Re: Debian live boot corrupting secure boot

2023-09-26 Thread Jeffrey Walton
On Tue, Sep 26, 2023 at 10:20 PM Valerio Vanni  wrote:
>
> Motherboard is an Asus H510M-A.
>
> I found the issue on latest versions of Clonezilla, but then I tried
> with plain Debian live and the behavior is the same.
>
> Booting a recent Debian USB key does some modification on secure boot that
> prevents some older OS from booting.
>
> The cycle is:
>
> 1) Machine brand new: secure boot is active, Windows 10 shows it active,
> I can boot an old Clonezilla live (2.8.1-12) as many times as I want.
>
> 2) I boot from USB drive Debian Live 12
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso
>
> A note: to trigger the issue, there's no need to go on and load OS. It's
> enough to see the first page (that with grub entries) and then shutdown.
>
> 3) At next boots, secure boot refuses to boot from Clonezilla live
> 2.8.1-12. The error is
> "verification failed 0x1A security violation"
> Windows 10 can still start, and shows secure boot active. Only if I
> disable secure boot from BIOS, I can start clonezilla.
>
> 4) I reflash BIOS, same version, and go to point 1.
>
> Tested many times.

The failure at (3) sounds like what happened when old grub images were
blacklisted in the UEFI Revocation List dbx. Also see
.

You should probably stop doing (4).

Jeff



Re: Debian live boot corrupting secure boot

2023-09-26 Thread Max Nikulin

On 27/09/2023 03:28, Valerio Vanni wrote:


> I found the issue on latest versions of Clonezilla, but then I tried
   ^^
> with plain Debian live and the behavior is the same.


Does it mean that you can not boot your *old* Clonezilla live after 
booting a latest Clonezilla? If so, it is better to discuss the issue 
with shim or grub developers.


> 1) Machine brand new: secure boot is active, Windows 10 shows it active,
> I can boot an old Clonezilla live (2.8.1-12) as many times as I want.
^^^

An old image may be signed by a key later added to certificate 
revocation lists. If so, secure boot just works as it is supposed to do.



> 2) I boot from USB drive Debian Live 12
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso


If it can be reproduced with a contemporary Clonezilla or e.g. a Fedora 
image then it is not a Debian issue. If it is specific to namely Debian 
(I am unsure concerning Ubuntu, Debian derivatives) then it is better to 
file a bug providing more details.


> A note: to trigger the issue, there's no need to go on and load OS. It's
> enough to see the first page (that with grub entries) and then shutdown.


I have an old HP laptop with buggy firmware where fbx64.efi (from shim) 
tries to fix NVRAM boot entries on each boot, so it is better to avoid 
this file on this machine. It happens before grub, but I do not think it 
is relevant to your issue.



> 4) I reflash BIOS, same version, and go to point 1.


How old is your BIOS? Maybe you just restore obsolete list signing of keys.

I suggest to compare

efibootmgr -v

output in the state when Clonezilla may be booted and when it fails. In 
addition public keys and certificate revocation list should be compared 
(unsure concerning commands).


My opinion is that just loading boot images without installing OS should 
not modify firmware state. In this sense it may be a bug.


On the other hand, forget old images if you have secure boot enabled. A 
security vulnerability may result in requirement to sign all boot images 
with new keys while older ones are added to revocation lists that are 
updated with firmware update or by OS.


If you can confirm that Clonezilla signing key has not been revoked then 
it is a subject for a bug report.
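
Added example, not part of the original message: one way to compare the revocation list (dbx) between the state where the old image boots and the state where it fails, by parsing the EFI_SIGNATURE_LIST structures in two saved copies of `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`. The function names, the owner GUID and the sample hashes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
}

def parse_siglists(blob, efivarfs=True):
    """Return {(type, hex_payload)} for every entry in a db/dbx dump."""
    data = blob[4:] if efivarfs else blob  # efivarfs prepends 4 attribute bytes
    entries, off = set(), 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the payload.
            payload = data[pos + 16:pos + sig_size]
            entries.add((SIG_TYPES.get(sig_type, str(sig_type)), payload.hex()))
            pos += sig_size
        off = end
    return entries

def diff_dbx(before, after):
    """Entries added to and removed from the revocation list."""
    old, new = parse_siglists(before), parse_siglists(after)
    return sorted(new - old), sorted(old - new)

def make_dump(hashes):
    # Constructed sample: one SHA-256 signature list in efivarfs layout.
    owner = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes_le
    body = b"".join(owner + h for h in hashes)
    head = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
    head += struct.pack("<III", 28 + len(body), 0, 48)
    return struct.pack("<I", 0x27) + head + body  # 0x27 = NV|BS|RT|time-based auth

if __name__ == "__main__":
    h1, h2 = bytes([0x11]) * 32, bytes([0x22]) * 32  # constructed, not real hashes
    added, removed = diff_dbx(make_dump([h1]), make_dump([h1, h2]))
    print("added:", added)
    print("removed:", removed)
```

On a real machine, replace the `make_dump` calls with the bytes of the two saved variable files; a SHA-256 entry that appears only in the "after" dump is a hash that was newly revoked.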




Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Tom Browder
On Tue, Sep 26, 2023 at 18:32 Tom Browder  wrote:

> On Tue, Sep 26, 2023 at 18:11 Tom Browder  wrote:
>
>> On Tue, Sep 26, 2023 at 16:15 Andy Smith  wrote:
>>
> ...
>
>> Well, I wanted to do it all in one program, but I guess I could break it
>> up into two separate programs. I'll have to think about what I'm really
>> trying to do.
>>
>
> Another issue is precompilation. I need to find out how to work around
> that somehow. Otherwise I would need two separate modules instead of the
> single one I'm currently using.
>
One of our experts says that is not a problem, so I'm heading in that
direction.

-Tom


Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Tom Browder
On Tue, Sep 26, 2023 at 18:11 Tom Browder  wrote:

> On Tue, Sep 26, 2023 at 16:15 Andy Smith  wrote:
>
...

> Well, I wanted to do it all in one program, but I guess I could break it
> up into two separate programs. I'll have to think about what I'm really
> trying to do.
>

Another issue is precompilation. I need to find out how to work around that
somehow. Otherwise I would need two separate modules instead of the single
one I'm currently using.


Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Tom Browder
On Tue, Sep 26, 2023 at 16:15 Andy Smith  wrote:

> Hello,

...

> Why does any of that stop you from only using the dev Raku once
> you've used the packaged Raku to install it?


Well, I wanted to do it all in one program, but I guess I could break it up
into two separate programs. I'll have to think about what I'm really trying
to do.

Thanks for your input, Andy.

-Tom


Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Greg Wooledge
On Tue, Sep 26, 2023 at 03:37:44PM -0500, Tom Browder wrote:
> On Mon, Sep 25, 2023 at 10:03 Greg Wooledge  wrote:
> ...
> 
> Greg, one more file I don't think we've discussed: '~/.bash_aliases'.
> 
> How should I handle that in this variable login climate?

That's not a standard file.  Debian does not create it, and bash does
not read it.

It only gets read if you source it from some other file, like ~/.bashrc.
The /etc/skel/.bashrc provided by Debian will source it if it exists.

As far as management goes, since it's sourced by .bashrc it should be
treated like it's part of .bashrc.

If you're asking "Should I create it?  Should I put things in it, if I
find it?" I would say no to both.  If an individual user wants to use
it, that's their choice, but you shouldn't assume it exists, or that
it *should* exist, or that it will be read if it does exist.

But that's just me.

If you're asking "Should I modify .bashrc (or one of its sourced files)?"
that's a much more complicated question.  The normal reasons people put
environmental configuration into .bashrc are:

1) Because they only care about the environment in their terminals, not in
   their GUI apps.

2) Because they want the simplest choice, not the most efficient choice,
   and they don't care how often the environment configuration commands
   are re-executed.

3) Because they're using a desktop which overrides the X or Wayland
   session environment, and disabling that is either impossible, or too
   hard for them to discover.

4) Because they're using a desktop where the terminal environment is NOT
   inherited from the X or Wayland environment, so duplicating
   environment configuration commands in .bashrc is needed to get their
   effects in terminals.



Debian live boot corrupting secure boot

2023-09-26 Thread Valerio Vanni

Motherboard is an Asus H510M-A.

I found the issue on latest versions of Clonezilla, but then I tried 
with plain Debian live and the behavior is the same.


Booting a recent Debian USB key does some modification on secure boot that 
prevents some older OS from booting.


The cycle is:

1) Machine brand new: secure boot is active, Windows 10 shows it active, 
I can boot an old Clonezilla live (2.8.1-12) as many times as I want.


2) I boot from USB drive Debian Live 12
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso

A note: to trigger the issue, there's no need to go on and load OS. It's 
enough to see the first page (that with grub entries) and then shutdown.


3) At next boots, secure boot refuses to boot from Clonezilla live 
2.8.1-12. The error is

"verification failed 0x1A security violation"
Windows 10 can still start, and shows secure boot active. Only if I 
disable secure boot from BIOS, I can start clonezilla.


4) I reflash BIOS, same version, and go to point 1.

Tested many times.



Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Tom Browder
On Mon, Sep 25, 2023 at 10:03 Greg Wooledge  wrote:
...

Greg, one more file I don't think we've discussed: '~/.bash_aliases'.

How should I handle that in this variable login climate?

Thanks.

-Tom


Re: Letting Windows go: scanning

2023-09-26 Thread Dominique Dumont
On Wednesday, 20 September 2023 19:06:12 CEST Tom Browder wrote:
> One major thing I use my windows host for is using my HP multifunction
> laser printer to scan to pdf to save locally.  I have just installed
> gscan2pdf and sane but I am still missing something.

HP scanners often require the installation of an HP plugin. This is handled by 
the hp-setup program from the hplip package.

This plugin may be missing in your case.

See https://developers.hp.com/hp-linux-imaging-and-printing/binary_plugin.html

HTH






Re: Are people trying to relay mail through my system?

2023-09-26 Thread Curt
On 2023-09-25, Greg Wooledge  wrote:
>
> The preferred policy nowadays is to perform all possible checks *during*
> the initial SMTP conversation.  If a message fails to meet acceptance
> criteria for any reason, it should be rejected during that initial
> conversation.  Generating a bounce message almost always ends up sending
> spam to an innocent third party address, which the malicious sender has
> forged.
>
> How this relates to fetchmail and exim, specifically, I can't say.  These
> aren't tools I'm deeply familiar with.  But if you can do it, try to
> arrange it so that any message that can't be accepted gets dropped into
> a black hole, rather than generating a bounce message.
>
>

I guess this is what you're alluding to?

https://starcat.dp.ua/doc/exim4/FAQ-html/FAQ_7.html

 7. POLICY CONTROLS

 Q0701:  How do I block unwanted messages from outside my host?

 A0701:  Exim uses Access Control Lists (ACLs) for controlling incoming mail
 from other hosts. A whole chapter in the reference manual is devoted to
 describing how they work. A wide variety of conditions can be imposed on
 incoming messages.

 The default Exim run time configuration contains an example of an ACL which
 blocks all relaying, and messages whose senders cannot be verified. This
 example is heavily commented and worth studying.

 Q0702:  I don't want to block spam entirely; how can I inspect each message
 before deciding whether or not to deliver it?

 A0702:  Wherever possible, inspection and rejection is best done automatically
 in an ACL, that is, before the message is accepted. If you want to verify
 manually each message that is classified as spam by an automatic check, you can
 arrange for a system filter to freeze such messages after they have been
 accepted.

 If, after inspection, you decide not to deliver the message, it is safest to
 discard it, using the -Mrm option. Use of the -Mg option to force a bounce
 carries the risk of “collateral spam” if the sender address is faked (as it
 usually is in spam). 
 




Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Andy Smith
Hello,

On Tue, Sep 26, 2023 at 09:05:51AM -0500, Tom Browder wrote:
> On Mon, Sep 25, 2023 at 17:45 Andy Smith  wrote:
> ...
> > I'd make it all run with one raku from one place, or else I'd
> > specify the full path to the special raku that is needed.

[…]

> You do not understand the problem, Andy: Debian's package version of
> raku is over two years old, and it is NOT installed by default.  My
> script uses that raku as a bootstrap to update to the latest release
> provided as a Debian package format similar to the manner in which
> PostgreSQL can be maintained in its latest state with an out-of-Debian
> package location.

Why does any of that stop you from only using the dev Raku once
you've used the packaged Raku to install it?

You're right, I don't understand. Your use case sounds the same as
any I've had to accomplish with development versions of Perl,
Python, Ruby, Go, Rust etc for multiple decades now. I do not
understand why your situation, with Raku, is special in any way.

Perhaps it's some aspect of Raku that I don't understand, not being
familiar with that, so I should leave it to others who maybe do
understand that.

Best of luck!
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: PATH revisited: one PATH to "rule the [Debian] World"

2023-09-26 Thread Tom Browder
On Mon, Sep 25, 2023 at 17:45 Andy Smith  wrote:
...
> I'd make it all run with one raku from one place, or else I'd
> specify the full path to the special raku that is needed.
>
> Anything else sounds like a great foot-gun left lying around for
> others or myself a week from now.
>
> Perl and Python virtual environments typically have a script which
> sets the path to the interpreter once you enter them, and then
> everything is self-contained from there.
...

You do not understand the problem, Andy: Debian's package version of
raku is over two years old, and it is NOT installed by default.  My
script uses that raku as a bootstrap to update to the latest release
provided as a Debian package format similar to the manner in which
PostgreSQL can be maintained in its latest state with an out-of-Debian
package location.

Perl, on the other hand, is very current, installed as a default
Debian package, and not changing as fast as raku (improved releases
almost every month). Python is its own weird thing which I ignore as
much as possible.

Cheers!

-Tom



Re: Unable to install phpMyAdmin in Debian 12

2023-09-26 Thread Andy Smith
Hi,

On Tue, Sep 26, 2023 at 01:56:44PM +0300, Petros Pap wrote:
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)

^ scripts trying to connect to MariaDB as root with no password.

> Note: I have already setup password for root in mysql
> mysql -uroot -p
> working

Doesn't matter; that's not what the scripts are doing.

You need to arrange it so that:

# mysql -u root

works (no -p)

Normally MariaDB uses socket authentication for root@localhost, i.e.
if you're root you can log in as root@localhost through unix socket
without specifying password.

> How do I solve this issue?
> Resetting password for root?

I think you might need to remove your password for root@localhost
and return it back to socket authentication.

If you want to allow both kinds of authentication, that is possible
since MariaDB 10.4:

MariaDB> ALTER USER `root`@`localhost`
IDENTIFIED VIA unix_socket
OR mysql_native_password USING PASSWORD("letmein1");

But I think for the sake of Debian package scripts, root needs to
have socket authentication available.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Unable to install phpMyAdmin in Debian 12

2023-09-26 Thread Petros Pap
Hi there,
I tried to install phpMyAdmin but I got an error:



dbconfig-common: phpmyadmin configure: trying again.
Determining localhost credentials from /etc/mysql/debian.cnf: succeeded.
dbconfig-common: writing config to /etc/dbconfig-common/phpmyadmin.conf
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
password: NO).
unable to connect to mysql server.
error encountered creating user:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
password: NO)
dbconfig-common: phpmyadmin configure: aborted.
dbconfig-common: flushing administrative password
dpkg: error processing package phpmyadmin (--configure):
 installed phpmyadmin package post-installation script subprocess returned
error exit status 1
Errors were encountered while processing:
phpmyadmin

Note: I have already set up a password for root in mysql
mysql -uroot -p
working

status
--
mysql  Ver 15.1 Distrib 10.11.3-MariaDB, for debian-linux-gnu (x86_64)
using  EditLine wrapper

Connection id:          6693
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.11.3-MariaDB-1 Debian 12
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db characterset:        utf8mb4
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /run/mysqld/mysqld.sock
Uptime:                 2 hours 36 min 58 sec

Threads: 1  Questions: 13358  Slow queries: 0  Opens: 119  Open tables: 112
 Queries per second avg: 1.418

How do I solve this issue?
Resetting password for root?

-- 
ppetros