I got mine at their second
"campaign").

Hopefully they do fifth.

Reco



Re: How to - set upload_tmp_dir to a non-world-readable directory

2019-08-07 Thread G2PC


>> First of all, I would really like to find information on what,
>> officially, a so-called "A non-world readable/writable
>> directory" is.

>> It's a directory in which not everyone can read/write, so a
>> chmod xx1 at most.
>>
>> drwxrwx--x
>>  ^^^ the owner can read / write / enter
>>     ^^^ the group can read / write / enter
>>        ^^^ others cannot read / write, only enter

- So you have to do a chmod 700 or 750 or whatever you want but with xxy where
y is 0 or 1
Daniel Caillibaud 

- Try `chmod 407` on the temporary directory.
jm

Well, in the end, you contradict each other, and that reassures me a little: it
doesn't seem obvious to everyone. An "A non-world readable/writable
directory " One thing is certain: if the permissions on /tmp_upload
for "others" are not equal to 7, Joomla yells at me with an
error message. I can then no longer browse the Joomla CMS.
The suggestion to use 407 might be more suitable; I haven't
tested it yet. In any case, I invite PHP users to
test this script:
https://github.com/ZerooCool/phpsecinfo/tree/phpsecinfo-zeroocool-v0.2.1
It is the official version of PhpSecInfo, improved to include
phpinfo() and Unix line endings in the files. Just a wget on
your server, to see what it tells you about the permissions granted to
this Upload_tmp directory. See whether, as a result, you are in the green or not? The
first one to go green, with no error message, wins a beer.




Re: Server hardware advice.

2019-08-07 Thread Jonas Smedegaard
Quoting Steven Mainor (2019-08-07 12:04:35)
> Perhaps you are right about usb 2.0. And the Olimex A64-OLinuXino does 
> seem like a solid option otherwise.
> 
> I wasn't able to verify which usb the Olimex A64-OLinuXino had. It 
> didn't specifically say on the specs page. And the github link for the 
> schematic seems to be broken.
> 
> https://github.com/OLIMEX/OLINUXINO/blob/master/HARDWARE/A64-OLinuXino/A64-OlinuXino_Rev_C.pdf

They reorganized and updated that git.  Try step back to 
https://github.com/OLIMEX/OLINUXINO/tree/master/HARDWARE/A64-OLinuXino

See also https://linux-sunxi.org/Olimex_A64-OLinuXino


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Server hardware advice.

2019-08-07 Thread Nektarios Katakis
On Wed, 07 Aug 2019 02:08:30 -0400
Steven Mainor  wrote:

> You are correct. That was an oversight.
> 
> Of all the items on that page I could probably afford the screwdriver
> and the heatsinks.
> 
> I would like to keep the budget under $500 not including the hard
> drive(s) I already have drives. Less is better. --
> Steven Mainor
> 
> On August 7, 2019 1:52:15 AM EDT, Richard Hector
>  wrote:
> >On 7/08/19 5:29 PM, Steven Mainor wrote:
> >> Hi all,
> >>
> >> I'm looking for advice on how to build a home server with a primary focus on
> >> security. I plan to run nextcloud and a mail server that will serve 3 to 5
> >> people at most.
> >>
> >> My requirements are:
> >>
> >> A server setup that can be run with completely open source software and
> >> doesn't require any binaries to boot. I don't trust anything closed source for
> >> this particular project.
> >>
> >> A gigabit ethernet port.
> >>
> >> A USB3.0 port or SATA connector to attach storage to.
> >>
> >> Enough processor power and ram to run nextcloud and the mail server from an
> >> encrypted hard drive (LUKS) efficiently with moderate throughput saving and
> >> reading files from nextcloud.
> >>
> >> I would just build something x86 based but the amd/intel Platform Security
> >> Processor/IME stuff makes me nervous.
> >>
> >> So far I have been looking at single board computers like the ones listed
> >> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
> >>
> >> I like the OLinuXino A20 LIME2 but I am not sure the processor will be enough
> >> to handle the overhead from an encrypted hard drive. I also don't like that it
> >> is only 32-bit since that will limit the file size nextcloud can handle as I
> >> understand it.
> >>
> >> Is there anything similar to the OLinuXino A20 LIME2 but more powerful or is
> >> there a better option I haven't read about yet?
> >
> >You haven't mentioned a budget, but strong emphasis on security and
> >openness ...
> >
> >https://www.raptorcs.com/TALOSII/ ?
> >
> >Richard  

I have a similar home setup and have to say that with the mail service
and seafile server (and a few smaller services) running in docker the
setup the PC is already consuming 1G of ram. I'm using an old PC. I
wouldn't suggest a less powerful box as you will run out of ram.
If you need fanless check out an Intel NUC. Debian should run fine with
it although I think it will need some drivers from the non-free repos.

Regards,
-- 
Nektarios Katakis



Re: Server hardware advice.

2019-08-07 Thread Steven Mainor
Perhaps you are right about usb 2.0. And the Olimex A64-OLinuXino does seem 
like a solid option otherwise.

I wasn't able to verify which usb the Olimex A64-OLinuXino had. It didn't 
specifically say on the specs page. And the github link for the schematic seems 
to be broken. 

https://github.com/OLIMEX/OLINUXINO/blob/master/HARDWARE/A64-OLinuXino/A64-OlinuXino_Rev_C.pdf
--
Steven Mainor

On August 7, 2019 4:21:25 AM EDT, Jonas Smedegaard  wrote:
>Quoting Reco (2019-08-07 08:53:52)
>> On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
>> > I'm looking for advice on how to build a home server with a primary
>> > focus on security. I plan to run nextcloud and a mail server that
>> > will serve 3 to 5 people at most.
>> > 
>> > My requirements are:
>> > 
>> > A server setup that can be run with completely open source software
>> > and doesn't require any binaries to boot. I don't trust anything
>> > closed source for this particular project.
>> > 
>> > A gigabit ethernet port.
>> > 
>> > A USB3.0 port or SATA connector to attach storage to.
>> > 
>> > Enough processor power and ram to run nextcloud and the mail server
>> > from an encrypted hard drive (LUKS) efficiently with moderate
>> > throughput saving and reading files from nextcloud.
>> 
>>  These fit all your requirements (i.e. it'll run stock buster kernel 
>> without any additional firmware):
>> 
>> Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
>> GnuBee - [2]. 6 SATA ports attached to PCI-E.
>> Odroid HC2 - [3]. Single SATA port, attached to USB bus.
>
>No powerful computers exist today completely without non-free parts:
>Since you point to Open Source Hardware below, beware that none of above
>devices are OSHWA certified: https://certification.oshwa.org/list.html -
>if however your freedom concerns are limited to _software_ parts then it
>is easier: Look for boards supported in mainline Linux and u-boot, and
>supported in Debian!
>
>Disregarding OSHW I agree that above options are good highlights. 
>Additionally I suggest Olimex A64-Olinuxino and ESPRESSObin, both 
>(unlike above options) known to be mainlined and work with Debian 
>Buster.
>
>Personally, for hosting mail + Nextcloud for a small team I would 
>tolerate USB2.0 and use the OSHWA certified board Olimex A64-Olinuxino.
>
>Only for heavy professional demands (e.g. an advertising agency pushing
>big files across a LAN all the time) I would use a Helios4.
>
>
>> > So far I have been looking at single board computers like the ones 
>> > listed here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
>
>Happy to see that list being of use beyond the FreedomBox project and my
>own competing https://solidbox.org/ :-)
>
>Please note that above list is limited to more consumer-oriented devices
>than your spec needs - e.g. must be sold with a proper case and be
>cheaper than you tolerate.
>
>
>> That list is outdated somewhat. But it gave me good ideas back in the
>> day.
>
>Care to elaborate?
>
>
> - Jonas
>
>-- 
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
> [x] quote me freely  [ ] ask before reusing  [ ] keep private


Re: Server hardware advice.

2019-08-07 Thread Steven Mainor
Thanks for the reply. Those seem like options to consider. The pre-orders for 
the helios4 seem to be sold out for now. 
--
Steven Mainor

On August 7, 2019 2:53:52 AM EDT, Reco  wrote:
>On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
>> Hi all,
>> 
>> I'm looking for advice on how to build a home server with a primary focus on
>> security. I plan to run nextcloud and a mail server that will serve 3 to 5
>> people at most.
>>
>> My requirements are:
>>
>> A server setup that can be run with completely open source software and
>> doesn't require any binaries to boot. I don't trust anything closed source for
>> this particular project.
>>
>> A gigabit ethernet port.
>>
>> A USB3.0 port or SATA connector to attach storage to.
>>
>> Enough processor power and ram to run nextcloud and the mail server from an
>> encrypted hard drive (LUKS) efficiently with moderate throughput saving and
>> reading files from nextcloud.
>
> These fit all your requirements (i.e. it'll run stock buster kernel
>without any additional firmware):
>
>Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
>GnuBee - [2]. 6 SATA ports attached to PCI-E.
>Odroid HC2 - [3]. Single SATA port, attached to USB bus.
>
>
>> So far I have been looking at single board computers like the ones listed
>> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
>
>That list is outdated somewhat. But it gave me good ideas back in the
>day. 
>
>Reco
>
>[1] https://kobol.io/
>[2] http://gnubee.org/
>[3] https://www.hardkernel.com/shop/odroid-hc2-home-cloud-two/


Re: Where do I find the Debian CAs?

2019-08-07 Thread Stephan Seitz

On Di, Aug 06, 2019 at 06:57:51 -0400, Dan Ritter wrote:
> Stephan Seitz wrote:
> > I’ve noticed that the Debian mailing list server is offering
> > a certificate as a client:
> > Client CN „clientcerts/bendel.debian.org”, Issuer „Debian SMTP CA”
> >
> > I can’t verify it because I can’t find the CA. There doesn’t seem to be a
> > package with internal CAs.
> >
> > Where can I find them?
>
> dpkg -S /etc/ssl/certs
> will show you:
> ssl-cert, ca-certificates, openssl

I think there is a misunderstanding. I know about /etc/ssl/certs, but 
there isn’t a Debian SMTP CA.

So I would like to know where I can download this CA (or others as well) 
and then put them in /etc/ssl/certs.


Stephan

--
| If your life was a horse, you'd have to shoot it.   |



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Andrea Giuliano
On Aug 7, 2019 11:14, Jonas Smedegaard  wrote:
> Quoting Nimrod (2019-08-07 10:42:09)
> > my (very old) laptop has been working like a charm until I updated
> > from Stretch to Buster. Among the other, the issue in the subject is
> > very relevant for me.
> >
> > Here is what happens when I turn on wi-fi hotspot on Nokia 3
> > smartphone (Android up to date):
> >
> > 1) any smartphone or tablet in the family can connect to my Nokia 3
> > hotspot.
> >
> > 2) my laptop can connect at least to a tablet hotspot (the tablet has
> > a rather old Android version, I guess 6 or even less, and it cannot be
> > updated); also, my laptop finds a lot of wi-fi networks around
> > (currently I'm in a building in the small town of Anzio, Italy, but
> > almost every corner of the town is full of wi-fi networks)
> >
> > 3) my laptop cannot even see any hotspot provided by a Nokia 3
> > smartphone with Android up to date; we have three of them, and I
> > checked everyone one of them: they all can be used by the tablet in
> > point 2) above, and none of them are even found by my laptop.
> >
> > It seems there is something wrong with my laptop and Nokia 3 when they
> > try to communicate. Currently I'm still using my Nokia 3 as a modem
> > via Bluetooth, but the connection is rather slow. When the wi-fi
> > hotspot was working the speed was much higher.
> >
> > Some data:
> >
> > - the laptop is a HP 6730s, quite slow but incredibly robust; Buster
> > is up to date
> > - all the Nokia 3 have Android 9 July update
> >
> > Thanks in advance for any hint.
>
> Perhaps your hotspot uses insecure encryption rejected by modern
> systems?
>
> Some encryption (e.g. WEP) is so insecure that it is practically
> useless: If you cannot upgrade then consider turning off encryption
> altogether and see if that works.

Thanks, Jonas, but the encryption provided by Nokia 3 hotspot is WPA2, and
it works perfectly with many client devices, except for my laptop.
Since I upgraded to Buster, it worked for a while, but some days ago it
stopped working.
I repeat, it doesn't work with my laptop only, and my laptop can't connect
with Nokia 3 hotspots only.
This is rather weird.
Best regards.

>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Nektarios Katakis
On Wed, 07 Aug 2019 10:42:09 +0200
Nimrod  wrote:

> Hi,
> 
> my (very old) laptop has been working like a charm until I updated
> from Stretch to Buster. Among the other, the issue in the subject is
> very relevant for me.
> 
> Here is what happens when I turn on wi-fi hotspot on Nokia 3
> smartphone (Android up to date):
> 
> 1) any smartphone or tablet in the family can connect to my Nokia 3
> hotspot.
> 
> 2) my laptop can connect at least to a tablet hotspot (the tablet has
> a rather old Android version, I guess 6 or even less, and it cannot be
> updated); also, my laptop finds a lot of wi-fi networks around
> (currently I'm in a building in the small town of Anzio, Italy, but
> almost every corner of the town is full of wi-fi networks)
> 
> 3) my laptop cannot even see any hotspot provided by a Nokia 3
> smartphone with Android up to date; we have three of them, and I
> checked everyone one of them: they all can be used by the tablet in
> point 2) above, and none of them are even found by my laptop.
> 
> It seems there is something wrong with my laptop and Nokia 3 when they
> try to communicate. Currently I'm still using my Nokia 3 as a modem
> via Bluetooth, but the connection is rather slow. When the wi-fi
> hotspot was working the speed was much higher.
> 
> Some data:
> 
> - the laptop is a HP 6730s, quite slow but incredibly robust; Buster
> is up to date
> - all the Nokia 3 have Android 9 July update
> 
> Thanks in advance for any hint.
> 
> 

A good place to check your wireless issues is the excellent wifi howto
page from debian docs https://wiki.debian.org/WiFi/HowToUse.

You're not mentioning what software you're using to connect to wifi.

For your case I would check 2 things: 1) `dmesg` output to check if you
see any errors from your network card driver or if it's loaded correctly.
2) The output of `iwlist scan` to see if the network you're looking
for is detected from the hardware.

Regards

-- 
Nektarios Katakis



Re: Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Jonas Smedegaard
Quoting Nimrod (2019-08-07 10:42:09)
> my (very old) laptop has been working like a charm until I updated 
> from Stretch to Buster. Among the other, the issue in the subject is 
> very relevant for me.
> 
> Here is what happens when I turn on wi-fi hotspot on Nokia 3 
> smartphone (Android up to date):
> 
> 1) any smartphone or tablet in the family can connect to my Nokia 3 
> hotspot.
> 
> 2) my laptop can connect at least to a tablet hotspot (the tablet has 
> a rather old Android version, I guess 6 or even less, and it cannot be 
> updated); also, my laptop finds a lot of wi-fi networks around 
> (currently I'm in a building in the small town of Anzio, Italy, but 
> almost every corner of the town is full of wi-fi networks)
> 
> 3) my laptop cannot even see any hotspot provided by a Nokia 3 
> smartphone with Android up to date; we have three of them, and I 
> checked everyone one of them: they all can be used by the tablet in 
> point 2) above, and none of them are even found by my laptop.
> 
> It seems there is something wrong with my laptop and Nokia 3 when they 
> try to communicate. Currently I'm still using my Nokia 3 as a modem 
> via Bluetooth, but the connection is rather slow. When the wi-fi 
> hotspot was working the speed was much higher.
> 
> Some data:
> 
> - the laptop is a HP 6730s, quite slow but incredibly robust; Buster 
> is up to date
> - all the Nokia 3 have Android 9 July update
> 
> Thanks in advance for any hint.

Perhaps your hotspot uses insecure encryption rejected by modern 
systems?

Some encryption (e.g. WEP) is so insecure that it is practically 
useless: If you cannot upgrade then consider turning off encryption 
altogether and see if that works.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Server hardware advice.

2019-08-07 Thread Jonas Smedegaard
Quoting Reco (2019-08-07 10:53:35)
> On Wed, Aug 07, 2019 at 10:21:25AM +0200, Jonas Smedegaard wrote:
> > > That list is outdated somewhat. But it gave me good ideas back in 
> > > the day.
> > 
> > Care to elaborate?
> 
> Specifically it gave me an idea to buy that Linksys WRT1200.
> Works for me since stretch, the only disadvantages are the need to 
> build an out-of-tree kernel module (mwlwifi) for WiFi and feed it 
> non-free firmware.
> But I needed a router, the thing fit the need.

So when you wrote "That list is outdated somewhat" you really meant 
"That list didn't fit my needs and was inspirational even then."

Great to hear that!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Server hardware advice.

2019-08-07 Thread Reco
On Wed, Aug 07, 2019 at 10:21:25AM +0200, Jonas Smedegaard wrote:
> > That list is outdated somewhat. But it gave me good ideas back in the 
> > day.
> 
> Care to elaborate?

Specifically it gave me an idea to buy that Linksys WRT1200.
Works for me since stretch, the only disadvantages are the need to build
an out-of-tree kernel module (mwlwifi) for WiFi and feed it non-free
firmware.
But I needed a router, the thing fit the need.

Reco



Buster on laptop cannot find Nokia 3 hotspot...

2019-08-07 Thread Nimrod
Hi,

my (very old) laptop has been working like a charm until I updated from
Stretch to Buster. Among the other, the issue in the subject is very
relevant for me.

Here is what happens when I turn on wi-fi hotspot on Nokia 3 smartphone
(Android up to date):

1) any smartphone or tablet in the family can connect to my Nokia 3
hotspot.

2) my laptop can connect at least to a tablet hotspot (the tablet has a
rather old Android version, I guess 6 or even less, and it cannot be
updated); also, my laptop finds a lot of wi-fi networks around
(currently I'm in a building in the small town of Anzio, Italy, but
almost every corner of the town is full of wi-fi networks)

3) my laptop cannot even see any hotspot provided by a Nokia 3
smartphone with Android up to date; we have three of them, and I
checked every one of them: they all can be used by the tablet in
point 2) above, and none of them are even found by my laptop.

It seems there is something wrong with my laptop and Nokia 3 when they
try to communicate. Currently I'm still using my Nokia 3 as a modem via
Bluetooth, but the connection is rather slow. When the wi-fi hotspot
was working the speed was much higher.

Some data:

- the laptop is an HP 6730s, quite slow but incredibly robust; Buster is
up to date
- all the Nokia 3 have Android 9 July update

Thanks in advance for any hint.


-- 
Nimrod 


Re: Server hardware advice.

2019-08-07 Thread Jonas Smedegaard
Quoting john doe (2019-08-07 09:33:35)
> On 8/7/2019 8:53 AM, Reco wrote:
> > On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
> >> I'm looking for advice on how to build a home server with a primary 
> >> focus on security. I plan to run nextcloud and a mail server that 
> >> will serve 3 to 5 people at most.
> >>
> >> My requirements are:
> >>
> >> A server setup that can be run with completely open source software 
> >> and doesn't require any binaries to boot. I don't trust anything 
> >> closed source for this particular project.
> >>
> >> A gigabit ethernet port.
> >>
> >> A USB3.0 port or SATA connector to attach storage to.
> >>
> >> Enough processor power and ram to run nextcloud and the mail server 
> >> from an encrypted hard drive (LUKS) efficiently with moderate 
> >> throughput saving and reading files from nextcloud.
> >
> >  These fit all your requirements (i.e. it'll run stock buster kernel 
> > without any additional firmware):
> >
> > Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
> > GnuBee - [2]. 6 SATA ports attached to PCI-E.
> > Odroid HC2 - [3]. Single SATA port, attached to USB bus.
> >
> >
> >> So far I have been looking at single board computers like the ones 
> >> listed here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
> >
> > That list is outdated somewhat. But it gave me good ideas back in 
> > the day.
> >
> > Reco
> >
> > [1] https://kobol.io/
> > [2] http://gnubee.org/
> > [3] https://www.hardkernel.com/shop/odroid-hc2-home-cloud-two/
> >
> 
> I don't have a room dedicated to my devices, is there any solution 
> that is fan less?
> Url (3) looks to be the case.

The ODroid board ships with huge passive cooling which helps if the room 
is adequately cool - and otherwise will "throttle" - i.e. run at lower 
speeds to avoid meltdown.

Heat is indeed a reason to consider other boards than above.  My 
recommendation is to buy the industrial-grade A64-OLinuXino-2Ge8G-IND
https://www.olimex.com/Products/OLinuXino/A64/A64-OLinuXino/open-source-hardware

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Server hardware advice.

2019-08-07 Thread Jonas Smedegaard
Quoting Reco (2019-08-07 08:53:52)
> On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
> > I'm looking for advice on how to build a home server with a primary 
> > focus on security. I plan to run nextcloud and a mail server that 
> > will serve 3 to 5 people at most.
> > 
> > My requirements are:
> > 
> > A server setup that can be run with completely open source software 
> > and doesn't require any binaries to boot. I don't trust anything 
> > closed source for this particular project.
> > 
> > A gigabit ethernet port.
> > 
> > A USB3.0 port or SATA connector to attach storage to.
> > 
> > Enough processor power and ram to run nextcloud and the mail server 
> > from an encrypted hard drive (LUKS) efficiently with moderate 
> > throughput saving and reading files from nextcloud.
> 
>  These fit all your requirements (i.e. it'll run stock buster kernel 
> without any additional firmware):
> 
> Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
> GnuBee - [2]. 6 SATA ports attached to PCI-E.
> Odroid HC2 - [3]. Single SATA port, attached to USB bus.

No powerful computers exist today completely without non-free parts: 
Since you point to Open Source Hardware below, beware that none of above 
devices are OSHWA certified: https://certification.oshwa.org/list.html - 
if however your freedom concerns are limited to _software_ parts then it 
is easier: Look for boards supported in mainline Linux and u-boot, and 
supported in Debian!

Disregarding OSHW I agree that above options are good highlights. 
Additionally I suggest Olimex A64-Olinuxino and ESPRESSObin, both 
(unlike above options) known to be mainlined and work with Debian 
Buster.

Personally, for hosting mail + Nextcloud for a small team I would 
tolerate USB2.0 and use the OSHWA certified board Olimex A64-Olinuxino.

Only for heavy professional demands (e.g. an advertising agency pushing 
big files across a LAN all the time) I would use a Helios4.


> > So far I have been looking at single board computers like the ones 
> > listed here: https://wiki.debian.org/CheapServerBoxHardware#OSHW

Happy to see that list being of use beyond the FreedomBox project and my 
own competing https://solidbox.org/ :-)

Please note that above list is limited to more consumer-oriented devices 
than your spec needs - e.g. must be sold with a proper case and be 
cheaper than you tolerate.


> That list is outdated somewhat. But it gave me good ideas back in the 
> day.

Care to elaborate?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Server hardware advice.

2019-08-07 Thread john doe
On 8/7/2019 8:53 AM, Reco wrote:
> On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
>> Hi all,
>>
>> I'm looking for advice on how to build a home server with a primary focus on
>> security. I plan to run nextcloud and a mail server that will serve 3 to 5
>> people at most.
>>
>> My requirements are:
>>
>> A server setup that can be run with completely open source software and
>> doesn't require any binaries to boot. I don't trust anything closed source for
>> this particular project.
>>
>> A gigabit ethernet port.
>>
>> A USB3.0 port or SATA connector to attach storage to.
>>
>> Enough processor power and ram to run nextcloud and the mail server from an
>> encrypted hard drive (LUKS) efficiently with moderate throughput saving and
>> reading files from nextcloud.
>
>  These fit all your requirements (i.e. it'll run stock buster kernel
> without any additional firmware):
>
> Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
> GnuBee - [2]. 6 SATA ports attached to PCI-E.
> Odroid HC2 - [3]. Single SATA port, attached to USB bus.
>
>
>> So far I have been looking at single board computers like the ones listed
>> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
>
> That list is outdated somewhat. But it gave me good ideas back in the
> day.
>
> Reco
>
> [1] https://kobol.io/
> [2] http://gnubee.org/
> [3] https://www.hardkernel.com/shop/odroid-hc2-home-cloud-two/
>

I don't have a room dedicated to my devices, is there any solution that
is fan less?
Url (3) looks to be the case.

--
John Doe



Re: Don't disable recommends by default

2019-08-07 Thread tomas
On Tue, Aug 06, 2019 at 07:40:25PM +0100, Brian wrote:
> On Tue 06 Aug 2019 at 09:32:11 +0200, to...@tuxteam.de wrote:

[...]

> > And now let me get down from my soapbox and hand it over to someone
> > else :-)
> 
> We'd rather you stayed there to keep us up to the mark. Anyway, we
> like the snazzy shirt you are wearing.

Oops! And I thought I had my webcam covered?

;-)

Cheers
-- t




Re: Server hardware advice.

2019-08-07 Thread Reco
On Wed, Aug 07, 2019 at 01:29:21AM -0400, Steven Mainor wrote:
> Hi all,
> 
> I'm looking for advice on how to build a home server with a primary focus on 
> security. I plan to run nextcloud and a mail server that will serve 3 to 5 
> people at most.
> 
> My requirements are:
> 
> A server setup that can be run with completely open source software and 
> doesn't require any binaries to boot. I don't trust anything closed source for
> this particular project.
> 
> A gigabit ethernet port.
> 
> A USB3.0 port or SATA connector to attach storage to.
> 
> Enough processor power and ram to run nextcloud and the mail server from an 
> encrypted hard drive (LUKS) efficiently with moderate throughput saving and 
> reading files from nextcloud.

 These fit all your requirements (i.e. it'll run stock buster kernel
without any additional firmware):

Helios4 - [1]. 4 SATA ports controller attached to PCI-E.
GnuBee - [2]. 6 SATA ports attached to PCI-E.
Odroid HC2 - [3]. Single SATA port, attached to USB bus.


> So far I have been looking at single board computers like the ones listed 
> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW

That list is outdated somewhat. But it gave me good ideas back in the
day. 

Reco

[1] https://kobol.io/
[2] http://gnubee.org/
[3] https://www.hardkernel.com/shop/odroid-hc2-home-cloud-two/



Re: WiFi interface unexpected response

2019-08-07 Thread Andrei POPESCU
On Ma, 06 aug 19, 18:13:02, zetam.imap wrote:
> 
> > Why do you need this if you configure wpa in /etc/network/interfaces?
> 
> Normally the wireless interface is activated when a user accesses their
> account on the graphical interface.
> This host has to perform unattended tasks on that network even if no
> user is logged in.

Let me rephrase that: why do you need *both* /etc/network/interfaces and 
wpa_supplicant.conf?

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: qDslrDashboard anyone?

2019-08-07 Thread deloptes
Johann Spies wrote:

> How do I solve these problems?

Read https://dslrdashboard.info/introduction/
Install dependencies.

The application is written in C++ using the Qt Framework. It uses the OpenCV
library for image processing, LibRaw library for RAW image processing and
the libusb library for the USB communication.

regards



Re: PROGRESS!! - was {Re: Wireless home LAN - WiFi vs Bluetooth?}

2019-08-07 Thread Andrei POPESCU
On Ma, 06 aug 19, 08:34:20, David Wright wrote:
> On Tue 06 Aug 2019 at 08:44:41 (+0300), Andrei POPESCU wrote:
> > On Lu, 05 aug 19, 14:55:11, David Wright wrote:
> > > 
> > > I think it's made clear in the tomás quotation, about 18 lines above
> > > Richard's citation of the same. Regardless, the OP is connecting two
> > > machines (requiring firmware) running DEs on stretch, and has an
> > > 8-port switch lying around too, so not much chance of needing to
> > > chop up cables (unless in frustration at having to use them at all).
> > > No progress reported yet, though, AFAICT.
> > 
> > Maybe it's just me, but it was quite clear the OP excluded ethernet and 
> > the cable lying around was USB-to-USB.
> 
> We live in hope. The OP may realise eventually that the USB-to-USB is
> a dead end, a useful dead end in its day, like Kermit over RS232 which
> gave me years of service in the 1980s and 1990s. It was 2013 when I
> finally disposed of my 9/25-pin to 9/25-pin serial crossover cable.
> It could have been very useful for the OP's Kaypro 10. Yes, they have
> one of these lying around, but no room for Cat5 cables to any of their
> other computers. So our hope is forlorn. Or should I say, we are a
> forlorn hope.

Regardless, it still makes the entire "to crossover or not to crossover" 
pointless.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Server hardware advice.

2019-08-07 Thread Steven Mainor
You are correct. That was an oversight.

Of all the items on that page I could probably afford the screwdriver and the 
heatsinks.

I would like to keep the budget under $500, not including the hard drive(s); I 
already have drives. Less is better.
--
Steven Mainor

On August 7, 2019 1:52:15 AM EDT, Richard Hector wrote:
>On 7/08/19 5:29 PM, Steven Mainor wrote:
>> Hi all,
>>
>> I'm looking for advice on how to build a home server with a primary focus on
>> security. I plan to run nextcloud and a mail server that will serve 3 to 5
>> people at most.
>>
>> My requirements are:
>>
>> A server setup that can be run with completely open source software and
>> doesn't require any binaries to boot. I don't trust anything closed source for
>> this particular project.
>>
>> A gigabit ethernet port.
>>
>> A USB3.0 port or SATA connector to attach storage to.
>>
>> Enough processor power and ram to run nextcloud and the mail server from an
>> encrypted hard drive (LUKS) efficiently with moderate throughput saving and
>> reading files from nextcloud.
>>
>> I would just build something x86 based but the amd/intel Platform Security
>> Processor/IME stuff makes me nervous.
>>
>> So far I have been looking at single board computers like the ones listed
>> here: https://wiki.debian.org/CheapServerBoxHardware#OSHW
>>
>> I like the OLinuXino A20 LIME2 but I am not sure the processor will be enough
>> to handle the overhead from an encrypted hard drive. I also don't like that it
>> is only 32-bit since that will limit the file size nextcloud can handle as I
>> understand it.
>>
>> Is there anything similar to the OLinuXino A20 LIME2 but more powerful or is
>> there a better option I haven't read about yet?
>
>You haven't mentioned a budget, but strong emphasis on security and
>openness ...
>
>https://www.raptorcs.com/TALOSII/ ?
>
>Richard