Re: BASH reference for those who are "learning by doing"?

2024-09-10 Thread Lee
On Tue, Sep 10, 2024 at 5:05 AM Anssi Saari wrote:
>
> Karl Vogel writes:
>
> > Have you tried some different fonts?  My eyesight is poor, and a good
> > font made all the difference.
> >
> > https://bezoar.org/posts/2023/0214/font-screenshots/
>
> Fonts on what? I mostly can't control fonts on documents I edit or
> create, for work at least. A little hard to do on PDFs too, let alone
> UIs.

Try changing the display dots per inch setting.  In xfce it's under
settings / appearance: select the 'fonts' tab, check 'Custom DPI setting'
and try a larger dpi number than whatever you've got.
My desktop defaults to 96 dpi and that's fine for me.  My laptop also
defaults to 96 but I need to bump that up to 120 to easily read the screen
- even with 'computer' glasses.

Regards
Lee


Re: Usage: "debian ... amd64-netinst.iso"

2024-09-02 Thread Lee
On Mon, Sep 2, 2024 at 5:25 AM Thomas Schmitt wrote:
>
> Hi,
>
> Lee wrote:
> > Oops..  I wrote to the stick using the Cygwin cp on an MS-Windows
> > machine, so I'm guessing the damage was done even before ejecting the
> > stick.
>
> MS-Windows can eject a stick ?
> xorriso silently fails to do so:
>
>   xorriso -outdev stdio:/dev/sdc -eject out
>
> (Sorry i could not refrain from this nonsense :))

but it isn't nonsense.  Welcome to the world of Windowz, where one
'ejects' a USB stick and then gets a pop-up saying something about
safe to remove the hardware now.

Maybe there's a command to unmount / sync / whatever a USB stick but
I've always used Windows Explorer and the only option for what to do
before unplugging a USB stick is to eject it.

> > But I'm more interested in what went wrong than exactly where
> > the write/verification failed.
>
> IIRC i once learned from a report about a "FAILED" md5sum.txt check
> that it was the EFI partition which got altered and that various
> proprietary software companies feel entitled to add (rather harmless)
> files to any FAT filesystem which their software can see.
>
>
> > so yeah, the obvious conclusion is that "what went wrong" is that I
> > used a Windows machine.  *sigh*
>
> Well, you have to expect such things to happen there.

Well, no..  I used to have bash scripts that worked on SunOS and then
later Red Hat as well as cygwin.  I've gotten used to things Just
Working across platforms, so this failing is a bit of a surprise.

> They wipe your bottom and your nose ... using the same cloth.

They certainly are getting more .. abusive parental, thinking they
know better than you and doing whatever regardless of what you want.

> > As a very low priority, how was I able to install Debian on my laptop
> > and have everything work when I did the exact same thing for my
> > laptop?
>
> Maybe this time you pulled out the stick and put it back in while
> MS-Windows was still running ?
> I have no tangible idea other than to propose to do some experiments.

Me either.  I'm not going to worry about it - other than reinstall
Debian on my laptop from a USB stick written on a Debian machine :)

Regards
Lee



Re: Usage: "debian ... amd64-netinst.iso"

2024-09-01 Thread Lee
On Sun, Sep 1, 2024 at 5:00 PM Thomas Schmitt wrote:
>
> Hi,
>
> Lee wrote:
> > [...] I'd spin my wheels trying to
> > figure out what's wrong and not too much later say f*kkit and boot off
> > my just written USB drive.
> > [...]
> > $ check_debian_iso SHA512SUMS debian-12.7.0-amd64-netinst.iso /dev/sdb
> > ...
> > 661651456 bytes (662 MB, 631 MiB) copied, 7.11874 s, 92.9 MB/s
> > MISMATCH: '/dev/sdb' checksum differs from 
> > 'debian-12.7.0-amd64-netinst.iso' in 'SHA512SUMS'
> > [...]
> > $ check_debian_iso SHA512SUMS debian-12.7.0-amd64-netinst.iso
> > ...
> > 661651456 bytes (662 MB, 631 MiB) copied, 2.65785 s, 249 MB/s
> > Ok: 'debian-12.7.0-amd64-netinst.iso' matches 
> > 'debian-12.7.0-amd64-netinst.iso' in 'SHA512SUMS'
>
> The script correctly truncated the data stream from /dev/sdb to the
> size that it read from the superblock of its ISO filesystem.
> If the checksums do not match, then some bytes in that range on /dev/sdb
> are not as they are in debian-12.7.0-amd64-netinst.iso.
>
>
> If you are interested in learning where, please keep the stick as it is
> now. Especially do not mount its EFI partition and do not plug it into
> a running MS-Windows system, which would happily alter bytes in that
> partition.

Oops..  I wrote to the stick using the Cygwin cp on an MS-Windows
machine, so I'm guessing the damage was done even before ejecting the
stick.  But I'm more interested in what went wrong than exactly where
the write/verification failed.

I tried everything all over again on my Debian machine and .. it all works :)
as expected even!!

so yeah, the obvious conclusion is that "what went wrong" is that I
used a Windows machine.  *sigh*

As a very low priority, how was I able to install Debian on my laptop
and have everything work when I did the exact same thing for my
laptop?
download the .iso on the windows machine
cp the iso to /dev/sdb using cygwin on the windows machine
boot the laptop from the usb stick and install debian

My June "how2 format a flash drive" msg was after installing Debian on
the laptop.

Lee
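The check Thomas describes above (hash only the first N bytes of the stick, with N taken from the ISO 9660 superblock, then compare against the SHA512SUMS entry) as an added example in Python; this is not the check_debian_iso script used in the thread. It assumes the ISO 9660 Primary Volume Descriptor layout (sector 16, 'CD001', volume space size at offset 80, logical block size at offset 128) and the coreutils SHA512SUMS line format; the sample image and the 'stick' bytes are constructed inline.

```python
import hashlib
import io
import struct
import sys

SECTOR = 2048               # ISO 9660 logical block size used by the Debian images
PVD_OFFSET = 16 * SECTOR    # sectors 0-15 are the system area; sector 16 holds the PVD


def iso_payload_size(stream):
    """Byte length of the ISO 9660 image at the start of a seekable binary stream:
    volume space size (blocks) times logical block size, read from the Primary Volume
    Descriptor. Both fields are stored little-endian then big-endian; they must agree."""
    stream.seek(PVD_OFFSET)
    pvd = stream.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    blocks_le, = struct.unpack("<I", pvd[80:84])
    blocks_be, = struct.unpack(">I", pvd[84:88])
    bsize_le, = struct.unpack("<H", pvd[128:130])
    bsize_be, = struct.unpack(">H", pvd[130:132])
    if blocks_le != blocks_be or bsize_le != bsize_be:
        raise ValueError("primary volume descriptor is internally inconsistent")
    return blocks_le * bsize_le


def parse_sums(text):
    """Map file name -> hex digest from SHA512SUMS ('<hex>  <name>' or '<hex> *<name>')."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def sha512_prefix(stream, nbytes, chunk=1 << 20):
    """SHA-512 over exactly the first nbytes of stream (a stick is longer than the image)."""
    digest = hashlib.sha512()
    stream.seek(0)
    remaining = nbytes
    while remaining:
        data = stream.read(min(chunk, remaining))
        if not data:
            raise ValueError("stream ended %d bytes short of the image size" % remaining)
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()


def verify_image(sums_text, iso_name, stream):
    """Return (ok, found, expected, size) for the image at the start of stream."""
    expected = parse_sums(sums_text)[iso_name]
    size = iso_payload_size(stream)
    found = sha512_prefix(stream, size)
    return found == expected, found, expected, size


def build_sample_iso():
    """Constructed 20-sector stand-in for a Debian ISO; only the PVD fields matter here."""
    blocks = 20
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                      # descriptor type: primary
    pvd[1:6] = b"CD001"                             # standard identifier
    pvd[6] = 1                                      # descriptor version
    pvd[80:88] = struct.pack("<I", blocks) + struct.pack(">I", blocks)
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    term = bytearray(SECTOR)
    term[0] = 255                                   # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    payload = b"filesystem and EFI partition bytes".ljust((blocks - 18) * SECTOR, b"\0")
    return bytes(PVD_OFFSET) + bytes(pvd) + bytes(term) + payload


def demo():
    """Constructed stick: junk past the image end is ignored, but one byte changed
    inside the image (the EFI-partition edit Thomas mentions would be such a change)
    is caught. Returns (ok_intact, ok_damaged, image_size)."""
    iso = build_sample_iso()
    sums = hashlib.sha512(iso).hexdigest() + "  sample.iso\n"
    intact = io.BytesIO(iso + b"\xff" * 4096)        # stale bytes beyond the image end
    damaged = bytearray(iso + b"\xff" * 4096)
    damaged[18 * SECTOR] ^= 0x01                      # one byte altered inside the image
    ok_intact, _, _, size = verify_image(sums, "sample.iso", intact)
    ok_damaged = verify_image(sums, "sample.iso", io.BytesIO(damaged))[0]
    return ok_intact, ok_damaged, size


if __name__ == "__main__":
    # Hypothetical CLI: verify_iso.py SHA512SUMS debian-12.7.0-amd64-netinst.iso /dev/sdX
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as sums_file, open(sys.argv[3], "rb") as device:
            ok, found, expected, size = verify_image(sums_file.read(), sys.argv[2], device)
        print("%d bytes checked\nfound:    %s\nexpected: %s" % (size, found, expected))
        sys.exit(0 if ok else 1)
    print("constructed sample (intact ok, damaged ok, size):", demo())
```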



Re: need help killing screen blanker

2024-09-01 Thread Lee
On Sun, Sep 1, 2024 at 10:57 AM David Wright wrote:
>
> On Sun 01 Sep 2024 at 01:05:21 (-0400), gene heskett wrote:
> > On 8/31/24 22:58, David Wright wrote:
> > > And so should we assume Gene's report that he needs to actually login
> > > again after the screen locks itself is likely caused by confusing the
> > > unlocking screen with a login screen?

Sounds right.  The only difference between the login screen I get
after booting up the machine and the login screen I get after the
screensaver starts and I press a key is that the screensaver login
screen has my username already filled in.

Regards,
Lee



Re: Usage: "debian ... amd64-netinst.iso"

2024-09-01 Thread Lee
On Sun, Sep 1, 2024 at 10:59 AM David Wright wrote:
>
> > On Sat, Aug 31, 2024 at 09:59:47PM -0500, David Wright wrote:
> > > On Sat 31 Aug 2024 at 14:09:45 (-0400), Lee wrote:
> > > > On Sat, Aug 31, 2024 at 1:31 AM John Conover wrote:
> > > > >
> > > > > What does a "debian ... amd64-netinst.iso" do
> > > > > with an .iso?
> > > > >
> > > > > Can it be converted to a USB. How?
> > > >
> > > > https://www.debian.org/releases/bookworm/amd64/ch04s03.en.html
> > > >
> > > > # cp debian.iso /dev/sdX
> > >
> > > The disadvantage of this method is how to check the USB has a good copy.

I never worried about it.  Yeah, I know... Bad Lee [slaps wrist]

> > I don't understand why it would be any harder or easier to check that
> > there's a good copy with cp vs some other tool, so this seems like
> > strange advice.
>
> So your command line would read …

Same as what's in the FAQ[1] .. and then I'd spin my wheels trying to
figure out what's wrong and not too much later say f*kkit and boot off
my just written USB drive.

root@i3668 /cygdrive/c/temp/debian
$ cp debian-12.7.0-amd64-netinst.iso /dev/sdb

root@i3668 /cygdrive/c/temp/debian
$ sync

root@i3668 /cygdrive/c/temp/debian
$ check_debian_iso SHA512SUMS debian-12.7.0-amd64-netinst.iso /dev/sdb
Piping 323072 blocks of '/dev/sdb' through 'sha512sum'
to verify checksum list item 'debian-12.7.0-amd64-netinst.iso'.
323072+0 records in
323072+0 records out
661651456 bytes (662 MB, 631 MiB) copied, 7.11874 s, 92.9 MB/s
Found: 
9a165064baabd7ffb7063f02136e001a2c78c85c8b4a1ae97dfd81abd5641b32c6f04f4bdcd26d69bf6d78b1589bf2dcf75895106ae9e7794441fd2fc10dbe57
Expected:  
e0bd9ba03084a6fd42413b425a2d20e3731678a31fe5fb2cc84f79332129afca2ad4ec897b4224d6a833afaf28a5d938b0fe5d680983182944162c6825b135ce
MISMATCH: '/dev/sdb' checksum differs from
'debian-12.7.0-amd64-netinst.iso' in 'SHA512SUMS'

root@i3668 /cygdrive/c/temp/debian
$ check_debian_iso SHA512SUMS debian-12.7.0-amd64-netinst.iso
Piping 323072 blocks of 'debian-12.7.0-amd64-netinst.iso' through 'sha512sum'
to verify checksum list item 'debian-12.7.0-amd64-netinst.iso'.
323072+0 records in
323072+0 records out
661651456 bytes (662 MB, 631 MiB) copied, 2.65785 s, 249 MB/s
Ok: 'debian-12.7.0-amd64-netinst.iso' matches
'debian-12.7.0-amd64-netinst.iso' in 'SHA512SUMS'

Regards,
Lee

[1]  https://www.debian.org/CD/faq/#verify



Re: Usage: "debian ... amd64-netinst.iso"

2024-08-31 Thread Lee
On Sat, Aug 31, 2024 at 1:31 AM John Conover wrote:
>
> What does a "debian ... amd64-netinst.iso" do
> with an .iso?
>
> Can it be converted to a USB. How?

https://www.debian.org/releases/bookworm/amd64/ch04s03.en.html

# cp debian.iso /dev/sdX



Re: nsswitch what should come first

2024-08-03 Thread Lee
On Sat, Aug 3, 2024 at 9:33 AM Dan Ritter wrote:
>
> Lee wrote:
> > On Fri, Aug 2, 2024 at 7:29 PM Dan Ritter wrote:
> > > I do. If you assign an IP and a DNS name to the IP, all the
> > > network printers I am aware of will work just fine. (They don't
> > > care about the DNS name, either, but it's more convenient if you
> > > don't want to remember the IP.)
> >
> > Yep, a static IP address is assigned via DHCP and the name exists in
> > DNS.  Now what?
> >
> > if it's not obvious, I know appx. zip about linux administration, so
> > hints about what to do after assigning a name and address would be
> > appreciated.
>
> Easiest thing to do: set up CUPSd on one of your machines.
>
> sudo apt install cups

That and more was already installed by default.

$ apt search cups 2>/dev/null | grep installed | wc -l
20

> Then read https://wiki.debian.org/SystemPrinting

uh oh ..
"It would be as well to check whether any functioning print queues
have been automatically installed by cups-browsed prior to a manual
setup. This can be done with
 lpstat -a"

$ lpstat -a
Canon_MG3600_series accepting requests since Sat Aug  3 00:00:28 2024
HP_ENVY_5540_series_20A070_ accepting requests since Sat Aug  3 00:00:28 2024

I'd have to go back to an /etc/nsswitch.conf with
hosts:  files dns
and then manually configure the print queues.  Correct?

> and use either
> the web interface on port 631 or system-config-printer in a GUI
> to set up your printer. If it's recent, it can probably use the
> ipp driver; if it is middle-aged, it can probably be used via
> the port 9100 lp system.

Thanks for the info.  I'm not sure that manual configuration is all
that much better than the automatic stuff tho..  it seems like if
someone can get on my network and respond to mDNS queries I've got
worse problems than them impersonating a printer.

Am I missing something or does manually configuring printer queues
just remove my print queue dependency on avahi / mDNS?
I can see not wanting mDNS in a work environment, but at home??  I
don't see how it improves my security all that much.

Thanks,
Lee



Re: nsswitch what should come first

2024-08-03 Thread Lee
On Sat, Aug 3, 2024 at 2:55 AM Jeffrey Walton wrote:
>
> On Fri, Aug 2, 2024 at 5:13 PM Lee wrote:
> >
> > On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
> > >
> > > I personally remove mDNS and Bonjour from my machines. mDNS is not the
> > > source of truth on my networks. Rather, DNS is the source of truth in
> > > my networks ...
> >
> > Do you have any network printers?  That work without having mDNS enabled?
>
> Yes.
>
> I enable SLP, LPD and IPP only. I use CUPS Postscript drivers. And I
> believe I use PCL-5, and not PCL-6.
>
> I disable AirPrint, Bonjour, WS-Discovery, WS-Print, Telnet printing,
> TFTP printing and 9100-Printing.

Oh my goodness!!  I install Debian and printing Just Works.

I know it's got something to do with mDNS because printing didn't work
for me with mDNS disabled, but... that's a lot of enabling and
disabling that you do.  What does all that get you?

Thanks
Lee



Re: nsswitch what should come first

2024-08-03 Thread Lee
On Sat, Aug 3, 2024 at 1:41 AM Jeffrey Walton wrote:
>
> On Fri, Aug 2, 2024 at 10:35 PM Lee wrote:
> >
> > On Fri, Aug 2, 2024 at 7:29 PM Dan Ritter wrote:
> > >
> > > Lee wrote:
> > > > On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
> > > > >
> > > > > I personally remove mDNS and Bonjour from my machines. mDNS is not the
> > > > > source of truth on my networks. Rather, DNS is the source of truth in
> > > > > my networks ...
> > > >
> > > > Do you have any network printers?  That work without having mDNS 
> > > > enabled?
> > >
> > > I do. If you assign an IP and a DNS name to the IP, all the
> > > network printers I am aware of will work just fine. (They don't
> > > care about the DNS name, either, but it's more convenient if you
> > > don't want to remember the IP.)
> >
> > Yep, a static IP address is assigned via DHCP and the name exists in
> > DNS.  Now what?
> >
> > if it's not obvious, I know appx. zip about linux administration, so
> > hints about what to do after assigning a name and address would be
> > appreciated.
>
> As far as DNS goes, the only hosts that require a static IP address
> are your DNS servers. Just about everything else can get an address
> from DHCP, including file servers, mail servers and print servers.

But the DHCP assigned address doesn't have to be randomly assigned
from "the free pool."
I like having each machine be assigned the same address each time.  If
nothing else, when something shows up in the firewall logs it's
trivial to figure out which machine was the problem child.
And if something does show up that was assigned from the free pool..
it's always turned out to be something new my wife didn't mention.

  <.. snip ..>
> If you are interested in some good reading on Unix & Linux networking,
> then pick up a copy of W. Richard Stevens' TCP/IP Illustrated, Volume
> I: The Protocols (<https://www.amazon.com/dp/0201633469>). It is a
> great book to learn from. Stevens gives you plenty of command line
> examples to demonstrate concepts.

I've got it, but I preferred Internetworking with TCP/IP by Douglas
Comer - a three volume set; volume 1 was my reference manual for ages.

Regards,
Lee



Re: What is the purpose of mDNS

2024-08-03 Thread Lee
On Sat, Aug 3, 2024 at 6:51 AM George at Clug wrote:
>
> Hi,
>
> What is the purpose of mDNS ?

"zero-configuration networking" seems to be the search term
eg - https://en.wikipedia.org/wiki/Bonjour_(software)

>  It seems to be for multicast?

no, it _uses_ multicast.

when did "utilize" replace "use"?

install wireshark, do a capture with a capture filter of "host
224.0.0.251" and see what's happening on your network.
I see what looks like advertisements for the two printers on my
network and my iPhone constantly querying for

User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (query)
Transaction ID: 0x
Flags: 0x Standard query
Questions: 4
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
lb._dns-sd._udp.local: type PTR, class IN, "QU" question
_companion-link._tcp.local: type PTR, class IN, "QU" question
_homekit._tcp.local: type PTR, class IN, "QU" question
_sleep-proxy._udp.local: type PTR, class IN, "QU" question


> What other use?

zeroconf printing on Debian?  I just installed Debian on a laptop.  I
haven't done anything wrt printing or printer configuration on this
laptop and yet if I open mousepad and click on File / Print - both
printers show up in the printer list.

Regards,
Lee



Re: Email sever and DNS

2024-08-03 Thread Lee
On Sat, Aug 3, 2024 at 12:46 AM George at Clug wrote:
>
> Does anyone have any recommendations on detailed books on Bind9 for 
> authoritative servers which would also include DNSSEC?

https://www.oreilly.com/library/view/dns-and-bind/0596100574/
Years ago, well.. actually, decades ago, reading this book was what
enabled me to maintain a DNS server at work.
Unfortunately, the current version of bind is 9.18 with 9.20 just
released and "The fifth edition covers BIND 9.3.2, the most recent
release of the BIND 9 series ..."

https://zytrax.com/books/dns/
is what I referenced when configuring bind on debian about 4 years ago.

The isc docs were ... not so helpful?  Their technical information is
great.  ..if you can understand it.  They don't do a whole lot of
explaining :(

Regards,
Lee



Re: nsswitch what should come first

2024-08-02 Thread Lee
On Fri, Aug 2, 2024 at 7:29 PM Dan Ritter wrote:
>
> Lee wrote:
> > On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
> > >
> > > I personally remove mDNS and Bonjour from my machines. mDNS is not the
> > > source of truth on my networks. Rather, DNS is the source of truth in
> > > my networks ...
> >
> > Do you have any network printers?  That work without having mDNS enabled?
>
>
> I do. If you assign an IP and a DNS name to the IP, all the
> network printers I am aware of will work just fine. (They don't
> care about the DNS name, either, but it's more convenient if you
> don't want to remember the IP.)

Yep, a static IP address is assigned via DHCP and the name exists in
DNS.  Now what?

if it's not obvious, I know appx. zip about linux administration, so
hints about what to do after assigning a name and address would be
appreciated.

Thanks
Lee



Re: nsswitch what should come first

2024-08-02 Thread Lee
On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
>
> I personally remove mDNS and Bonjour from my machines. mDNS is not the
> source of truth on my networks. Rather, DNS is the source of truth in
> my networks ...

Do you have any network printers?  That work without having mDNS enabled?

Originally I had an /etc/nsswitch.conf with a cut down hosts: line
  hosts:  files dns
and no matter what I did I could not print to the network-attached printer.
 ... which, to be fair, could just be my ignorance wrt printing.
But switch back to an /etc/nsswitch.conf with
  hosts:  files mdns4_minimal [NOTFOUND=return] dns
and I could print.

Regards,
Lee



Re: nsswitch what should come first

2024-08-01 Thread Lee
On Thu, Aug 1, 2024 at 7:41 PM George at Clug wrote:
>
> On Friday, 02-08-2024 at 00:48 David Wright wrote:
> > On Thu 01 Aug 2024 at 10:32:27 (-0400), Greg Wooledge wrote:
> > > On Thu, Aug 01, 2024 at 14:30:05 +, fxkl4...@protonmail.com wrote:
> > > > my nsswitch.conf is "hosts: files mdns4_minimal [NOTFOUND=return] dns"
> > > > i don't remember changing it in the past few decades
> > > > i recently had a situation that made me question the ordering
> > > > my dns server is my primary router
> > > > should dns be first
> > >
> > > It would be *extremely* unusual to want to consult DNS before /etc/hosts.
> > > I recommend leaving files first unless you have a *really* good reason
> > > to switch them.
> > >
> > > I have no comment on mdns4_minimal because I don't really know what that
> > > is.
> >
> > AIUI mdns4_minimal is for devices that configure themselves using
> > multicast DNS on .local. If you put dns first, then the names of any
> > .local devices will be leaked out of your LAN and on to the Internet's
> > DNS servers. [NOTFOUND=return] is what prevents that happening IF you
> > leave the order alone.
>
> > (BTW don't use .local for your LAN domain name.)
>
> Why is that? (recently I was starting to believe I should stop using the 
> domain names I had chosen, and start using (what I thought was) the standard 
> of .local)

Because .local is used for names that can be resolved by multicast
DNS.  See the wikipedia article
https://en.wikipedia.org/wiki/.local

> Is it your personal preference, or a technical necessity?

to quote from wikipedia
   Linux distributions use the Name Service Switch configuration file
   /etc/nsswitch.conf[9] in which mDNS name resolution was added via the
   mdns4_minimal plugin to nsswitch. In this configuration, where
   mdns4_minimal precedes the standard dns option, which uses
   /etc/resolv.conf, the mDNS resolution will block subsequent DNS
   resolution on the local network.

> What is best practice for a local LAN prefix? (I have never found conclusive 
> instruction).

home.arpa
see  https://www.rfc-editor.org/rfc/rfc8375.html

> It is my belief that .local is a MS idea originating from the configuration 
> of their servers. Is this correct?

again, quoting from the .local wikipedia article
  Microsoft TechNet article 708159[7] suggested .local ...
  but later recommended against it

Regards,
Lee
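A model of how glibc walks the hosts: line discussed in this message and in the Aug 2 one above (files mdns4_minimal [NOTFOUND=return] dns versus the cut-down files dns), as an added example; it is not code from the thread, from glibc or from nss-mdns. It assumes the nsswitch.conf(5) action semantics (SUCCESS=return by default, every other status continues unless a [STATUS=ACTION] block says otherwise) and nss-mdns's documented behaviour that mdns4_minimal answers only .local names, returning UNAVAIL for anything else and NOTFOUND for a .local name nobody on the link answers; the three host tables are constructed.

```python
import re

# glibc's NSS status names and the default action for each (nsswitch.conf(5)).
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Constructed tables standing in for /etc/hosts, for what answers on the
# multicast link, and for what the unicast resolver in /etc/resolv.conf knows.
ETC_HOSTS = {"localhost": "127.0.0.1"}
MDNS_LINK = {"canon-mg3600.local": "192.168.1.20"}
UNICAST_DNS = {"printer.home.arpa": "192.168.1.20", "www.debian.org": "203.0.113.10"}


def parse_hosts_line(line):
    """'hosts: files mdns4_minimal [NOTFOUND=return] dns' ->
    [(source, {STATUS: action, ...}), ...] following nsswitch.conf(5) syntax."""
    spec = line.split("#", 1)[0].split(":", 1)[1]
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any source: %s" % tok)
        actions = entries[-1][1]
        for status, action in re.findall(r"(!?\w+)=(\w+)", tok):
            negate = status.startswith("!")
            status = status.lstrip("!").upper()
            for s in DEFAULT_ACTIONS:
                # [!STATUS=action] applies to every status except STATUS
                hit = (s != status) if negate else (s == status)
                if hit:
                    actions[s] = action.lower()
    return entries


def query_source(source, name, outbound):
    """One simulated NSS module. Returns (status, address or None)."""
    if source == "files":
        return ("SUCCESS", ETC_HOSTS[name]) if name in ETC_HOSTS else ("NOTFOUND", None)
    if source == "mdns4_minimal":
        if not name.endswith(".local"):
            return ("UNAVAIL", None)        # mdns4_minimal only handles .local names
        return ("SUCCESS", MDNS_LINK[name]) if name in MDNS_LINK else ("NOTFOUND", None)
    if source == "dns":
        outbound.append(name)               # this query leaves the host for the resolver
        return ("SUCCESS", UNICAST_DNS[name]) if name in UNICAST_DNS else ("NOTFOUND", None)
    return ("UNAVAIL", None)                # module not present


def resolve(hosts_line, name):
    """Walk the hosts: line for name. Returns (address or None, names sent to unicast DNS)."""
    outbound = []
    for source, actions in parse_hosts_line(hosts_line):
        status, addr = query_source(source, name, outbound)
        if actions[status] == "return":
            return addr, outbound
        # "continue" (this model treats "merge" the same way)
    return None, outbound


def leak_report(hosts_line, names=("canon-mg3600.local", "myprinter.local", "www.debian.org")):
    """For each name: (address, whether the name was sent to unicast DNS)."""
    report = {}
    for n in names:
        addr, outbound = resolve(hosts_line, n)
        report[n] = (addr, n in outbound)
    return report


if __name__ == "__main__":
    for line in ("hosts: files mdns4_minimal [NOTFOUND=return] dns",   # Debian default
                 "hosts: files dns",                                     # Lee's cut-down line
                 "hosts: files dns mdns4_minimal"):                      # dns before mdns
        print(line)
        for name, (addr, leaked) in leak_report(line).items():
            print("  %-22s -> %-13s leaked to DNS: %s" % (name, addr, leaked))
```

With the Debian default line a .local name that nobody answers stops at mdns4_minimal, so it never reaches the resolver; with dns ahead of mdns4_minimal (or with no mdns4_minimal at all) every .local lookup is sent upstream first.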



Re: Help installing gdb package using apt

2024-07-15 Thread Lee
On Mon, Jul 15, 2024 at 11:07 AM Demetrius Stanton wrote:
>
> Hi!
>
> My name is Demetrius Stanton. It was suggested that I reach out for a problem 
> I'm experiencing trying to install gdb on my system. I'm willing to submit 
> whatever information is necessary to try and get this issue resolved.
>
> I recently encountered a weird error, and I can't seem to find a fix online. 
> When I run the command ` sudo apt update && sudo apt install gdb -y `, I 
> receive a 404 error stating failed to fetch 
> https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u4_amd64.deb.
> When I navigate to the https://deb.debian.org/debian/pool/main/g/glibc/ 
> site, I'm able to find  libc6-dbg_2.36-9+deb12u7_amd64.deb. Though I'm 
> reasonably confident I could use wget to download and then dpkg to install 
> this file, I am concerned I could adversely affect the stability of my 
> system. I'm sure it would be safer for me to use apt to manage my packages.
>
> How do I proceed forward from here?
>
> I posed this question to  and received the 
> following in response:
>
> "
> Welcome to Debian.
>
> You might be able to resolve this issue you have by running
>
>sudo apt update
>
> followed by
>
>sudo apt full-upgrade
>
> and resolve resulting errors, if any occur, and then try reinstalling gdb. 
> The particular error - attempting to fetch and install what looks like an out 
> of date version of libc6-dbg_2.36-9 - suggests your system might not be fully 
> up to date. If that helps, good; otherwise:

  <.. snip ..>
> Attempting the prescribed fix yielded the following:
>
> $ sudo apt update && sudo apt full-upgrade
> [sudo] password for demetrius:
> Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease
> Hit:2 https://deb.debian.org/debian bookworm InRelease
> Hit:3 https://packages.microsoft.com/repos/code stable InRelease
> Hit:4 https://brave-browser-apt-release.s3.brave.com stable InRelease

You're missing bookworm-security and bookworm-updates from your
sources list.  Try it again with them in your /etc/apt/sources.list

lee@laptop:~$ cat /etc/apt/sources.list
#deb cdrom:[Debian GNU/Linux 12.5.0 _Bookworm_ - Official amd64 NETINST with firmware 20240210-11:27]/ bookworm contrib main non-free-firmware

deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware

deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware

Regards,
Lee



Re: General questions

2024-07-11 Thread Lee
On Thu, Jul 11, 2024 at 7:55 AM 타토카 wrote:
>
> And can you explain to me what is it, please? *
>
> $ alias | grep sha
> alias sha1='/usr/bin/openssl dgst -sha1 '
> alias sha256='/usr/bin/openssl dgst -sha256 '
> alias sha512='/usr/bin/openssl dgst -sha512 '

It's a way of getting sha sums for a file.  I've been carrying those
in my .bashrc file for ages.. I don't remember if I didn't know about
the sha1sum program or it didn't exist in cygwin at the time, but I
found a method that worked and quit looking.  By now it's "muscle
memory" -- like returning from vacation and not being able to remember
your password, but go down to the cafeteria, get a cup of coffee,
return to your desk, turn your PC on and enter your password without
thinking.  I found a method that worked and don't think about it any
more.  You probably should use the sha1sum, sha256sum, sha512sum
programs though - if only to reduce confusion when you're talking to
other people :)

Regards
Lee



Re: General questions

2024-07-10 Thread Lee
On Wed, Jul 10, 2024 at 6:07 PM 타토카 wrote:
>
> Hello, dear Debian Community.
>
> I just wanted to check a key with GPG.
>
> I have found this on https://www.debian.org/CD/verify:
>
> pub   rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
>
> Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>
> uid  Debian CD signing key 
>
>
> How can I download this key for GPG checking?

Click on the link, that takes you to
  https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
and save the file.  Then gpg --import it

$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
" imported
gpg: Total number processed: 1
gpg:   imported: 1
gpg: no ultimately trusted keys found

hrmmm... 64 signatures not checked due to missing keys doesn't look
good, but you've got the key now.

I checked by going to
http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
the SHA512SUMS and SHA512SUMS.sign files.
Verify them by

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
gpg:using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

so the contents of SHA512SUMS are trustworthy.  Or as trustworthy as I
can verify.. somebody else hopefully knows how to get all the missing
keys and mark the DA87E80D6294BE9B key as trusted.

and for whatever it's worth, I use these aliases:
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '

Regards,
Lee



Re: usb => serial port converter

2024-07-08 Thread Lee
On Sun, Jul 7, 2024 at 8:51 PM Andy Smith wrote:
>
> Hi,
>
> On Sun, Jul 07, 2024 at 06:02:18PM -0400, Lee wrote:
> > I tried plugging the dongle into my debian laptop but it didn't
> > recognize it :(
>
> In my experience USB serial gadgets on Linux tend to just work or
> will never work.

It worked this time!
Other than plugging it into a windows machine that had the proper
drivers first, I don't know what changed.

> > And what program are you using to talk to something over the serial
> > link?  pterm or something else?
>
> I use either minicom or GNU Screen. You'll need to know the baud
> rate that the device expects, though you can just try a few common
> ones and see what works. e.g.
>
> # screen /dev/ttyUSB0 115200

Great!  I had to add myself to the dialout group to be able to talk to
the device, but
screen /dev/ttyUSB0 38400
works.

Thanks
Lee



Re: Browser traffic interception/inspection

2024-07-08 Thread Lee
Hi,

On Sun, Jul 7, 2024 at 10:31 PM Max Nikulin wrote:
>
> On 08/07/2024 04:42, Lee wrote:
> > On Mon, Jul 1, 2024 at 11:02 AM Max Nikulin wrote:
> >> On 01/07/2024 13:57, Lee wrote:
> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
> [...]
> >> Is libnss built with logging support ABI compatible with the variant in
> >> Debian repositories? (Or can it be patched to achieve ABI
> >> compatibility?) Instead of asking for changing compile flags for all
> >> users, from my point of view, it is better to suggest alternative
> >> packages with and without logging enabled.
> >>
> >> Browsers are rather sensitive applications, so I find it reasonable that
> >> dumping of encryption keys are not available by default.
> >
> > Maybe I don't know enough to know what's "reasonable" or not.. but I
> > don't see a problem with me being able to inspect the traffic between
> > me and some website.
>
> Is it OK for you that e.g. GnuPG agent disables tracing by default, so
> attaching a debugger or a tool like strace is not so easy? It makes
> harder to debug some issues.

I didn't realize that GnuPG disables tracing by default, so the idea
of it being OK or not has never come up for me.  But my first question
is does it actually improve security or is it more like security
theater?
I don't know how hard it would be to build your own version of GnuPG
that allows tracing, but if it's relatively easy it seems like
disabling tracing is just a minor stumbling block instead of an actual
security enhancement.

>  From my point of view, by default libnss3 should not allow logging of
> private keys. At the same time I do not mind that some users should be
> able to inspect TLS sessions. My idea is an *alternative* package that
> may be optionally installed instead of regular libnss3. Comments to the
> bug report request to enable debugging for *all* and I agree with the
> maintainers who have not done it. You may ask for providing an additional
> package for TLS debugging.
>
> > Anyone else wants to intercept my traffic and they'll have to set an
> > environment variable - which root can do, but who else?
>
> Any regular user may start browser with this variable set.

Right, but presumably they intended that the variable be set.
I'm asking about malicious use of that variable.  Root can do pretty
much whatever they want to, but how does a non-root attacker set that
variable?

> Some
> unintentionally executed code in a user session may restart browser with
> enabled logging. I would not argue that it is a great trouble if an
> exploit is executed. However some measures may be taken to increase
> attack complexity and disabling TLS logging is a small step in this
> direction.

Well, debian has taken that small step.  It's no big deal for me to
download firefox from mozilla, so I've got my work-around.
And this is on my laptop, so the minor lack of security is only going
to impact me -- nobody else uses this laptop :)

> >> <https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
> >
> > but I don't know how to evaluate the security
> > implications of modifying apt-get files.  So I just downloaded the
> > binary from mozilla
>
> So you trust mozilla anyway.

Yes, I trust them enough to run their binary.
I lack the knowledge to evaluate the security implications of
following their instructions to add their repository to .. whatever it
is on my machine (I don't even know what it's called.)

"When in doubt, leave it out."  seems applicable here.

> Notice the "Signed-By" key in repository
> configuration: sources.list(5),
> <https://wiki.debian.org/DebianRepository/UseThirdParty>
> <https://wiki.debian.org/SourcesList>
> apt-secure(8), <https://wiki.debian.org/SecureApt>
>
> > tar -xvf firefox-115.12.0esr.tar.bz2
> > sudo mv firefox /opt/firefox-115.12.0esr/
> > sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox
>
> I suspect that a regular user owns /opt/firefox-115.12.0esr/ and may
> modify files.

You're right :)  Everything in /opt/firefox-115.12.0esr/ is owned by me.
But again, this in on a laptop that nobody else is going to use so ...
I dunno.. maybe I'll chown everything to root so it can't be
accidentally updated.

> It should allow autoupdates, but I believe, it is an
> administrator task to update browser.

I agree.  I've got it set up that way on my windows machine.  I should
probably fix it so I have to become root to update firefox.

Regards,
Lee



usb => serial port converter

2024-07-07 Thread Lee
What's everybody using for a usb => serial port converter?

I got a new network switch and .. OhNoes!! how do I talk to the darn thing???

I went looking thru cabinets and came up with a keyspan usb -> serial
dongle; a quick search found the site with driver downloads, but they
all were for Windows or MacOS.  I tried plugging the dongle into my
debian laptop but it didn't recognize it :(

So... what are people using to talk to serial devices now that PCs
don't come with serial ports anymore?

And what program are you using to talk to something over the serial
link?  pterm or something else?

I still have a Windows machine, so install the drivers, configure
putty to talk to COM4 & I'm good to go.  But I'm trying to get *away*
from Windows.  How do I talk to my switch over the serial port?

Thanks,
Lee



Re: Browser traffic interception/inspection

2024-07-07 Thread Lee
Hi,

On Mon, Jul 1, 2024 at 11:02 AM Max Nikulin wrote:
>
> On 01/07/2024 13:57, Lee wrote:
> > On Sun, Jun 30, 2024 at 11:30 AM Max Nikulin wrote:
> >>>>> On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> >>>>>> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> >>>>>> start C:\"Program Files\Firefox\Firefox.exe"
> >
> > This looks like the Debian bug report
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
> >
> >> Lee, may you, please, specify Firefox version and release channel you
> >> are using on Windows where this feature is working?
> >
> > Firefox 115.12.0esr -- which is the current extended service release 
> > software
> > I'm not sure what you mean by release channel .. ESR?
>
> Thanks. I expected that you may use either developer release, beta, or
> even nightly.

Nope - just regular firefox-esr

> Is libnss built with logging support ABI compatible with the variant in
> Debian repositories? (Or can it be patched to achieve ABI
> compatibility?) Instead of asking for changing compile flags for all
> users, from my point of view, it is better to suggest alternative
> packages with and without logging enabled.
>
> Browsers are rather sensitive applications, so I find it reasonable that
> dumping of encryption keys are not available by default.

Maybe I don't know enough to know what's "reasonable" or not.. but I
don't see a problem with me being able to inspect the traffic between
me and some website.
Anyone else wants to intercept my traffic and they'll have to set an
environment variable - which root can do, but who else?

> However
> debugging should be possible and should require special configuration.
>
> I have not tried .deb packages provided by Mozilla. Since their Windows
> builds allows logging, it might work on Linux as well.
> <https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>

Thanks for the pointer to downloading firefox from mozilla.  But wow!!
plenty too many instructions to be able to
  Install Firefox .deb package for Debian-based distributions

I suppose it's funny that I have no qualms with
SSLKEYLOGFILE= but balk at following those instructions to
modify apt-get actions, but I don't know how to evaluate the security
implications of modifying apt-get files.  So I just downloaded the
binary from mozilla and went from there:

get the 64 bit linux version of firefox esr from
   https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

tar -xvf firefox-115.12.0esr.tar.bz2
sudo mv firefox /opt/firefox-115.12.0esr/
sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox

lee@laptop:~$ cat ~/bin/firefox-tlsdecode.sh
#!/bin/bash
# set things up so that wireshark can decrypt firefox tls traffic
umask 077
SSLKEYLOGFILE=/tmp/FF-SSLkeys.txt
export SSLKEYLOGFILE
/usr/local/bin/firefox "$@" &

# then in wireshark:
#   edit / preferences
#   protocols / tls  (v2.6: protocols / ssl)
# paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename

lee@laptop:~$


So now I've got the debian /usr/bin/firefox that doesn't allow export
tls keys and a /usr/local/bin/firefox that does.

Thanks
Lee
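The wrapper script above sets umask 077 before Firefox creates the key log, and that detail carries the whole security argument: anyone who can read that file can decrypt every captured session. The following is an added example, not code from the list post or from Mozilla or Wireshark: a permission check for the key log, plus a summary of what it contains (by label, without echoing the secrets). The sample key log is constructed, with made-up hex values far shorter than real ones.

```shell
#!/bin/sh
# Added example (not from the list post): sanity checks for an
# SSLKEYLOGFILE before Wireshark is pointed at it. Paths are placeholders.

# 0 if $1 is a regular file with no group/other permission bits, else 1.
keylog_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU stat, then BSD stat
    case "$mode" in
        600|0600|400|0400) return 0 ;;
        *) return 1 ;;
    esac
}

# The NSS key log format is "<LABEL> <client_random_hex> <secret_hex>", one
# entry per line, "#" comments allowed. Print "<label> <count>" per label so
# you can see whether the log holds TLS 1.2 material (CLIENT_RANDOM) or
# TLS 1.3 material (*_TRAFFIC_SECRET*) without printing the secrets.
keylog_summary() {
    awk '
        /^#/ || NF == 0 { next }            # comment or blank line
        NF != 3 { bad++; next }             # malformed: not usable by Wireshark
        { n[$1]++ }
        END {
            for (l in n) print l, n[l]
            if (bad) print "MALFORMED", bad
        }' "$1" | sort
}

# Number of sessions covered by the log: distinct client_random values.
keylog_sessions() {
    awk '!/^#/ && NF == 3 { r[$2] = 1 } END { c = 0; for (k in r) c++; print c }' "$1"
}

# Constructed sample in the key-log format. The hex values are invented and
# far too short to be real (a client_random is 32 bytes = 64 hex digits).
write_sample_keylog() {
    cat > "$1" <<'EOF'
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM 0a0a0a0a 1111111111111111
CLIENT_RANDOM 0b0b0b0b 2222222222222222
CLIENT_HANDSHAKE_TRAFFIC_SECRET 0c0c0c0c 3333333333333333
SERVER_HANDSHAKE_TRAFFIC_SECRET 0c0c0c0c 4444444444444444
CLIENT_TRAFFIC_SECRET_0 0c0c0c0c 5555555555555555
SERVER_TRAFFIC_SECRET_0 0c0c0c0c 6666666666666666
this line is not a secret
EOF
    chmod 600 "$1"
}

# Example usage against the real log (placeholder path):
#   keylog_perms_ok /tmp/FF-SSLkeys.txt || echo "key log is readable by others"
#   keylog_summary /tmp/FF-SSLkeys.txt
```

Two things worth knowing when reading the summary: a single TLS 1.3 session produces several lines (handshake and application traffic secrets for each side) that share one client_random, which is why `keylog_sessions` counts distinct randoms rather than lines; and because /tmp is shared, a 0600 mode on the file is the minimum, with a private directory being the better choice on a multi-user box.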



Re: how2 format a flash drive

2024-07-02 Thread Lee
On Tue, Jul 2, 2024 at 5:27 AM jeremy ardley wrote:
>
>
> On 2/7/24 16:24, Lee wrote:
>
> And if I don't want to leave Internet footprints - or if I just want
> to give the finger to whoever is watching, I'll use the tor browser.
>
>
> That is probably the worst thing you can do. On my last check *most* Tor exit 
> points are operated by intelligence or police agencies.

OK.. I'll bite.  How do you know most Tor exit points are operated by
intelligence or police agencies?

I mean, it sounds reasonable, but how do you *know*?

> Going about your business just using a regular ISP makes it unlikely anyone 
> will pay attention to you unless you frequent disreputable sites.
>
> Using Tor will automatically put you on a watch list.

Yeah.  I've heard that too.  But using tor - or any encryption, is
still legal, so what I'm doing doesn't even rise to the level of civil
disobedience.
So if they're going to put me on a list, they're going to put me on a
list.  I've been using tor since however long ago when it came bundled
with privoxy, so I doubt that me not using tor now is going to make a
difference.

> Your identity can easily be found because your ip address at the exit point 
> will be recorded and matched with ISP records.

Indeed.  The TOR documentation used to be up-front about tor not being
proof against a global adversary, so I doubt the NSA needs to bother
my ISP asking for records.
I was just poking around on torproject.org (which has been rumored to
be enough to get one on a watch list) and I don't see any strong
warnings about using tor :(  Or even much of anything that would
discourage one from using TOR.
Oh well.. I guess they need lots of cannon fodder to provide covering
traffic for .. who?

Regards,
Lee



Re: how2 format a flash drive

2024-07-02 Thread Lee
On Mon, Jul 1, 2024 at 6:13 PM jeremy ardley wrote:
>
>
> On 1/7/24 21:05, Lee wrote:
> >> Visual Studio Code allows you to edit HTML and preview it using Live
> >> Server plugin
> >>
> >> https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
> > Thanks, but no thanks.  That seems to include the Microsoft spyware
> > licensing:  https://code.visualstudio.com/license
> >Data Collection. The software may collect information about you and
> > your use of the software, and send that to Microsoft.
> >
> VS Code Telemetry is easily turned off.
>
> https://code.visualstudio.com/docs/getstarted/telemetry#_disable-telemetry-reporting

Except the license says
You may opt-out of many of these scenarios, but not all, as described
in the product documentation located at
https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting.

So
1. you can't opt-out of _all_ telemetry.  .. at least according to the license.
2. opt-out is evil.  Any group that uses opt-out is evil.  They only
do opt-out because they _know_ almost no one would opt-in.

> In the more general case, telemetry is not in itself considered 'evil'.

Anything opt-out I consider 'evil'.

> For example Debian comes with telemetry that you can enable or disable.
> https://popcon.debian.org/

That's opt-in, so a completely different case.

> Firefox, and just about any other web browser you use also has
> telemetry. e.g. https://support.mozilla.org/en-US/kb/telemetry-clientid

I know & I don't like it.  But it's like apple vs. google -- which one
is less evil?
I have an iPhone so that should tell you what I think.

> To be certain your activity is private you will have to disconnect
> completely from the internet as any software that uses any internet
> resource will automatically leak information about you.

If I use Internet resources I know that I can be tracked .. but **only
when using the Internet**.  Microsoft spyware is always-on tracking
that can't be turned completely off.

And if I don't want to leave Internet footprints - or if I just want
to give the finger to whoever is watching, I'll use the tor browser.
So I have options when I get on the Internet.  I don't see any options
when the OS or my tools are spying on me other than don't use that OS
or those tools.

Regards,
Lee



Re: how2 format a flash drive

2024-07-01 Thread Lee
On Mon, Jul 1, 2024 at 4:53 AM jeremy ardley  wrote:
>
>
> On 1/7/24 10:32, Lee wrote:
> > Bluefish looks like a possible replacement for notepad++  but it
> > doesn't [seem to?] support WYSIWYG editing of html files.
>
>
> Visual Studio Code allows you to edit HTML and preview it using Live
> Server plugin
>
> https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer

Thanks, but no thanks.  That seems to include the Microsoft spyware
licensing:  https://code.visualstudio.com/license
  Data Collection. The software may collect information about you and
your use of the software, and send that to Microsoft.

Regards,
Lee



Re: Browser traffic interception/inspection

2024-06-30 Thread Lee
On Sun, Jun 30, 2024 at 11:30 AM Max Nikulin wrote:
>
> On 30/06/2024 12:56, Jeffrey Walton wrote:
> >>> On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> >>>> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> >>>> start C:\"Program Files\Firefox\Firefox.exe"
> [...]
> > Browsers do not support the passive capture/replay that OP wants.

It works for me in Windows.

This looks like the Debian bug report
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292

> Lee, may you, please, specify Firefox version and release channel you
> are using on Windows where this feature is working?

Firefox 115.12.0esr -- which is the current extended service release software
I'm not sure what you mean by release channel .. ESR?  If I go to
https://www.mozilla.org/en-US/firefox/115.12.0/releasenotes/
under "Download Firefox" there's links to
Windows 64-bit and Windows 64-bit MSI

wow!  I've been letting firefox update itself for awhile now.  What I
installed was Firefox Setup 68.3.0esr.msi

Lee



Re: how2 format a flash drive

2024-06-30 Thread Lee
Hi,

On Sat, Jun 29, 2024 at 1:12 PM Dan Ritter wrote:
>
> Lee wrote:
> > My gripes and difficulties are the same thing.  No universal image
> > viewer like IrfanView,
>
> `apt search image viewer` suggests:  eog, eom, ephoto, photoqt..
> among dozens of others. But start with one of those.

Thanks, I'll check them out.

> > an html editor would be nice -- something along
> > the lines of the seamonkey html editor but current software and
> > supported
>
> `apt search html editor` offers a bunch of suggestions, but
> really most editors have support for specialized syntax checking
> and previews and such. You might try bluefish.

Bluefish looks like a possible replacement for notepad++  but it
doesn't [seem to?] support WYSIWYG editing of html files.

I'll save recipes that look good and try them later.  But I don't want
all the fluff that goes with most recipes, so I trim them down
drastically;
delete all the , all the comments,
all the kitchenware they're trying to sell me...  All I want is the
recipe

> > , something equivalent to notepad++
>
> Assuming that you don't want the graphical forms of emacs or

Right.  If I was going to climb the emacs learning curve I'd have done
it 20 years ago :)

> vim,

While I like vim and occasionally do use it for html editing, what
usually happens is running the file thru tidy and then edit with vim.
I'd rather have a WYSIWYG html editor that lets me delete tables, rows
or columns at a time.  Or, since everybody wants to move to CSS,
delete all the goop in a specific 

> >, something equivalent to
> > winmerge (meld is nice, but isn't really a substitute)
>
> You will have to be specific about what makes meld "not a
> substitute". Assume whoever you are talking to doesn't know what
> winmerge is.

Meld is beautiful.  Meld looks **good**  But I find it a distraction
and _much_ harder to figure out what the difference is between two
files or merge updates from  file to  file.
Maybe I've just gotten used to winmerge &  to get to
the next difference and  to copy the missing text
from the left window to the right window.  I can do most everything
from the keyboard.  Maybe because I haven't used it that much but I
was using the mouse a lot in meld.

> > , a cloneSpy equivalent would be nice
>
> duff, perforate, rdfind, dupeguru...

Thank you.  More things to check out :)

> > Exact Audio Copy doesn't work on Linux, but supposedly does run under
> > wine so that's a possibility..
>
> You want to pull stuff off of an optical disk? cdparanoia, or
> one of the things that wraps it like ripit or ripperx.

Yup.  I want to pull music off a CD and make MP3s of it.
2 cars ago I had a CD caddy in the trunk - I could play 6 CD worth of
music without having to change anything.
Now my car has a USB port; that + a 16GB thumb drive is more than 12
hrs worth of drive time enjoyment (as much as droning along at 55MPH
can be called enjoyment)

> > Debian firefox does NOT allow one to do
> > TLS intercept - ie. this does not work:
> > C:\UTIL>cat firefox-tlsdecode.bat
> > set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> > start C:\"Program Files\Firefox\Firefox.exe"
> >
> > @rem wireshark:
> > @rem   edit / preferences
> > @rem   protocols / tls  (v2.6: protocols / ssl)
> > @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> > filename (was SSL debug file entry)
>
> I have no idea what you are trying to do there, but I'm sure a
> DOS batch file won't run here, especially since it appears to
> mostly be comments.
>
> Describe what you want to do, not how you want it to happen.

I want to be able to use wireshark to look at encrypted web traffic.  eg
https://everything.curl.dev/usingcurl/tls/sslkeylogfile.html

Regards,
Lee



Re: Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-30 Thread Lee
Hi,

On Sat, Jun 29, 2024 at 4:45 PM Jeffrey Walton wrote:
>
> On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> >
> > [...] Debian firefox does NOT allow one to do
> > TLS intercept - ie. this does not work:
> > C:\UTIL>cat firefox-tlsdecode.bat
> > set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> > start C:\"Program Files\Firefox\Firefox.exe"
> >
> > @rem wireshark:
> > @rem   edit / preferences
> > @rem   protocols / tls  (v2.6: protocols / ssl)
> > @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> > filename (was SSL debug file entry)
>
> I'm not sure who your complaint is against -- Debian, Firefox or
> Linux. I'm also not sure that it is a valid complaint.

It is 100% a valid complaint.  And it's a complaint against Debian
because they're the ones that turned off that functionality.
They have , I disagree, I'm free to build Firefox for myself,
get somebody else to do it for me, or get it somewhere else.

  ... which is the downside of free software.  Technically, yes, I'm
free to build the software with whatever I want enabled, with whatever
changes I want added/deleted.
In practice, my ability to build Firefox is .. lacking :(

> Firefox uses its own certificate store. If you want to proxy your
> traffic, then the proxy's root cert needs to be in Mozilla's
> certificate store. See
> <https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox>.

Right.  I have privoxy & occasionally do set it for +https-inspection
when I want it to inspect/modify web traffic.

> Chrome is different.

I've never used Chrome & don't intend to.

> When you are intercepting/inspecting traffic, you typically setup your
> proxy, and then proxy Firefox and Chrome traffic through your proxy.
> The proxy can run on your local machine, like 127.0.0.1. Your proxy's
> root certificate should be in the browser's store (as described
> above).

Or you can tell firefox to write the SSL key info to a file that
wireshark can read & then decrypt the traffic.
For example
  https://everything.curl.dev/usingcurl/tls/sslkeylogfile.html

Best Regards,
Lee



Re: how2 format a flash drive

2024-06-29 Thread Lee
On Tue, Jun 25, 2024 at 7:26 PM George wrote:
>
> On Wednesday, 26-06-2024 at 05:43 Lee wrote:
> > On Tue, Jun 25, 2024 at 11:47 AM Joe  wrote:
> > >
> > > On Tue, 25 Jun 2024 09:53:41 -0400
> > > Lee wrote:
> > >
> > > > My old laptop died; I just got a new one and it has _no_ optical
> > > > drive.  But the Debian install from flash instructions were excellent
> > > > & I now have a laptop running Debian.
> > > >
> > > > My question is: how do I reformat the flash drive so it's usable as a
> > > > "normal" flash drive again?
>
> Did you try gparted, a user friendly graphical partition manager?

No.  It wasn't installed and fdisk was, so I went with fdisk.

> > Yes, but I did the "burn the boats" thing with my new desktop & wiped
> > windows and installed debian.
>
> Good on you !  I support you in this move.
>
> If you have any grips or difficulties, please mention them.

My gripes and difficulties are the same thing.  No universal image
viewer like IrfanView, an html editor would be nice -- something along
the lines of the seamonkey html editor but current software and
supported, something equivalent to notepad++, something equivalent to
winmerge (meld is nice, but isn't really a substitute), a cloneSpy
equivalent would be nice, I'm getting used to the linux privoxy log
viewer vs. the iconified thing that sits there on the windows taskbar,
Exact Audio Copy doesn't work on Linux, but supposedly does run under
wine so that's a possibility.. Debian firefox does NOT allow one to do
TLS intercept - ie. this does not work:
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"

@rem wireshark:
@rem   edit / preferences
@rem   protocols / tls  (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
filename (was SSL debug file entry)

But the major things that were keeping me from migrating to Debian are
fixable now in xfce:
The xfce4-terminal window can be configured so that left double click
selects a "word" and right click pastes it in
installing bits of the Chicago95 theme makes all the scrollbars
permanently visible, with up & down arrows at either end of the scroll
bar that scroll by one line
clicking in the scrollbar trough above or below the bar scrolls the
window up one window size instead of jumping to that point in the
scroll buffer

> > My remaining Windows 10 machine goes end of life... at the end of the
> > year?  So I need to learn how to live without windows -- which I have

> I would like you to keep a diary of your journey, of what challenges you face 
> and how you moved past, this could help other people you know who want to 
> make this journey.

I don't know how helpful a diary of my journey would be.  My workplace
had a policy of Windows for the desktop and RedHat for servers in data
centers, so I got used to cygwin on windows to ssh into linux servers
(that other people maintained).  Then Microsoft came out with the
Windows 10 spyware/operating-system-as-a-service and it was clearly
time to abandon ship.  Which wasn't possible at work, but at home I
don't have to put up with the M$ crapware so.. new machine, blow away
everything that came installed on it and install Debian on the PC at
home.

To make a long story short, I have years of experience with the
end-user side of linux & almost none with the maintenance side.. like
formatting thumb drives or anything requiring sudo access.

> I wonder what UI you are using?

Xfce

Lee



Re: Need help with narroely focused use case of Emacs

2024-06-29 Thread Lee
Hi,

> > So you may prefer to use regexes as
> > Murphy intended, handling both the opening and closing tags at the same
> > time, leaving the intervening text intact.
>
> In this particular case I suspect it would become overly complex.
> I've already discovered that the order of edits is important.

I guess it depends on what you're used to.  I don't think this bit is
overly complex .. your opinion might be different

$ cat /tmp/z
cat /dev/null > txtfile.html
for v in $(seq 1 12); do echo ' text
text text ' >> txtfile.html; done
sed -Ei.bak 's@([^<]*)@\1@g' txtfile.html

$ bash z

$ cat txtfile*
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 
 text text text 

$

Regards,
Lee



Re: new laptop: how2 enable suspend / hibernate?

2024-06-26 Thread Lee
On Tue, Jun 25, 2024 at 3:34 PM Van Snyder  wrote:
>
> On Tue, 2024-06-25 at 09:47 -0400, Lee wrote:
>
> My old laptop died - a tiny little pop and it powered off.  So I've
> lost my implementation reference.
>
> If you can get the disk drive out of your old laptop, get a USB adapter for 
> it. Then you can look at your installation logs.

I hadn't thought of that -- thanks!

> But I can't suspend or hibernate the laptop :(  Both options are
> greyed out.  How do I enable suspend / hibernate?

Not being able to do suspend or hibernate seems to be a function of
UEFI boot.  I never figured out how to do UEFI boot before, so I never
had a problem with suspend or hibernate.

I seem to have found a work-around tho..

lee@laptop:~$ cat /etc/sudoers.d/adm-grp-privs
# members of the adm group can run certain commands as root without supplying
# a password
#   Andrei POPESCU  Sun, Dec 5, 2021 at 10:46 AM
#   To: debian-user@lists.debian.org
#   Re: Don't try this at home kids

# every entry but the last ends in ", \" so the list continues on the next line
Cmnd_Alias ADM_COMMANDS = /usr/bin/dmesg, \
  /usr/bin/apt list, \
  /usr/bin/apt update, \
  /usr/bin/systemctl suspend, \
  /usr/sbin/checkrestart, \
  /usr/sbin/needrestart, \
  /usr/sbin/reboot

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS

lee@laptop:~$ cat ~/bin/sleep
#!/bin/bash
# put the machine to sleep (i hope.  how to know **for sure**??
sudo systemctl suspend

and make a keyboard shortcut so that s calls ~/lee/bin/sleep
so members of the adm group can do certain commands with sudo privs and then

Lee
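A hand-typed Cmnd_Alias list like the one above invites two mistakes: a missing "\" at the end of one continuation line (everything after it becomes a separate, invalid line) and a dangling ", \" after the last command. The following is an added example, not from the list post or from the sudo project: a small static linter for a sudoers.d fragment that catches both, reports the file mode, and notes which commands are listed without arguments (sudoers semantics: a command given without arguments may be run with any arguments, whereas "/usr/bin/apt list" is pinned to that one invocation). `visudo -cf FILE` remains the authoritative syntax check and is run when it is installed; the two fragments written by the helpers are constructed to mirror the posted file's shape.

```shell
#!/bin/sh
# Added example (not from the list post): static checks for a sudoers.d
# fragment before it is installed. Paths are placeholders.

# Print problems found in fragment $1; return 1 if any were found.
sudoers_lint() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function check(l,   rhs, items, n, i, it) {
            if (l == "" || l ~ /^#/) return
            if (l ~ /^\//) { print "stray command list (missing \\ on the line above?): " l; bad++ }
            if (l ~ /,$/)  { print "trailing comma: " l; bad++ }
            if (l ~ /^Cmnd_Alias/) {
                rhs = l
                sub(/^Cmnd_Alias[ \t]+[A-Za-z0-9_]+[ \t]*=[ \t]*/, "", rhs)
                n = split(rhs, items, ",")
                for (i = 1; i <= n; i++) {
                    it = trim(items[i])
                    # a command listed without arguments may be run with ANY arguments
                    if (it != "" && it !~ /[ \t]/)
                        print "note: " it " may be run with any arguments"
                }
            }
        }
        {
            l = trim($0)
            if (joined != "") l = trim(joined " " l)
            if (l ~ /\\$/) { joined = substr(l, 1, length(l) - 1); next }   # continues
            joined = ""
            check(l)
        }
        END {
            if (joined != "") { print "continuation \\ at end of file"; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# sudo expects fragments to be root-owned with mode 0440; check the mode.
sudoers_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 440 ] || [ "$mode" = 0440 ]
}

# Full check: lint, mode, and visudo -cf when visudo is available.
sudoers_check() {
    rc=0
    sudoers_lint "$1" || rc=1
    sudoers_mode_ok "$1" || { echo "mode is not 0440"; rc=1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" || rc=1
    fi
    return $rc
}

# Constructed fragment with both mistakes: no "\" after "systemctl suspend",
# and ", \" after the last command followed by a blank line.
write_broken_fragment() {
    cat > "$1" <<'EOF'
Cmnd_Alias ADM_COMMANDS = /usr/bin/dmesg, \
  /usr/bin/apt list, \
  /usr/bin/systemctl suspend
  /usr/sbin/reboot, \

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS
EOF
}

# The same fragment with both mistakes fixed.
write_fixed_fragment() {
    cat > "$1" <<'EOF'
Cmnd_Alias ADM_COMMANDS = /usr/bin/dmesg, \
  /usr/bin/apt list, \
  /usr/bin/systemctl suspend, \
  /usr/sbin/reboot

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS
EOF
}

# Example usage: sudoers_check /etc/sudoers.d/adm-grp-privs
```

The "may be run with any arguments" notes are informational, not errors: for `dmesg` that is harmless, but the same pattern with a command that accepts a file or script argument would hand the group more than intended, so each unpinned entry deserves a glance.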



Re: how2 format a flash drive

2024-06-25 Thread Lee
On Tue, Jun 25, 2024 at 12:48 PM Hans wrote:
>
> You can easily reformat it, either using fdisk or if you want a GUI, use
> gparted.

I just learned about fdisk today -- thank you!

Lee



Re: how2 format a flash drive

2024-06-25 Thread Lee
On Tue, Jun 25, 2024 at 11:47 AM Joe  wrote:
>
> On Tue, 25 Jun 2024 09:53:41 -0400
> Lee wrote:
>
> > My old laptop died; I just got a new one and it has _no_ optical
> > drive.  But the Debian install from flash instructions were excellent
> > & I now have a laptop running Debian.
> >
> > My question is: how do I reformat the flash drive so it's usable as a
> > "normal" flash drive again?
> >
> > Nothing I tried worked.. I ended up putting the thumb drive in a
> > Windows machine and formatting it there; it would be nice to know how
> > to restore the thumb drive to working order on Debian.
> >
>
> Experience suggests that if it will be used on a Windows machine, e.g.
> for file transfer, it's probably best to format it in Windows.

Yes, but I did the "burn the boats" thing with my new desktop & wiped
windows and installed debian.
My remaining Windows 10 machine goes end of life... at the end of the
year?  So I need to learn how to live without windows -- which I have
mostly.  I just haven't adjusted to Linux and the horrible UI :(  Or
how user _un_friendly linux can be.  Whoever came up with scroll bars
that play hide & seek should be tarred & feathered.

Lee



Re: how2 format a flash drive

2024-06-25 Thread Lee
On Tue, Jun 25, 2024 at 1:28 PM Thomas Schmitt  wrote:
>
> Hi,

Hi,
I don't know what happened, but your msg _finally_ showed up in my inbox.
Strange how it was delayed for so long..

> Lee wrote:
> > My question is: how do I reformat the flash drive so it's usable as a
> > "normal" flash drive again?
>
> You have to delete the partitions of the USB stick which came with
> the ISO.
> Then you create one or more partitions.
> Then you format them to a writable filesystem each.
>
> If it shall serve for file exchange with MS-Windows or Macs, then you
> probably want just one partition with FAT as filesystem.
>
> I would do the first and second step by program "fdisk" and the third
> step by program "mkfs.fat".

Yes.  That's the answer.
I was missing the fdisk bit and mkfs wasn't working for me.  Or at
least not working until I did the fdisk :)

> In hindsight it would of course have been advisable to make a copy
> of the USB stick to an image file before putting the netinst ISO onto it.
> Assuming that the USB stick is /dev/sdc and you home directory offers
> enough space for the size of the USB stick this would have been something
> like:
>
>   dd if=/dev/sdc bs=1M of="$HOME"/usb_stick.img
>
> Later you would put it back onto the USB stick the same way as you did
> with the netinst ISO image.

Thanks for that, but all I was using this thumb drive for was putting
movies on it & plugging it into a travel router so I could watch
movies on a TV with no ads.
In other words, there's nothing on the thumb drive that isn't expendable.

Thanks,
Lee



how2 format a flash drive

2024-06-25 Thread Lee
My old laptop died; I just got a new one and it has _no_ optical
drive.  But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.

My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?

Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.

Thanks,
Lee



new laptop: how2 enable suspend / hibernate?

2024-06-25 Thread Lee
My old laptop died - a tiny little pop and it powered off.  So I've
lost my implementation reference.

My new laptop is a Lenovo v15 G3 - installing
debian-12.5.0-amd64-netinst.iso from a flash drive was trivially easy.
Whoever worked on the how to install Debian from flash did an
excellent job.

But I can't suspend or hibernate the laptop :(  Both options are
greyed out.  How do I enable suspend / hibernate?

TIA,
Lee



Re: [ SOLVED] Re: Yet ANOTHER ThunderTurd ( Thunderbird ) topic... Text Size

2024-06-03 Thread Lee
On Mon, Jun 3, 2024 at 2:14 PM Bret Busby wrote:
>
> On 4/6/24 00:10, James H. H. Lampert wrote:
> > I will say that one should probably not expect perfection from an email
> > reader that's named after a cheap wine.
>
> ?

Thunderbird wine was extremely inexpensive and 42 proof.
In retrospect I'm a bit surprised that I've never tried it.  Ripple,
yes. Boone’s Farm, yes. Thunderbird? no.

Lee



Re: tree with dir size

2024-06-01 Thread Lee
On Fri, May 31, 2024 at 11:18 PM Greg Wooledge wrote:
>
> On Fri, May 31, 2024 at 09:35:59PM -0500, David Wright wrote:
> > If a coloured ] is unimportant, I suppose you could use:
> >
> >   tree --du -Fh whatever | grep --color '][[:space:]][[:space:]].*/$'
>
> You don't need to count spaces.  Just '].*/$' would suffice.  We already
> know we want to start with the first ] character on the line, no matter
> how many spaces follow it.
>
> I really question the usefulness of colorizing the directory names,
> but since we're already this far down the rabbit hole, we might as
> well light some dynamite to make the hole deeper.  I'm sure it's safe!
>
> We're using GNU grep for coloring, so we can also use its PCRE syntax
> to do "lookbehind" voodoo:
>
> tree --du -Fh /usr/local | grep --color -P '(?<=]).*/$'
>
> which means "start matching after a ] but don't include the ] in the
> match".

Or use  '\K' to cause previously matched characters to not be included
in the match:

   tree --du -Fah . | grep --color -P '[^]]*]  \K.*/$'

(which required entirely too much RTFMing to learn about '\K')

Regards,
Lee



Re: "Repeaters", etc.

2024-05-28 Thread Lee
On Mon, May 27, 2024 at 7:08 PM Stefan Monnier wrote:
>
> > I'd like to shop for such a device, but I don't know what it's called.
>
> I think it's called a "wireless bridge".
>
> Any device with a wifi card and (at least) an ethernet port can do that.
> So "any" wifi router will do the trick, as long as you can get it to run
> a firmware that's not hopelessly restricted.
>
> I'd recommend you look at the routers supported by OpenWRT.

+1 for OpenWRT supported routers
supported devices are listed here
  https://openwrt.org/toh/start

If all you want is a wireless bridge you can probably get by with a
woefully underpowered router.  Put the wan and lan ports on vlan 1 so
there's no router or firewall involved and disable dns, dhcp, etc. so
it's just ethernet <=> wifi

I've got a pair of TP-Link Archer C7s that are now out of production
but cost about $55 when new that do a great job with everything on
vlan 1.

> Of course, if you can do it with cables (ethernet/powerline/younameit)
> it's probably going to work better, but I guess you know that already.

+1 again - cables are better.  Even with a house you're most probably
going to get some interference from the houses around you :(

Regards,
Lee



Re: youtube-dl blocked?

2024-04-26 Thread Lee
On Fri, Apr 26, 2024 at 11:37 AM Curt wrote:
>
> On 2024-04-26, Lee wrote:
> > On Wed, Apr 24, 2024 at 12:43 PM Curt wrote:
> >>
> >> On 2024-04-24, David Wright wrote:
> >> >
> >> > My experience was similar to Bret's, only I'd long got used to not
> >> > just taking Debian's proffered version, but checking whether there
> >> > was a newer version somewhere around. It was in February 2023 when
> >>
> >> I had to use it once for a friend of my wife. I downloaded the
> >> github version (as it keeps abreast of the frequent breakages, and I
> >> lack the moral rigor of our numerous purists).
> >
> > I should probably switch to using the Debian package; I lack the moral
> > rigor to keep it updated :(
> >
   <.. snip output showing how old my software is ..>
>
> I'm really not a very technical person at heart, but what I found at
> once slightly disturbing and mildly surprising was the lack of
> understanding of how the whole shebang works for a majority of my
> contemporaries.

Right.  Ask someone to explain what all is involved with getting a
packet from  to  on the Internet.  I suspect most would
ask "What's a packet?"

> I mean, my wife went to the url of the youtube video,
> downloaded *that* from her browser, and then expressed a certain
> confusion that what she had downloaded onto her hard drive was not the
> video itself, but something else entirely.

  My wife knows that won't work; she skips directly to the "can
you do this for me" step.

> There was no use trying to explain to her anything at all; she only
> wanted the video for her friend, and if I could get it for her, that was
> the full extent of her desire. She wasn't interested in understanding
> how it "works" fundamentally. Her attitude was and is: you're interested
> in that sort of thing, but I'm not and am not going waste my time with
> whatever it is.
>
> There are many intelligent people floating around the world with similar
> attributes. What can you do for them but what you can do for them?

Try explaining?  If they don't want to know that's one thing but if
you keep it simple enough maybe they'll listen & learn something.

Regards,
Lee



Re: youtube-dl blocked?

2024-04-26 Thread Lee
On Wed, Apr 24, 2024 at 12:43 PM Curt wrote:
>
> On 2024-04-24, David Wright wrote:
> >
> > My experience was similar to Bret's, only I'd long got used to not
> > just taking Debian's proffered version, but checking whether there
> > was a newer version somewhere around. It was in February 2023 when
>
> I had to use it once for a friend of my wife. I downloaded the
> github version (as it keeps abreast of the frequent breakages, and I
> lack the moral rigor of our numerous purists).

I should probably switch to using the Debian package; I lack the moral
rigor to keep it updated :(

$ which youtube-dl
/usr/local/bin/youtube-dl

$ youtube-dl --version
2021.12.17

$ which yt-dlp
/usr/local/bin/yt-dlp

$ yt-dlp --version
2023.03.04

Regards,
Lee



Re: Bluetooth sound problems playing from a web browser

2024-04-07 Thread Lee
On Sun, Apr 7, 2024 at 3:30 PM Richmond wrote:
>
> Richmond writes:
>
> > Richmond writes:
> >
> >> When playing videos in a web browser, and sending the sound to a
> >> bluetooth speaker (amazon echo) I get playback problems; stuttering,
> >> sound quality reduction to AM radio level or lower). These things can
> >> clear up after a minute or two, or be reduced.
> >>
> >> When playing from nvlc however I get no such problems. (I haven't
> >> tried vlc so I am not sure if it is just that it is a command line).
> >>
> >> I have tried google-chrome and firefox-esr.
> >>
> >> Perhaps there is some other browser which will work? Maybe I need to
> >> isolate the process from the browser? I tried pop-out picture on you
> >> tube and it improved but there was still stuttering.
> >
> > I installed Falkon and Konqueror. I tried Falkon and it worked fine, no
> > sound problems. But then I tried Google-chrome again and that was
> > working fine too, and so was Firefox-esr. The problems have gone away
> > and even rebooting doesn't bring them back. Maybe one of those browsers
> > brought a better library with it.
>
> These problems have come back again.

So unless you've updated or installed new hardware or software it's
probably not a firmware/software issue.

> I have tried rebooting. I tried
> sending the same audio from an android phone and it works fine. How do I
> find out what the problems is? I cannot see errors in journalctl

It's possible that wifi or usb 3.0 could be interfering with your
bluetooth speakers - eg
https://www.zdnet.com/article/usb-3-and-usb-c-devices-can-cause-problems-with-wi-fi-and-bluetooth-connections-but-theres-a-solution/
https://sortatechy.com/spot-and-fix-bluetooth-interference-with-wifi/

If your PC is using wireless and can use a 5Ghz channel, try moving
your PC wireless to a 5Ghz channel first.
If you PC only supports 2.4Gh wireless you can install linssid
  https://packages.debian.org/bookworm/linssid
and pick a relatively unused channel for your PC wireless.  Or just
try channels 1, 6 and 11 and see if any of those makes a difference..

If you're using a USB 3.0 device on your PC try turning it off or
moving it to a USB 2.0 port and see if that fixes the bluetooth
interference.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 4:07 PM Andy Smith  wrote:
>
> Hi,
>
> On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
   ... snip ...
>
> Documentation and integration is perpetually out of date in Linux.

Right.  Intellectually I know that; emotionally I find it a bit
difficult to accept.

> Also no one can agree on which documentation is canonical,

another area I'm struggling to accept.  Seeing referrals to the Arch
wiki on a debian mailing list just seems wrong..

> > Is there really nothing better than sudo find /  > files with uid or gid perms> and try to figure out which of those
> > programs are not necessary?
>
> I don't think there is, no. After finding each of those things you
> would need to do some research on each one.

Right.  That's what I was trying to avoid.

> Those that are
> particularly worrisome probably already do have some notes
> somewhere.
>
> > $ sudo crontab -l
> >...
> >  47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
> >   (apt list --upgradable 2>/dev/null |\
> >   egrep -v '^Listing' >| /etc/motd)
>
> You may like to look in to "apticron-systemd" for a systemd timer
> that does the above.

Nope.  I can't remember what I asked on this list years ago, but I got
a few suggestions on how to be notified about software updates and
ended up writing my own script.  If nothing else, I trust it to work
properly.
I also trust that if there's a problem with my script someone will let
me know :)

Thanks,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 2:32 PM Andy Smith  wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 11:24:08AM -0400, Greg Wooledge wrote:
> > On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > > https://www.debian.org/doc/manuals/debian-handbook/
> > >
> > > This has a chapter on security, so possibly it would be appropriate
> > > to mention "mesg n" there.
> >
> > A more proactive endeavor would be to document known best practices
> > on the wiki.
>
> Personally I'll read the handbook before the wiki, but I'm fairly
> confident that the vast majority of users will read neither. 😀
>
> Which leads me to ask OP which hardening documents have they
> actually already read, and would the advice be suitable for those?

Read and understood?  None

I have looked at the Debian Administrator's Manual and the Securing
Debian Manual.  I'll bet not enough has sunk in though.

Years ago, I had to do CIS router security benchmarks for work so I
know what went into a network security analysis & how much background
knowledge was necessary to implement the policy ..  Which is why I'm
_sure_ I don't have enough background knowledge to do an adequate
threat analysis for a Debian machine.

I guess I'm just lazy :)  and looking for a short-cut instead of doing
the hard work and figuring it out for myself.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:48 PM Curt wrote:
>
> On 2024-03-28, Greg Wooledge wrote:
> >
> > A more proactive endeavor would be to document known best practices
>
> It makes no fucking difference, because your important data is elsewhere
> and completely out of your control.

Agreed - your important data is elsewhere and completely out of your
control.  But I don't think that's a good reason to quit trying.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:28 PM tomas wrote:
>
> On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> > On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> [...]
>
> > > Security means first and foremost understanding the threat.
> >
> > Which I don't.  Hence the request for 'secure by default' instructions
> > for Debian.  Even better would be a secure by default installation
> > option.
>
> This makes little sense. No threat analysis -- no security. Security
> is always a relative (to the threat model) term, "security by default"
> suggests something absolute. This ain't going to work.

I disagree.  I don't think I'm qualified to make an adequate threat
analysis for a Debian system and yet
  $ sudo aa-status
  apparmor module is loaded.
  21 profiles are loaded.
  19 profiles are in enforce mode.
 ...
  6 processes are in enforce mode.

so apparently somebody else has done a threat analysis and decided
apparmor is the appropriate mitigation strategy?

I'm coming to the realization that more is wishful thinking, but
still.. it would be nice if I didn't feel like I was facing such an
overwhelmingly steep learning curve.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
> Hope this helps a little bit.

Yes, it does.  I was hoping for something simple but it's becoming
clear to me that there's no simple "make Debian secure for dummies"
checklist to follow.

Thanks,
Lee


On Thu, Mar 28, 2024 at 11:43 AM Hans wrote:
>
> Hello,
> personally I think, the best way is to plan, what you want to do with your
> system. What is its task. How secure it shall be.
>
> And then just think of: What can happen? For example: Can someone boot with an
> external medium? Do more than one person have admin rights? How do people
> access? Can the server be stolen? And so on.
>
> Make a list, do brainstorming with other people. Learn from other hacks.
>
> And then act for every point you made. Think, how can this and this and this
> attack be inhibited, how can it be noticed and is there an alarm and so on.
>
> For my personal experience, I never saw an attack in the past, which was not
> prepared. Before, portscans or simple bruteforce attacks are running.
>
> Here I am talking of activists and script kiddies, not APT's. APT's are much
> more difficult to defend and to discover, they can, but very, very difficult.
>
> A good point to start is the doc "securing debian", and then, after you did
> this, think of, what you have forgotten and what did the docu not tell.
>
> IT-Security is no software, it is a process, and you will have to learn for
> years, which is normal. The attackers learn, the defenders, too.
>
> There is no straight, golden way, every server is different, and so is its
> defence. As I said, it's a concept, and this can change over the years.
>
> Hope this helps a little bit.
>
> Best regards
>
> Hans



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 11:24 AM Greg Wooledge  wrote:
>
> On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > I'm just not sure that you'll find any "hardening" guide that will
> > specifically say "disable writing to your terminal as there might be
> > a bug in a binary that is setgid tty" before yesterday's reveal that
> > there is such a bug in "wall".
> >
> > The more general advice to audit every setuid/setgid binary is more
> > likely to be present.
> [...]
> > If the maintainer of util-linux doesn't agree, then the next thing
> > I'd try is a bug against the Debian Administrator's Handbook:
> >
> > https://www.debian.org/doc/manuals/debian-handbook/
> >
> > This has a chapter on security, so possibly it would be appropriate
> > > to mention "mesg n" there.
>
> A more proactive endeavor would be to document known best practices
> on the wiki.  A quick search found a couple pages that might serve
> as starting points:
>
> https://wiki.debian.org/SecurityManagement
> https://wiki.debian.org/Hardening  -- says it's for package maintainers
>
> Anyone who is serious about such a project probably has a long road ahead
> of them.

Is there a generally preferred web link checker program for Debian?
I took a look at
  https://www.debian.org/doc/manuals/securing-debian-manual/ch04s15.en.html
and the 4.15. Protecting against buffer overflows section has this bit:
recompile the source code to introduce proper checks that prevent
overflows, using the
 http://www.research.ibm.com/trl/projects/security/ssp/ patch for GCC
(which is used by
 http://www.adamantix.org)

http://www.research.ibm.com/trl/projects/security/ssp/ patch gives me
a connect failed and
http://www.adamantix.org sends me to a Vietnamese TV site??

Seems to me that an easy first step would be to check that all the
links still work.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> Are there any users logged in to your computer you dont't trust?
>
> Thought so.
>
> Relax.
>
> Security means first and foremost understanding the threat.

Which I don't.  Hence the request for 'secure by default' instructions
for Debian.  Even better would be a secure by default installation
option.

To be clear, I'm not all that concerned about _this_ CVE.  I've got
the disable_mesg.sh file in /etc/profile.d so sending messages with
control codes to other terminals should be disabled for all.

My concern is all the other stuff that I don't even know about that
could be configured in a more secure manner but isn't.  For heaven's
sake, the man page says

   Traditionally, write access is allowed by default.  However,  as  users
   become  more  conscious  of various security risks, there is a trend to
   remove write access by default, at least for the primary  login  shell.
   To  make  sure  your ttys are set the way you want them to be set, mesg
   should be executed in your login scripts.

Clearly at least the man page writer realized there was a threat there
_and chose not to remove the threat_ !?

So what other goodies are there that I don't know about?  Is there
really nothing better than sudo find /  and try to figure out which of those programs are not
necessary?

And I'm still a bit surprised that needrestart isn't included as part
of the default install.  Or at least as part of the synaptic package
manager install.  I never guessed that I would _not_ be warned that I
needed to reboot after updating software with the synaptic package
manager -- that didn't happen until after I installed needrestart.

> Randomly
> reaching into the CVE box will most probably keep you from actually
> working on your real issues. E.g. your browser.

I think it's up to date:
$ cat /etc/motd

lee@spot ~
$ sudo crontab -l
[sudo] password for lee:
   ...
 47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
  (apt list --upgradable 2>/dev/null |\
  egrep -v '^Listing' >| /etc/motd)

> Or your social media
> account.

I've never had one.

> Cheers
>
> [1] https://xkcd.com/1200/

I like the quote I saved from the full disclosure mailing list back
when it was fun & exploits were mailed out as attachments:

And at some point, you really have to ask yourself "Is this really a
plausible attack method, or did I forget to take my meds again?"
   -- Valdis Kletnieks

Regards
Lee



Re: making Debian secure by default

2024-03-27 Thread Lee
On Wed, Mar 27, 2024 at 10:22 PM Andy Smith wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
> >   Some distros, like Debian, do not seem to have a command like
> >   command-not-found by default.
>
> […]
>
> > Which implies that Debian is secure by default against this particular
> > exploit
>
> I suspect if OP is worried about users potentially falling for a
> fake sudo password prompt then OP is probably not happy about all
> the other possibilities around putting arbitrary text on a user's
> terminal.

Yes, that.

I'm not thrilled with the idea of anybody putting arbitrary text on
someone else's terminal; what really concerns me is the ability to
send control codes.  Wasn't there some exploit that involved injecting
text and a control code that acted like a carriage return?

Lee



Re: making Debian secure by default

2024-03-27 Thread Lee
On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
>
> Hi,
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> It doesn't work by default on Debian as it relies on
> command-not-found automatically running on the user's input.
> command-not-found can be installed, however…
>
> > oof.  Are there instructions somewhere on how to make Debian secure by 
> > default?
>
> Between the fact that "secure" means different things to different
> people and that this advisory was only released a few hours ago, I
> don't think you can reasonably expect documentation to already be
> published for your standard of "secure".

You snipped the bit from the man page about users becoming more
conscious of various security risks & removing write access by
default.
Considering how long it takes something to migrate into stable I'm
guessing that man page is pretty old.  So I don't think it's
unreasonable to expect some kind of secure by default installation
option.

> There is a general push to get rid of setuid/setgid binaries. A lot
> of "hardening" guides will suggest looking for setuid/setgid
> binaries and deciding if you really need them.

The problem with that is how many users are knowledgeable enough to
know if something is necessary or not?

> As you've never heard of "mesg" and probably don't use "wall" I
> doubt you will have any issues chmod 0 /usr/bin/wall and then
> setting it immutable¹ with chattr +i.

I suppose that's one way.  I'd rather uninstall it.

> You could put a call to "mesg n" into a file in /etc/profile.d so
> that all users execute it.

Good idea:
$ ls -l /etc/profile.d/disable_mesg.sh
-rw-r--r-- 1 root root 383 Mar 28 00:15 /etc/profile.d/disable_mesg.sh

$ cat /etc/profile.d/disable_mesg.sh
# man mesg
#...
#  Traditionally, write access is allowed by default.  However,  as  users
#  become  more  conscious  of various security risks, there is a trend to
#  remove write access by default, at least for the primary  login  shell.
#  To  make  sure  your ttys are set the way you want them to be set, mesg
#  should be executed in your login scripts.

/usr/bin/mesg n


Then logout / login and..
$ mesg
is n

Thanks
Lee
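The "audit every setuid/setgid binary" advice above is easier to act on when each hit comes with the name of the package that ships it, because the research then starts from package descriptions rather than bare paths. The script below is an added example, not code from anyone in this thread; it assumes POSIX find, ls and awk, treats dpkg as optional (without it every file is reported as "unpackaged"), and does not handle paths containing spaces.

```shell
#!/bin/sh
# Added example, not code from the thread: inventory every setuid/setgid file
# below a directory and attribute each one to the Debian package that ships it.
# Assumptions: POSIX find/ls/awk; dpkg optional (no dpkg -> "unpackaged");
# paths with spaces are not handled.

# list_privileged_bins ROOT
#   Prints "mode owner:group path" for each regular file below ROOT with the
#   setuid bit (s in the owner execute slot) or setgid bit (s in the group
#   execute slot) set. -xdev keeps find on ROOT's filesystem, so /proc, /sys
#   and network mounts are not walked.
list_privileged_bins() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3 ":" $4, $NF }'
}

# package_of PATH
#   Name of the Debian package owning PATH (dpkg -S), or "unpackaged" when no
#   package claims it. An unpackaged privileged binary is the first thing to
#   look at: no maintainer has vetted it and no security update will reach it.
package_of() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | sed 's/: .*$//' | head -n 1 | grep . \
            || echo unpackaged
    else
        echo unpackaged
    fi
}

# audit_privileged_bins ROOT
#   One line per privileged file: "mode owner:group package path".
#   dpkg -S reads every package file list per call, so this takes a few
#   seconds for the 30-40 privileged binaries a default install has.
audit_privileged_bins() {
    list_privileged_bins "$1" | while read -r mode owner path; do
        printf '%s %s %s %s\n' "$mode" "$owner" "$(package_of "$path")" "$path"
    done
}

# Typical use on a whole system (root is needed to read every directory),
# sorted by package so the ones you can remove together stand out:
#   sudo sh -c '. ./audit-privileged.sh; audit_privileged_bins /' | sort -k3
```

Remove the package rather than chmod-ing the file where you can (dpkg will not restore the bits on upgrade, but a reinstall will); for files you must keep, the same list is the starting point for an AppArmor profile or a `dpkg-statoverride` entry that records the tightened mode.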



making Debian secure by default

2024-03-27 Thread Lee
I just saw this advisory
  Escape sequence injection in util-linux wall (CVE-2024-28085)
https://seclists.org/fulldisclosure/2024/Mar/35
where they're talking about grabbing other users sudo password.

Apparently the root of the security issue is that wall is a setgid program?

Even more fun is the instructions
  To make sure the PoC will work, make sure your victim user can
  actually receive messages. First check that mesg is set to y
  (`mesg y`). If a user does not have mesg turned on, they are not
  exploitable.

WTF??  I've never heard of a mesg, but
  $ which mesg
  /usr/bin/mesg

So.  There is a program called 'mesg',  hrmmm..
  man mesg
...
  Traditionally, write access is allowed by default.  However,  as  users
  become  more  conscious  of various security risks, there is a trend to
  remove write access by default, at least for the primary  login  shell.
  To  make  sure  your ttys are set the way you want them to be set, mesg
  should be executed in your login scripts.

oof.  Are there instructions somewhere on how to make Debian secure by default?

Thanks,
Lee



Re: Root password strength

2024-03-22 Thread Lee
On Fri, Mar 22, 2024 at 9:02 AM Jan Krapivin  wrote:
>
> The thing that bothers me are words: "any computer (and a fortiori any 
> server) connected to the Internet is regularly targeted by automated 
> connection attempts"

Change it to "any computer (and a fortiori any server) >>using IPv4
and directly<< connected to the Internet is regularly targeted by
automated connection attempts"
and yes, I'm 100% confident they're getting automated connection attempts.

Why the qualifier >>using IPv4 and directly<< connected?

The IPv4 address space is only 32 bits long.  Scanning 2^32 = about
4,000,000,000 addresses for an open port is easily doable.
The IPv6 address space is a bit harder...  Let's just say that 7/8th
of the IPv6 address space is reserved[1] so that means 2^125 addresses
would need to be scanned .. which just isn't going to happen.
There are ways for attackers to get the IPv6 address scan space down
to a reasonable number.  I probably don't know most of them..

What's the difference between "connected" and "directly connected"?
None of my computers are directly connected to the Internet.
Everything is hiding behind a firewall that supposedly blocks _all_
unsolicited traffic coming in from the Internet.
So however much I believe no unsolicited traffic is allowed into my
network is about how much I believe there are no automated connection
attempts to my computers.

> I am not tech-savvy. Can you say with 100% (90%?) confidence that there is no 
> such thing? That home PC without SSH and whatever complicated is safe (rather 
> safe) from "automated connection attempts"?

What makes it more fun is that it is not only SSH that could allow an
attacker in. A quick & easy check is to look for open ports - eg.
  sudo ss -lptu

shows you all the programs listening for new connections (right now ..
10 minutes from now could be a whole different thing).
Except.. oops.. not _all_ the programs listening for new connections.
While writing this I tried

$ sudo ss -lwnp
State  Recv-Q  Send-Q   Local Address:Port   Peer Address:Port Process
UNCONN 0   0  0.0.0.0:255 0.0.0.0:*  users:(("atop",pid=186997,fd=4))

so there's atop allowing connections on a "raw" socket.  .. whatever that is.
And there's the non-tcp/udp protocols like GRE or IPSec (think VPN
tunnels) where connections might be allowed in.

> This thread reminded of that topic - 
> https://forums.debian.net/viewtopic.php?t=154002

Indeed.  Is a firewall necessary or no?  Some say yes, some say no.

I look at a firewall as the place where you implement your basic
network security policy.  Should SSH be allowed in from the Internet?
NetBIOS?  how about SNMP?
I fall into the "some say yes" camp because I say the firewall is
where those questions should be answered.

Regards,
Lee


[1] 
https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

The assignable Global Unicast Address space is defined in [RFC3513] as
the address block
defined by the prefix 2000::/3. [RFC3513] was later obsoleted by [RFC4291].



Re: Root password strength

2024-03-20 Thread Lee
On Wed, Mar 20, 2024 at 3:50 PM Pierre-Elliott Bécue wrote:
>
> From: Lee
> To: Pierre-Elliott Bécue
> Cc: Debian Users ML 
> Date: 20 March 2024 20:40:52
> Subject: Re: Root password strength
>
> > On Wed, Mar 20, 2024 at 1:47 PM Pierre-Elliott Bécue  wrote:
> >>
> >> Brad Rogers wrote on 20/03/2024 at 18:39:30+0100:
> >>> On Wed, 20 Mar 2024 17:09:31 +0100
> >>> Pierre-Elliott Bécue wrote:
> >>>
> >>> Hello Pierre-Elliott,
> >>>
> >>>> Most of the time, writing down a password is a very bad idea.
> >>>
> >>> Not in your own home.  And in any event, it depends where one keeps that
> >>> 'written down' password.
> >>>
> >>> And if it *does* become an issue at home, you've got bigger, more
> >>> immediate, problems to deal with;  Of the intruder variety.
> >>
> >> You have a rather bad cybersecurity approach. And you did not do a
> >> proper risk assessment.
> >
> > The OP said
> > - My password is easy because i am not afraid of direct physical
> > access to the computer.
> >
> > That seems like a good enough risk assessment to me, but please
> > explain what you think is "a proper risk assessment."
> >
> > Thanks,
> > Lee
>
> As stated elsewhere, I am done with this thread. Therefore I do not intend to 
> reply here.
>
> If you still want an answer I am happy to reply privately.

Yes, I would like an answer.  I've got passwords written down at home,
so I started thinking about it and I'm much more concerned about other
papers I have at home like bank statements etc. that could do much
more damage to me if they ended up in the wrong hands than a password
to an AP

Thanks
Lee



Re: Root password strength

2024-03-20 Thread Lee
On Wed, Mar 20, 2024 at 1:47 PM Pierre-Elliott Bécue  wrote:
>
> Brad Rogers  wrote on 20/03/2024 at 18:39:30+0100:
> > On Wed, 20 Mar 2024 17:09:31 +0100
> > Pierre-Elliott Bécue  wrote:
> >
> > Hello Pierre-Elliott,
> >
> >>Most of the time, writing down a password is a very bad idea.
> >
> > Not in your own home.  And in any event, it depends where one keeps that
> > 'written down' password.
> >
> > And if it *does* become an issue at home, you've got bigger, more
> > immediate, problems to deal with;  Of the intruder variety.
>
> You have a rather bad cybersecurity approach. And you did not do a
> proper risk assessment.

The OP said
- My password is easy because i am not afraid of direct physical
access to the computer.

That seems like a good enough risk assessment to me, but please
explain what you think is "a proper risk assessment."

Thanks,
Lee



Re: Hyphen-minus passwd

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:50 PM Nicolas George wrote:
>
> Computer Planet (12024-03-07):
> > How can I create this password with a hyphen in front?
> >
> > # openssl passwd -6 -salt username -password
> >
> > This is the response message when I try:
> > passwd: Unknown option: -passwd
>
> Hi. No it is not. Start by copy-pasting EXACTLY what is in your
> terminal.

You're going to rag on him for not copy-pasting EXACTLY when you could
have just told him the standard way to get a leading hyphen accepted
on the command line is to backslash escape it!??

rude



Re: Hyphen-minus passwd

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:44 PM Computer Planet  wrote:
>
> Hi guys!
> Please, Can someone help me?
>
> How can I create this password with a hyphen in front?
>
> # openssl passwd -6 -salt username -password
>
> This is the response message when I try:
> passwd: Unknown option: -passwd
>
> Thanks for reply!

$ openssl passwd -6 -salt username \\-password
$6$username$7 ..etc..
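An added example, not part of the thread: feeding the password to `openssl passwd` on stdin sidesteps option parsing altogether, so a leading hyphen needs no escaping, and it also keeps the secret out of argv, where `ps` shows it to every local user on the machine. Note that an unquoted `\\-password` reaches openssl as the literal string `\-password`, backslash included, so the resulting hash is of a different password. The check function assumes the default `$6$salt$hash` layout (no `rounds=` field) and the block assumes OpenSSL 1.1.1 or newer for `-6` and `-stdin`.

```shell
#!/bin/sh
# Added example, not part of the thread: hash a password that begins with a
# hyphen by passing it on stdin, and verify a candidate against the result.
# Assumes openssl passwd with -6 and -stdin (OpenSSL 1.1.1+), and a hash of
# the default form $6$<salt>$<hash> (no rounds= field).

# hash_password SALT PASSWORD
#   Prints the SHA-512 crypt ($6$) string. printf supplies the trailing
#   newline openssl expects per password; the password itself is never an
#   argument to openssl, so "-password" cannot be mistaken for an option.
hash_password() {
    printf '%s\n' "$2" | openssl passwd -6 -salt "$1" -stdin
}

# check_password HASH CANDIDATE
#   Recomputes with the salt embedded in HASH (third $-separated field) and
#   succeeds only on an exact match.
check_password() {
    salt=$(printf '%s' "$1" | cut -d '$' -f 3)
    [ "$(hash_password "$salt" "$2")" = "$1" ]
}

# e.g.
#   h=$(hash_password username -password)
#   check_password "$h" -password && echo match
```

For a shadow entry the salt should be random rather than the user name, for instance `openssl rand -base64 12 | tr -dc './0-9A-Za-z' | cut -c1-16`; the functions above take any salt the caller supplies.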



Re: Commandline client to lookup MAC vendor

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:22 PM Thomas Pircher wrote:
>
> On 2024-03-07 10:11, Ralph Aichinger wrote:
> > Any idea if one or the other is preferable or newer?
>
> I think there is not much difference between the two files, the
> ieee-data packages the data directly from the IEEE, with nmap you have
> one intermediary project that needs to download and release the file
> before Debian can pick it up.
>
> Then on the other hand, the ieee-data package is one minor version
> behind on the data, while the nmap file was modified ~6 months ago in
> Debian's VCS.
>
> The only difference I can see is that with the ieee-data package you get
> some visibility which upstream version was used, while it would take
> more effort to trace that back in the nmap case.

I haven't tried either package - I just use the file from IEEE
  https://standards-oui.ieee.org/oui/oui.txt



Re: medically smart watches

2024-02-24 Thread Lee
On Sat, Feb 24, 2024 at 12:06 PM gene heskett wrote:
>
> On 2/24/24 11:03, Loïc Grenié wrote:
> > On Sat Feb 24th, 2024, at 16:03, Gene Heskett wrote:
> >
> > Greetings all;
> >
> > As most of you know I'm a DM-II, but the recent shortage of
> > trulicity, a
> > weekly self administerd shot that helps regulate one's blood guclose
> > levels has got us scrambling for alternatives.  So a month back I
> > bought
> > one of the so called smart watches that purports to monitor blood sugar.
> >
> >
> > "purports" appears to be the correct verb
> > https://www.fda.gov/medical-devices/safety-communications/do-not-use-smartwatches-or-smart-rings-measure-blood-glucose-levels-fda-safety-communication
> >  
> > <https://www.fda.gov/medical-devices/safety-communications/do-not-use-smartwatches-or-smart-rings-measure-blood-glucose-levels-fda-safety-communication>
> >
> I got a msg from our state AG warning me about these, but it was 2 days
> after I had ordered this thing. Too little warning, too late, but I'm
> the curios type, and this device looks good so I would like to see how
> it compares with the antique finger prick model we've been using since
> Hector's great grandfather was a puppy.. New tech sometimes work pretty
> good while the FDA seems to try to protect old tech.

Give the FreeStyle Libre 14 day sensor a try - it's so much nicer than
poking holes in yourself whenever you want to know what your blood
sugar is.
There's a reader you have to buy or a current enough smart phone can
be used as a reader.

What I'd like to find is software that lets me get the data off the
reader into my PC.  Abbott wants everything uploaded to their servers
and I quit reading the terms of service when it got to them giving out
my data after 'anonymising' it.

Regards
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 10:51 PM Ralph Aichinger wrote:
>
> On Fri, 2024-02-02 at 20:25 -0500, Lee wrote:
> > I figure there's a high percentage of keyboard jockeys here so ..
> > which keyboard do you like and why?
>
> I like the flat style similar to what is in many notebooks. Current
> favourites are the Apple keyboards (expensive though, for what they
> are), the Microsoft Designer Compact Keyboard (stupid generic model
> name), that seems to have a problem for some that the electronics die
> prematurely, it might not be able to connect any longer after some
> time. Great if it works though, can often be gotten relatively cheaply
> for about half the normal price. Very minimal design, you can't take
> away much more from a keyboard:
>
> https://www.microsoft.com/en/accessories/products/keyboards/microsoft-designer-compact-keyboard?activetab=pivot:overviewtab

That looks nice for a tablet or something that you'll be carrying around.

> And a new fascination of mine, the Logitech MX series, also kind
> of expensive, and with rather ugly design, but typing feels just
> wonderful.

Logitech seems to be quitting the corded keyboard business :(  I go to
their keyboard selection site, select full sized with numpad and
corded and only two keyboards show up - the one I pulled out of the
closet that I think is too tall and a K-845.  I don't have a whole lot
of luck with batteries or wireless, so a cord is a must for me.

> Of the cheaper ones, I like the Logitech k280e. Feels quite OK for the
> price, not on the level of the obove three though. Also large, clunky
> and heavy.
>
> I used to be a full layout (with keypad) person, but recently I began
> to like the smaller layouts. Takes up less space on the desk, only
> thing I miss are the full cursor keys. Easier to move around on the
> desk, which I do a lot.
>
> Keyboards are a product where preferences diverge a lot and are very
> personal. Fortunately there is lots of choice in the market currently.

As I'm seeing :)

Thanks
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 9:09 PM Nate Bargmann wrote:
>
> * On 2024 02 Feb 19:26 -0600, Lee wrote:
> > I bought a Dell desktop in 2019 and the keyboard just died :(
> >
> > ssh in from another machine & do a 'sudo reboot now' and get an alert
> > about 'Keyboard not found.'  on power up.  The keyboard also doesn't
> > work in another machine so it's really & truly dead.
> >
> > I figure there's a high percentage of keyboard jockeys here so ..
> > which keyboard do you like and why?
>
> I have several of the now classic IBM Model M keyboards I procured in
> the '90s.  Modern BIOSes don't like them even with a PS/2 to USB
> adapter so I gave up on them.  The Lenovo KU-0225 is a good keyboard
> with the "standard" extra keys that are useful in some desktops.  It is
> full size and quiet.
>
> My main keyboard is a daskeyboard I bought several years ago with the
> Cherry key switches  It is thick so you might not like it and it is
> loud.  It has the same number of keys as the Lenovo, 104, I think.  This
> one was not cheap while the Lenovo was considerably less expensive.

Full size and quiet are good qualities :)  Tall not so much.. the
Logitech that I pulled out of the closet and think is too high is less
than 1 inch high.  The Lenovo is listed as 1.34 inches, so that's
probably not for me.
Thick and loud is  a no, so I'll pass on the daskeyboard.

Thanks
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 8:57 PM Russell L. Harris  wrote:
>
> On Fri, Feb 02, 2024 at 08:25:09PM -0500, Lee wrote:
> >which keyboard do you like and why?
>
> CHERRY MX BOARD 3.0 (Purchased several years ago; in daily use since.)
> Excellent mechanical quality of the keyswitch.  Keyswitch plungers
> which start sticking (high resistance upon depression) is the biggest
> problem I have found.  The next-greatest problem is intermittent
> contact of key switch contacts.  Both problems are maddening for the
> touch typist.

OK - good to know.  I am a touch typist, so I guess I'm giving that one a pass.
Thanks
Lee



what keyboard do you use?

2024-02-02 Thread Lee
I bought a Dell desktop in 2019 and the keyboard just died :(

ssh in from another machine & do a 'sudo reboot now' and get an alert
about 'Keyboard not found.'  on power up.  The keyboard also doesn't
work in another machine so it's really & truly dead.

I figure there's a high percentage of keyboard jockeys here so ..
which keyboard do you like and why?

I have a Logitech k740 attached to my Windows machine which is ok.
Not great but OK.
I found a spare Logitech k120 keyboard in the closet; it's better than
nothing but too thick for regular use.
And the old Dell keyboard from the Windows machine - also too thick,
the keys are too cramped and lettering has worn off on about 1/4 of
the keys (which is why I got the Logitech 740)

Thanks
Lee



Re: in an object oriented world

2024-01-26 Thread Lee
Hi,

On Fri, Jan 26, 2024 at 8:46 AM songbird wrote:
>
> John Hasler wrote:
> > songbird writes:
> >> any process which does not respond should be thus cast into the outer
> >> darkness of the bits and never to return (aka a virus or unauthorized
> >> program).

Q: is javascript sourced from who knows where on the Internet
considered an unauthorized program?

if no, have you heard of "malvertising"?

> > Malware can lie.  A virus can infect an authorized program and use its
> > credentials.
>
>   objects are only created by authorized calls to other
> objects so there is no pathway to infect if done correctly.

I hate it when someone blithely tosses off that "if done correctly"
nonsense - ignoring the last 60+ years of computer history that shows
people more often than not CANNOT actually "do it correctly."

I came across this recently
  https://thephd.dev/c-undefined-behavior-and-the-sledgehammer-guideline

TL;DR: undefined behavior yields incorrect behavior
    if (i >= 0 && i < sizeof(tab)) {
        printf("tab[%d] looks safe because %d is between [0:%d]\n",
               i, i, (int)sizeof(tab));
        return tab[i];
    }
doesn't actually verify that i is always within limits.

$ cat bad-behavior.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

uint8_t tab[0x1ff + 1];

int safe = 0;

uint8_t f(int32_t x)
{
    if (x < 0)
        return 0;
    if ( safe ) { /* do a valid overflow check */
        if ((INT32_MAX / 0x1ff) <= x) {
            printf("overflow prevented!\n");
            return 0;
        }
    }
    int32_t i = x * 0x1ff / 0xffff;
    /* signed integer overflow yields undefined behavior */
    if (i >= 0 && i < sizeof(tab)) {
        printf("tab[%d] looks safe because %d is between [0:%d]\n",
               i, i, (int)sizeof(tab));
        return tab[i];
    }
    return 1;
}

int main(int argc, char **argv)
{
    (void)argc;
    memset(tab, 0, sizeof(tab));
    if ( strcmp(argv[1], "safe") == 0 ) safe = 1;
    return f(atoi(argv[2]));
}
/*
 * https://thephd.dev/c-undefined-behavior-and-the-sledgehammer-guideline
 *
 * gcc -O2 -o bad.exe bad-behavior.c
 * ./bad unsafe 50000000
 * tab[62183] looks safe because 62183 is between [0;512]
 */

$ gcc -O2 -o bad.exe bad-behavior.c

$ ./bad unsafe 50000000
tab[62183] looks safe because 62183 is between [0:512]

$ ./bad   safe 50000000
overflow prevented!


>   if you do not allow random objects to be created that
> are not verified and vetted then there are no viruses.

That sounds so very easy.  Not so easy to do in practice, but it sure
_sounds_ easy enough.

>   note, i'm just kicking this around and wondering if it
> really would be possible.

I'd vote for possible but improbable.

Regards,
Lee
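The "safe" branch in the bad-behavior.c program above checks the input before the multiplication, which is the only place a check can help once the product may overflow. The block below is an added example, not code from this thread, from Lee, or from the thephd.dev article: it shows two ways to compute the same table index with no undefined behaviour left for the compiler to exploit (a pre-multiplication overflow test via the GCC/Clang builtin __builtin_mul_overflow, and arithmetic done in int64_t so overflow cannot happen), plus a third function that redoes the unchecked expression in uint32_t, where wrap-around is defined, to explain where the bogus 62183 came from. The table size 0x1ff + 1 and the scale 0x1ff are taken from the program above; the divisor 0xffff is assumed from the referenced article; the function names are this example's own.

```c
/* Added example: the index computation from bad-behavior.c rewritten so the
 * compiler has no undefined behaviour to exploit.  Constants: table size and
 * scale from the thread's program; the divisor 0xffff is assumed from the
 * thephd.dev article (the archive copy of the thread garbled it). */
#include <stdint.h>
#include <stdio.h>

#define TAB_SIZE 512      /* sizeof(tab) in the thread's program: 0x1ff + 1 */
#define SCALE    0x1ff
#define DIVISOR  0xffff   /* assumed from the referenced article */

/* Returns the table index for x, or -1 if x is negative, x * SCALE would not
 * fit in int32_t, or the index is out of range.  __builtin_mul_overflow is a
 * GCC/Clang builtin that reports overflow instead of performing it, so the
 * product is only formed when it is representable. */
int32_t index_checked(int32_t x)
{
    int32_t prod;
    if (x < 0 || __builtin_mul_overflow(x, SCALE, &prod))
        return -1;
    int32_t i = prod / DIVISOR;
    return (i < TAB_SIZE) ? i : -1;
}

/* Same contract, but the multiplication is done in int64_t, which cannot
 * overflow for any int32_t input (|x| * 511 < 2^41), and the range check is
 * applied to the wide result before it is narrowed back to int32_t. */
int32_t index_wide(int32_t x)
{
    if (x < 0)
        return -1;
    int64_t i = (int64_t)x * SCALE / DIVISOR;
    return (i < TAB_SIZE) ? (int32_t)i : -1;
}

/* For comparison only: the unchecked expression evaluated with unsigned
 * arithmetic, where wrap-around modulo 2^32 is defined.  One reading of the
 * -O2 output in the thread (an assumption, not something the compiler
 * guarantees) is that, having been allowed to assume x >= 0 and no signed
 * overflow, the optimiser divided the wrapped product as if it were
 * non-negative; this function reproduces that value (62183 for 50000000). */
uint32_t wrapped_index(int32_t x)
{
    uint32_t prod = (uint32_t)x * (uint32_t)SCALE;   /* wraps mod 2^32 */
    return prod / (uint32_t)DIVISOR;
}

int main(void)
{
    /* constructed inputs: two that fit, the last in-range index, the first
     * out-of-range index, and the thread's overflowing value */
    int32_t inputs[] = { 5000, 65663, 65664, 50000000 };
    for (size_t n = 0; n < sizeof inputs / sizeof inputs[0]; n++) {
        int32_t x = inputs[n];
        printf("x=%d checked=%d wide=%d wrapped=%u\n",
               x, index_checked(x), index_wide(x), wrapped_index(x));
    }
    return 0;
}
```

Both safe variants reject 50000000 outright instead of returning a "valid looking" index; the rejection decision is made before or without the overflow, never after it.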



Re: how to clone apt repository to newest only?

2023-12-27 Thread KangWoo Lee
I live in South Korea.
Most of the government systems in Korea operate in a closed environment and
are not connected to the internet.
This is because they are vulnerable to security.

Anyway, I decided to use the update dvd image.
Alternatively, it would be good to create the image directly using jigdo.

Thanks to all of you for your help.

On Wed, Dec 27, 2023 at 7:33 AM, Andrew M.A. Cater wrote:

> On Tue, Dec 26, 2023 at 04:49:13PM -0500, Roy J. Tellason, Sr. wrote:
> > On Tuesday 26 December 2023 09:34:00 am Andrew M.A. Cater wrote:
> > > Living offline is not really feasible anymore - there are too many
> > > security updates needed.
> > (snip)
> > > Linux distributions do update and you should ideally be running the
> > > latest most up to date security patches.
> >
> > I must be missing something here.  If one is running a system that's NOT
> net-connected,  why is security so important an issue?
> >
>
> You always have to hope that it remains not connected :)
>
> Remembering that each point update introduces fixes which may clear
> previous problems, it is always worth keeping the system up to date.
>
> Given the inadvertent upstream kernel problems we gained during the 12.3
> release which resulted in 12.4 and that we then needed 12.5 relatively
> immediately to solve problems that some users had - if you'd _only_
> had the 12.4 medium, you might have had problems which could only have
> been fixed by being net connected to pick up the appropriate kernel.
>
> Just because you have a (relatively) isolated system doesn't mean that
> your system shouldn't be consistent, patched and up to date which will
> allow you to be sure that known vulnerabilities have been addressed.
>
> There's nothing like the joy of inheriting a system tucked away somewhere
> that hasn't been updated or rebooted in five years and not knowing what
> you might expect when logging in, what services are running or what will
> happen if you have to reboot. Marginally better because you know about it
> than finding the system that everything depends on is undocumented,
> running on a system with dead disks in the RAID and that has just
> been bounced by the unscheduled power outage when the UPS failed ..
>
> > --
> > Member of the toughest, meanest, deadliest, most unrelenting -- and
> > ablest -- form of life in this section of space,  a critter that can
> > be killed but can't be tamed.  --Robert A. Heinlein, "The Puppet Masters"
> > -
>
> Sounds like a project manager imposing random requirements :)
>
> All the very best, as ever,
>
> Andy Cater
> (amaca...@debian.org)
>
> > Information is more dangerous than cannon to a society ruled by lies.  --James M Dakin
> >
>
>


Re: how to clone apt repository to newest only?

2023-12-26 Thread KangWoo Lee
The reason I'm asking for this feature is that

For example, I want to install the most recent packages when installing an
OS in a specific closed network environment.

Of course, I could use a recently created DVD iso file, but I would need to
have an internet connection to apply files that have been updated since
this ISO was created, so I only want to copy and apply the most recent
packages.

Is there any way to do this?




On Mon, Dec 25, 2023 at 11:05 PM, Andrew M.A. Cater wrote:

> On Mon, Dec 25, 2023 at 12:21:29PM +0000,  wrote:
> [Copied to the poster because they may not be subscribed]
>
> > how to clone apt repository to newest only?
> > Fedora/Red Hat will organize the repository by copying only the most
> recent packages from that distribution if you give it the "reposync
> --newest-only" option, but Debian doesn't seem to be able to do that.
> >
> > What can I do?
> >
> >
> Hi
>
> By default, apt will check the dates on the package manifests and bring you
> up to date based on that.
>
> If you install from nothing then the installer will do the same assuming
> that you have an internet connection.
>
> reposync is really a Red Hat ecosystem specific command, I think.
>
> (already answered on the list: can I suggest that you subscribe to the
> list)
>
> Andy
> (amaca...@debian.org)
>
>


Re: Test

2023-12-22 Thread Lee
On Fri, Dec 22, 2023 at 4:08 PM Tixy  wrote:
>
> On Fri, 2023-12-22 at 12:15 -0500, Pocket wrote:
> > This is a test of the emergency broadcast system
>
> Please stop spamming the 1000 or so people subscribed to this list.

Would forwarding his message to commun...@debian.org and asking for a
one month suspension violate the mailing list rules?

I think no, but that might be wishful thinking..



Re: time question, as in ntp?

2023-11-29 Thread Lee
On Wed, Nov 29, 2023 at 12:50 PM gene heskett wrote:
>
> Greetings all;
>
> I have a 3d printer, an arm64 controller running ambian buster
> it has an address of 169.254.xx.xx/16
> it can ping this machine but something is killing full net access, so it
> can't set its time.

With a 169.254.x.x address I'm surprised it can talk to anything else
on your network.

Your internet router is running dd-wrt - correct?
Why not enable the dhcp server software on that and serve static IP
addresses to everything on your network?
eg  https://wiki.dd-wrt.com/wiki/index.php/Static_DHCP

Your /etc/hosts files will still work and you'll stop getting
169.254.x.x addresses assigned to your machines.

Regards,
Lee



Re: Bookworm: NetworkManager

2023-10-27 Thread Lee
On Mon, Oct 23, 2023 at 8:29 PM Andy Smith wrote:
>
> Hi,
>
> On Sun, Oct 22, 2023 at 06:36:28PM -0400, Lee wrote:
> > My understanding is that ISC no longer supports their dhcp client
> > software so the isc-dhcp-client package will go away someday?
> > correct?  & I suspect whatever works today will break when the new
> > software comes out, so I'd rather get a head-start on how to work
> > with the replacement.
> >
> > How can I find out who is working on what replacement?
>
> There was a fairly recent conversation on debian-devel over what to
> replace isc-dhcp-client with for the trixie release onwards:
>
> https://lists.debian.org/debian-devel/2023/06/msg00184.html
>
> My understanding is that ultimately the choice will be made by the
> ifupdown maintainer, assuming that remains the default way to
> configure networking on trixie absent other dependencies.
>
> Unfortunately there does not seem to be a public response by the
> ifupdown maintainer jo...@debian.org in that thread.

Thanks for the info.  I was thinking about replacing dhclient with the
new whatever but I guess I can wait and burn that bridge when I get to
it

Best Regards,
Lee



Re: Bookworm: NetworkManager

2023-10-23 Thread Lee
On Sun, Oct 22, 2023 at 7:13 PM Pocket wrote:
>
> On 10/22/23 18:36, Lee wrote:
> > On Sun, Oct 22, 2023 at 1:18 PM Greg Wooledge  wrote:
> >> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> >>> Just out of curiosity, why didn't you use the example from
> >>> https://wiki.debian.org/resolv.conf and do
> >>>
> >>> echo 'make_resolv_conf() { :; }' >
> >>> /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> >>> chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> >> Because that only affects isc-dhcp-client, and does nothing for other
> >> DHCP clients, such as Network Manager.
> > I can sort of understand that an all volunteer project is going to
> > have some rough edges and inconsistencies, but this is a bit much.  My
> > understanding is that ISC no longer supports their dhcp client
> > software so the isc-dhcp-client package will go away someday?
> > correct?  & I suspect whatever works today will break when the new
> > software comes out, so I'd rather get a head-start on how to work with
> > the replacement.
> >
> > How can I find out who is working on what replacement?
> >
> > Thanks
> > Lee
> >
>
> https://www.isc.org/kea/

Yes, that's the ISC replacement.  But I get the impression Debian is
leaning towards using dhcpcd
https://lists.debian.org/debian-boot/2023/06/msg00121.html
https://lists.debian.org/debian-devel/2023/07/msg00277.html

There's a very good chance I'm missing something, which is why I'm
asking what will be the new default dhcp client software?  (for
debian)

Thanks
Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sun, Oct 22, 2023 at 1:18 PM Greg Wooledge  wrote:
>
> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> > Just out of curiosity, why didn't you use the example from
> > https://wiki.debian.org/resolv.conf and do
> >
> > echo 'make_resolv_conf() { :; }' >
> > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> > chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
>
> Because that only affects isc-dhcp-client, and does nothing for other
> DHCP clients, such as Network Manager.

I can sort of understand that an all volunteer project is going to
have some rough edges and inconsistencies, but this is a bit much.  My
understanding is that ISC no longer supports their dhcp client
software so the isc-dhcp-client package will go away someday?
correct?  & I suspect whatever works today will break when the new
software comes out, so I'd rather get a head-start on how to work with
the replacement.

How can I find out who is working on what replacement?

Thanks
Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sun, Oct 22, 2023 at 11:25 AM  wrote:
>
> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> > On Sat, Oct 21, 2023 at 4:24 PM Pocket wrote:
> > >
> > > Ding ding ding we have a winner
> >
> > Just out of curiosity, why didn't you use the example from
> > https://wiki.debian.org/resolv.conf and do
> >
> > echo 'make_resolv_conf() { :; }' >
> > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> > chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
>
> Does NetworkManager honour this? Or is that "just" a
> dhclient thing?

I don't know.

my /etc/network/interfaces has
iface enp1s0 inet6 dhcp

and my /etc/NetworkManager/system-connections/Wired\ connection\ 1 has
[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=dhcp

but /etc/network/interfaces overrides /etc/NetworkManager - correct?
So maybe I'm just using dhclient and have no idea if this works for
NetworkManager or not.

Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sat, Oct 21, 2023 at 4:24 PM Pocket wrote:
>
> Ding ding ding we have a winner

Just out of curiosity, why didn't you use the example from
https://wiki.debian.org/resolv.conf and do

echo 'make_resolv_conf() { :; }' >
/etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone

Are you using NTP?  If yes, how are you keeping dhcp from over-writing
your ntp.conf?
I had to comment out the "ntp_servers_setup" line in
/etc/dhcp/dhclient-exit-hooks.d/ntp to keep dhcp from messing up my
list of ntp servers.

Regards,
Lee


>
> cat /etc/resolv.conf
> # Generated by NetworkManager
> search example.org
> nameserver 127.0.0.1
> nameserver ::1
> options edns0 trust-ad
>
> This make this work
>
> sudo cat /etc/NetworkManager/NetworkManager.conf
> [main]
> plugins=ifupdown,keyfile
>
> [ifupdown]
> managed=false
>
> [device]
> wifi.scan-rand-mac-address=no
>
> [global-dns]
> searches=example.org
> options=edns0 trust-ad
>
> cat /etc/NetworkManager/system-connections/Wired\ connection\ 1.nmconnection
> [connection]
> id=Wired connection 1
> uuid=fe51b7a9-f0a9-32b9-ba1d-7a4dd08d0718
> type=ethernet
> autoconnect-priority=-999
> interface-name=end0
> timestamp=1697818643
>
> [ethernet]
>
> [ipv4]
> dns=127.0.0.1;
> dns-search=example.org;
> ignore-auto-dns=true
> method=auto
>
> [ipv6]
> addr-gen-mode=default
> dns=::1;
> dns-search=example.org;
> ignore-auto-dns=true
> method=auto
> [proxy]
>
> [.nmmeta]
> nm-generated=true



Re: Intermittent WiFi on Network Manager

2023-10-09 Thread Lee
On 10/9/23, Ottavio Caruso  wrote:
> Am 08/10/2023 um 11:42 schrieb Lee:
>> On 10/7/23, Ottavio Caruso  wrote:
>>> Am 07/10/2023 um 11:11 schrieb gene heskett:
>>>> Another possibility is a leaky microwave oven in the vicinity
>>>
>>> This is an urban legend and an excuse I was using when I was in tech
>>> support.
>>
>> It's real.  Try it yourself - run iperf for 2 minutes, display the
>> bandwidth report every second and then start the microwave for 1
>> minute.
>>
>> I get the thruput cut in half or more when the microwave is on.
>> Which is an improvement on the previous microwave which used to kill a
>> wireless connection. (which was super annoying when the wife was doing
>> work-from-home & I wasn't allowed to use the microwave _at_all_ during
>> the day.  I suspect that's the reason she got a toaster oven)
>>
>> Is it fairly well-known that microwave ovens interfere the most on channel
>> 11?
>> I just tried linssid again and there's a bunch of APs on channel 1 &
>> 6, one on channel 2 and two on channel 8.  Nothing on channel 11.
>>
>> Lee
>>
>>
>
> So the microwave should be running 100% 24/7? What is it? Am I
> surrounded by 24/7 greasy spoons? I'm more inclined to believe in a
> buggy driver implementation. All the nearby Windows laptops run fine.

In other words, you didn't try running iperf and then starting the
microwave, right?
Or you did and don't want to admit that your microwave interferes with wifi.

Either way, take a look at
  https://www.acrylicwifi.com/en/blog/performing-wifi-spectrum-analysis-information-provided/#How_to_Perform_a_Professional_Site_Survey

scroll down just a bit and see
The most common devices that create interference and noise in a
wireless infrastructure are:

Some of those do run 24/7.  And finally
  https://www.zdnet.com/article/usb-3-and-usb-c-devices-can-cause-problems-with-wi-fi-and-bluetooth-connections-but-theres-a-solution/
which I've never seen in action, just read about.

Lee



Re: Intermittent WiFi on Network Manager

2023-10-09 Thread Lee
On 10/8/23, gene heskett  wrote:
> On 10/8/23 07:43, Lee wrote:
>> On 10/7/23, Ottavio Caruso  wrote:
>>> Am 07/10/2023 um 11:11 schrieb gene heskett:
>>>> Another possibility is a leaky microwave oven in the vicinity
>>>
>>> This is an urban legend and an excuse I was using when I was in tech
>>> support.
>>
>> It's real.  Try it yourself - run iperf for 2 minutes, display the
>> bandwidth report every second and then start the microwave for 1
>> minute.
>>
>> I get the thruput cut in half or more when the microwave is on.
>> Which is an improvement on the previous microwave which used to kill a
>> wireless connection. (which was super annoying when the wife was doing
>> work-from-home & I wasn't allowed to use the microwave _at_all_ during
>> the day.  I suspect that's the reason she got a toaster oven)
>>
>> Is it fairly well-known that microwave ovens interfere the most on channel
>> 11?
>> I just tried linssid again and there's a bunch of APs on channel 1 &
>> 6, one on channel 2 and two on channel 8.  Nothing on channel 11.
>
> That, again probably, would be because the microwave does NOT transmit
> an SID,

It doesn't transmit anything resembling a wifi frame (packet?), it's
just noise as far as the wifi interface knows.. and not something that
shows up on a wifi analyzer like linssid.

You need a spectrum analyzer to see wifi noise/interference.  I just
took a quick look again for an affordable spectrum analyzer & didn't
see anything.  Then again, my definition of "affordable" is under $50
so I suppose that's not too surprising.

Regards
Lee



Re: Intermittent WiFi on Network Manager

2023-10-08 Thread Lee
On 10/7/23, Ottavio Caruso  wrote:
> Am 07/10/2023 um 11:11 schrieb gene heskett:
>> Another possibility is a leaky microwave oven in the vicinity
>
> This is an urban legend and an excuse I was using when I was in tech
> support.

It's real.  Try it yourself - run iperf for 2 minutes, display the
bandwidth report every second and then start the microwave for 1
minute.

I get the thruput cut in half or more when the microwave is on.
Which is an improvement on the previous microwave which used to kill a
wireless connection. (which was super annoying when the wife was doing
work-from-home & I wasn't allowed to use the microwave _at_all_ during
the day.  I suspect that's the reason she got a toaster oven)

Is it fairly well-known that microwave ovens interfere the most on channel 11?
I just tried linssid again and there's a bunch of APs on channel 1 &
6, one on channel 2 and two on channel 8.  Nothing on channel 11.

Lee



Re: CVE-2023-5217 unimportant for firefox?

2023-09-30 Thread Lee
On 9/30/23, hede  wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

At the bottom of the page of your [1] is the note
src:firefox, src:firefox-esr and src:thunderbird use the system libvpx
starting in bookworm
and above. For older releases still needs the fixes in src:firefox-esr
and src:thunderbird.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182#22
  Date: Fri, 29 Sep 2023 14:58:43 +0000
  We believe that the bug you reported is fixed in the latest version of
  libvpx, which is due to be installed in the Debian FTP archive.

But I'm just guessing that the firefox security tracker page hasn't
been updated yet.

Regards
Lee

> [1] https://security-tracker.debian.org/tracker/source-package/firefox-esr
> [2] https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
>
> hede



Re: chrome web browser worthless

2023-08-02 Thread Lee
On 8/2/23, Brian wrote:
> On Wed 02 Aug 2023 at 14:52:26 -0400, gene heskett wrote:
>
>> On 8/2/23 14:26, Brian wrote:
>> > No - that isn't the way it works. Give what is asked for, not a
>> > censored
>> > version that suits you.
>> >
>> ok, same cat in full:
>> gene@bpi52:~$ cat /etc/hosts
>> 127.0.0.1   localhost
  < ... snip ... >

> Where is the line with 127.0.1.1? Debian always provides that.

$ egrep '^127' /etc/hosts
127.0.0.1   localhost

lee@spot ~
$ uname -a
Linux spot 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14)
x86_64 GNU/Linux

Regards,
Lee



Re: thunderbird missing arrows for scrolling through list of email messages

2023-05-27 Thread Lee
On 5/26/23, zithro wrote:
> On 05 May 2023 18:07, Lee wrote:
>> On 5/4/23, zithro wrote:
>> I think you also need
>> user_pref("widget.gtk.overlay-scrollbars.enabled", false);
>>
>> and this is also nice
>> user_pref("widget.non-native-theme.scrollbar.size.override", 20);
>
> I tried them all, but now there's a simple GUI option (see my other post
> in this thread) ! \o/

yes, but
  Settings -> General -> Browsing -> Always show scrollbars
shows a too-thin scrollbar with no up or down arrows at either end.

>> From there I can select the Chicago95 theme as any user and if there's
>> anything I don't like I can, once I figure out wtf needs to be changed
>> (which can be a non-trivial task for me), make the change.
>
> That was my point, wtf needs to be changed ?! ^^

That's why I picked the Chicago95 theme .. it was _real_ close to what I wanted.
Then again, I wanted different colors & I couldn't figure out how to
get everything changed the way I wanted so I went back to the default
:(

The changes I've got now are:
lee@spot ~/Templates/Chicago95-2.0.1/Theme
$ diff -u5 -r Chicago95 /usr/share/themes/Chicago95
Only in Chicago95: cinnamon
Only in Chicago95: gnome-shell
diff -u5 -r Chicago95/gtk-3.0/settings.ini
/usr/share/themes/Chicago95/gtk-3.0/settings.ini
--- Chicago95/gtk-3.0/settings.ini  2020-06-29 10:33:20.0 -0400
+++ /usr/share/themes/Chicago95/gtk-3.0/settings.ini2023-05-27
17:10:25.257049595 -0400
@@ -1,4 +1,14 @@
 [Settings]
 gtk-auto-mnemonics = 0
 gtk-visible-focus = automatic
 gtk-menu-images = true
+
+gtk-menu-popup-delay=0
+#  LR: delay between pointing the mouse at a menu and that menu
opening (in milliseconds)
+
+gtk-primary-button-warps-slider = 0
+# LR: warp slider to click position (true) or move scrollbar by one
page (false)
+
+gtk-overlay-scrolling = 0
+# LR: 0: always show scrollbars   1: hide the scrollbar until a mouseover
+
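Review bot: the three "# LR:" comment lines in this hunk were wrapped by the mailer, so "opening (in milliseconds)" and "page (false)" sit on lines of their own without the leading "+", and the hunk as pasted no longer matches its "@@ -1,4 +1,14 @@" counts (4 context lines plus 10 added); rejoin those continuations onto their "+" lines, or shorten the comments, before handing the file to patch. Minor style point: "gtk-menu-popup-delay=0" lacks the spaces around "=" that the neighbouring keys use; settings.ini accepts both, but one form is easier to grep for.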
Only in Chicago95: gtk-3.22
Only in Chicago95: gtk-3.24
Only in Chicago95: index.theme
Only in Chicago95: metacity-1
Only in Chicago95: misc
Only in Chicago95: xfwm4_hidpi

> I checked some themes in /usr/share/themes and ... well, I'll use my
> theme as it is !

I hope you've got a better set of themes than I have - I tried all of
them and didn't like any :(

Regards,
Lee



Re: sudoers question

2023-05-12 Thread Lee
On 5/12/23, DdB  wrote:
> Am 13.05.2023 um 00:03 schrieb Lee:
>> On 5/12/23, Stefan Monnier  wrote:
>>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>>> minutes by default IIRC) applies to all terminals.
>>>
>>> `sudo bash` anyone?
>>
>> me!  me!  but I also have
> (...)
>> %adm  ALL = (root) NOPASSWD: ADM_COMMANDS
>
> Of course, there are ways to allow any/all sudo commands without
> password. And i also have to cast a warning here:
>
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

In general, yes, but how much trouble can
  /usr/bin/dmesg,
  /usr/bin/apt list
  /usr/bin/apt update
  /usr/sbin/checkrestart
  /usr/sbin/needrestart
cause?

OTOH, I like the idea of logging in as root to do admin stuff.  But
that seems to be frowned on now.. I don't know why :(   .. unless
logging?  'sudo bash' or logging in as root doesn't leave an audit
trail of commands you've done

> To my eye, as there is a huge responsibility involved with using
> elevated powers, i would not want "my little brother" to accidentally
> sit in front of my computer while just trying commands at a console,
> that he may have heard of somewhere.

I gave login credentials to a 4 yr old :)  I was a bit apprehensive
when he started mashing the keyboard but I'd already tried to find all
the world-writeable files on the machine so I wasn't all _that_
worried.  I'm more concerned that I did the search wrong & missed some
thing than I am of getting a "rm -fr /" from random keyboard mashing.

> Even worse: When i found out, how to prevent sudo from asking a pwd, i
> in fact did cause a couple of bad mistakes, that the system would
> otherwise have prevented from happening (including making it
> unbootable). And it took my quite some time in order to get used to some
> kind of a routine, that keeps me from having to reinstall everything from
> scratch after each mishap.
>
> So, after some time, i have become way more cautious at allowing too
> many powers to myself without thinking. And especially the OP did reveal
> some contradictory habits:
> He was asking, how to allow any sudo command without being asked for a
> password ( which means: without being controlled by the system ). On one
> hand, this could make sense under certain premises.
> OTOH, he was failing to display any kind of responsible attitude for the
> job (like as if reading logfiles was his only interest ...).
>
> Just simply asking for help in this regard let me wonder, as i had been
> able to find out all this without even knowing about his group,
> including the relevance of sudoedit in this regard (which no one even
> mentioned).
>
> You can't have your cake and eat it too!
>
> If we (as a community) would support such a behavior, wouldn't we be
> responsible for the effects, this entails

No.

> Would you hand out a loaded weapon to a child? (I certainly did not.)

Maybe I have?   But this is a personal/household machine so if files
get deleted I'll get to find out if my backup/restore process works as
well as I hope it does :)

At work, downtime is expensive, so I do tend to lock things down at
work.  At home I'm a lot more casual.

Regards
Lee



Re: sudoers question

2023-05-12 Thread Lee
On 5/12/23, Stefan Monnier  wrote:
>> Or configure sudo to disable tty_tickets, so that the timeout (10
>> minutes by default IIRC) applies to all terminals.
>
> `sudo bash` anyone?

me!  me!  but I also have
# cat /etc/sudoers.d/adm-grp-privs
# members of adm can run certain commands as root without supplying
# a password
#   Andrei POPESCU  Sun, Dec 5, 2021 at 10:46 AM
#   To: debian-user@lists.debian.org
#   Re: Don't try this at home kids

Cmnd_Alias ADM_COMMANDS = /usr/bin/dmesg, \
 /usr/bin/apt list, \
 /usr/bin/apt update, \
 /usr/sbin/checkrestart, \
 /usr/sbin/needrestart, \
 /usr/sbin/reboot

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS

Regards
Lee



Re: EPSON ET M 1120 new printer: If You can read this, you are using the wrong driver

2023-05-10 Thread Lee
On 5/10/23, Schwibinger Michael  wrote:

nothing of interest .. same as every other day.

*plonk*



Re: disk usage for /usr/lib on bullseye

2023-05-08 Thread Lee
On 5/2/23, Greg Wooledge wrote:
> On Tue, May 02, 2023 at 10:18:10AM +0100, Tixy wrote:
>> On Tue, 2023-05-02 at 17:03 +0800, Bret Busby wrote:
>> > man apt
>>
>> Which doesn't say what 'apt purge' does without a package name. It says
>> 'Performs the requested action on one or more packages specified via
>> regex(7), glob(7) or exact match'. It doesn't go on to say what happens
>> if you leave that blank.
>
> Maybe I can experiment?  Let's see if "apt purge" is a syntax error:
>
> unicorn:~$ apt purge
> E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13:
> Permission denied)
> E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend),
> are you root?
>
> Rats!  No luck here.  Either "apt purge" is not an error, or the argument
> processing and validation happens only after acquiring the lock.
>
> Now we have to tread dangerous waters to find out more information.
>
> unicorn:~$ sudo apt --dry-run
> [sudo] password for greg:
> E: Command line option --dry-run is not understood in combination with the
> other options
>
> OK... that's progress.  It looks like the --dry-run option exists.
> So maybe we can use that to avoid destroying our system by trying commands
> as root.
>
> unicorn:~$ sudo apt --dry-run purge
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

you're a better sysadmin?  I get

$ sudo apt --dry-run purge
[sudo] password for lee:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.10.0-19-amd64 linux-image-5.10.0-20-amd64
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Regards
Lee



Re: WiFi Not Working After System Reinstallation

2023-05-08 Thread Lee
On 5/8/23, Marko Randjelovic  wrote:
> Both systems are fully updated Bullseye on a laptop. I have two access
> points, let's call them A and B. When I connect to A, DHCP does not
> work. When I connect to B, DHCP works, laptop gets an IP address and
> internet works without problems. On the other hand, my mobile phone
> can successfully connect to both. Both APs have enabled DHCP server
> and I made sure the IP ranges do not overlap.

Does access point A have mac-address security enabled?
OpenWRT calls it mac address filter and gives you the choice of
 - disabled                  allows anyone to connect
 - allow listed only         list of mac addresses that are allowed to connect to the AP
 - allow all except listed   why one would pick this instead of allow listed only??

Does the AP have any logging that you could look at?  (dhcp?)  diagnostics?

Regards
Lee



Re: relevance of packages in repositories

2023-05-07 Thread Lee
On 5/7/23, Jeffrey Walton wrote:
> On Sun, May 7, 2023 at 7:30 AM Дмитрий wrote:
>>
>> the stable version of Neodim 9.0 in debian 12 is the SEVENTH version, and
>> in order to get the current version, you need to drag something like
>> Homebrew, it really pisses you off and pushes you away from using the
>> distribution
>
> You might give Fedora a try. Its release cadence is every 6 months. At
> each release, Fedora typically supplies the most current version of a
> package.
>
> You may find Fedora aligns better with your requirements.

How about Arch linux?

https://en.wikipedia.org/wiki/Arch_Linux
  Arch Linux is an independently developed, x86-64 general-purpose
Linux distribution that strives to provide the latest stable versions
of most software by following a rolling-release model.



Re: thunderbird missing arrows for scrolling through list of email messages

2023-05-05 Thread Lee
On 5/4/23, zithro wrote:
> On 04 May 2023 22:11, Dan Ritter wrote:
>> zithro wrote:
>>>
>>> Well, I'm currently using "Greybird-dark" (so not the default).
>>> But it seems there's no GUI to alter the theme itself.
>>
>>
>> Right, you have to select a different theme.
>>
>> Or write your own.
>>
>> -dsr-
>
> Well, I just tried half of the stock themes, and some themes show the
> arrows, some don't, but ... it depends on the applications !
>
> As the OP reported, neither Thunderbird nor Firefox display the arrows,
> whereas editors, xterm or file managers do ...
>
> So I guess the problem is REALLY in the Mozilla apps.
> I opened about:config in Firefox (didn't find it in TB), typed
> "scrollbar" and played with some settings.
> "widget.non-native-theme.gtk.scrollbar.allow-buttons" seemed promising,
> but has no effect, even with skins displaying the arrows in other apps.

I think you also need
user_pref("widget.gtk.overlay-scrollbars.enabled", false);

and this is also nice
user_pref("widget.non-native-theme.scrollbar.size.override", 20);

>  From what I read it's a problem with GTK2/3.
>
> PS: no I won't write a theme ^^
> But I may check how to edit one. You know how ?

I think vim is really nice :)

But that's probably not what you want to know, so what I did was to
start with the release tarball from
  https://github.com/grassmunk/Chicago95

unpack it into my home directory and
  mv ~/Templates/Chicago95-2.0.1/Theme/Chicago95/gtk-2.0 /usr/share/themes/Chicago95/
  mv ~/Templates/Chicago95-2.0.1/Theme/Chicago95/gtk-3.0 /usr/share/themes/Chicago95/

From there I can select the Chicago95 theme as any user and if there's
anything I don't like I can, once I figure out wtf needs to be changed
(which can be a non-trivial task for me), make the change.

Regards,
Lee



Re: processing /etc/sysctl.d

2023-05-05 Thread Lee
On 5/4/23, Greg Wooledge wrote:
> On Thu, May 04, 2023 at 01:22:40PM -0400, Lee wrote:
>> OK.. I'll try to figure out how to modify whatever in /etc/NetworkManager
>
> I've been told that Network Manager will ignore any interfaces that
> are defined in /etc/network/interfaces.  So the correct way to set up
> a static address on that interface would be to add it in /e/n/i and
> simply don't touch Network Manager at all.
>
> auto lo
> iface lo inet loopback
>
> auto enp1s0
> iface enp1s0 inet static
> address 192.168.x.y/24
> # gateway 192.168.x.1  if you need this to be the default route
> up sysctl blah blah blah
>
> Also, having "auto enp1s0" here will tell systemd that this interface
> is one that matters, and that this interface needs to be up before it
> can activate any services that depend on the "network being up".  I
> have no idea how that works with N-M because I've never used N-M.

That does sound like the way to go.  I originally tried to configure
the box that way and failed, but it seems like it's worth another try.
But since I ended up with networkmanager because it was the only thing
that worked for me I need to allow enough time for troubleshooting &
restoring everything to my current setup before giving it a try --
which will be Monday at best.

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/4/23, Andy Smith wrote:
> Hello,
>
> On Thu, May 04, 2023 at 08:43:52AM +0200, Michel Verdier wrote:
>> Yes setting parameter on interface is better done in
>> /etc/network/interfaces or /etc/network/interfaces.d/*
>> which is used when the interface is configured
>
> There's definitely race conditions between creation of interface and
> setting of sysctls at boot, so I agree - I don't think I would use sysctl.d
> for any of those interface settings except default/all.
>
> I also don't know if an interface goes away and comes back again (
> think ppp, dummy, VPNs, etc) if it gets the same sysctl settings as
> you set last time or if it just gets the "default" ones all over
> again. I suspect the latter.

enp1s0 does _not_ get the default settings -- I spent way too much
time figuring out how to get ipv6 working on this machine and now,
after upgrading to 11.7, it's broken :(

> So yeah, multiple reasons to not try setting per-interface sysctls
> in sysctl.d.

OK.. I'll try to figure out how to modify whatever in /etc/NetworkManager


  Why isn't that caveat mentioned in the man pages?  It seems like a
rather serious deficiency in sysctl.d


Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/4/23, Michel Verdier  wrote:
> On 4 May 2023 Greg Wooledge wrote:
>
>> A guess: perhaps this parameter cannot be set during the initial boot,
>> because the enp1s0 interface isn't in a working state yet.
>
> Yes setting parameter on interface is better done in
> /etc/network/interfaces or /etc/network/interfaces.d/*
> which is used when the interface is configured
> with a stanza like
>
> auto enp1s0...
>   sysctl net/ipv6/conf/default/accept_ra = 1

I suspect that won't work for me:

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

$ ls -l interfaces.d
total 0

I didn't know what I was doing when I set this machine up & used the
GUI interface to network manager to configure a static ipv4 address.
Or at least I think it's network manager .. ps shows it as
/usr/bin/nm-connection-editor

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/3/23, Andy Smith wrote:
> Hello,
>
> On Wed, May 03, 2023 at 07:50:30PM -0400, Lee wrote:
>> I'm at a loss for how to figure out why my settings aren't taking effect.
>>
>> $ head /etc/sysctl.d/local.conf
>
> […]
>
>> # accept router advertisements
>> net/ipv6/conf/enp1s0/accept_ra = 1
>
> Is it possible that enp1s0 didn't yet exist at the time that
> systemd-sysctl.service ran? To check, you could instead set the key
>
> net/ipv6/conf/default/accept_ra = 1
>
it's already set

> then any new interfaces should get accept_ra=1 as they are created.
>
> Though when I look at my net/ipv6/conf/default/accept_ra it is
> already set to 1, so another possibility is that you have something
> that is setting net/ipv6/conf/enp1s0/accept_ra back to 0 after
> systemd-sysctl.service already set it to 1. NetworkManager is known
> to do this:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025073
>
> So, what are you using to manage enp1s0?

yup - I'm using NetworkManager
I wanted a static ipv4 address and that was the only thing I could get working

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/3/23, Greg Wooledge  wrote:
> On Wed, May 03, 2023 at 07:50:30PM -0400, Lee wrote:
>> $ head /etc/sysctl.d/local.conf
>> # my site local preferences
>> #
>> # man sysctl.d
>> #   Configure kernel parameters at boot
>> #   /etc/sysctl.d/*.conf
>> #   key/name/under/proc/sys = some value
>>
>> # accept router advertisements
>> net/ipv6/conf/enp1s0/accept_ra = 1
>>
>>
>> $ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
>> 0
>>
>>
>> Telling the system to read /etc/sysctl.d/local.conf works:
>> $ sudo sysctl --load=/etc/sysctl.d/local.conf
>>   <.. snip lots ..>
>>
>> $ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
>> 1
>>
>> How do I get the system to read it at boot time?
>
> A guess: perhaps this parameter cannot be set during the initial boot,
> because the enp1s0 interface isn't in a working state yet.
>
> If you put another parameter in the same local.conf file, one that's
> *not* tied to a piece of hardware, does it work?

Yes.  All of the directives that do _not_ mention enp1s0 "take".
What's annoying is that all this worked before upgrading to 11.7  ..
and I'm positive of that because this is a server running bind that
now dies on the
  query-source-v6 address xx::yy port *;
line in named.conf :(

Is there a way to get systemd to do a list of commands in
/etc/sysctl.d/something.conf
and a set of commands in /etc/sysctl.d/somethingElse.conf _after_
all the interfaces come up?

Thanks
Lee



processing /etc/sysctl.d

2023-05-03 Thread Lee
How to get /etc/sysctl.d/local.conf directives processed?

I don't see any errors or warnings in the logs that look applicable,
and grep sysctl doesn't give me anything interesting:

$ grep sysctl /var/log/* 2>/dev/null
/var/log/auth.log:May  3 19:41:17 spot sudo:  lee : TTY=pts/0 ; PWD=/home/lee ; USER=root ; COMMAND=/usr/sbin/sysctl --load=/etc/sysctl.d/local.conf
/var/log/kern.log:May  2 17:55:03 spot kernel: [0.070323] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  2 18:28:15 spot kernel: [0.070201] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  2 18:34:23 spot kernel: [0.070002] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 18:21:59 spot kernel: [0.069819] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 19:18:01 spot kernel: [0.070156] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 19:29:12 spot kernel: [0.070329] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 17:55:03 spot kernel: [0.070323] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 18:28:15 spot kernel: [0.070201] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 18:34:23 spot kernel: [0.070002] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 18:21:59 spot kernel: [0.069819] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 19:18:01 spot kernel: [0.070156] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 19:29:12 spot kernel: [0.070329] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 17:55:03 spot kernel: [0.070323] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 18:28:15 spot kernel: [0.070201] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 18:34:23 spot kernel: [0.070002] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 18:21:59 spot kernel: [0.069819] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 19:18:01 spot kernel: [0.070156] Yama: disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 19:29:12 spot kernel: [0.070329] Yama: disabled by default; enable with sysctl kernel.yama.*



I'm at a loss for how to figure out why my settings aren't taking effect.

$ head /etc/sysctl.d/local.conf
# my site local preferences
#
# man sysctl.d
#   Configure kernel parameters at boot
#   /etc/sysctl.d/*.conf
#   key/name/under/proc/sys = some value

# accept router advertisements
net/ipv6/conf/enp1s0/accept_ra = 1


$ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
0


Telling the system to read /etc/sysctl.d/local.conf works:
$ sudo sysctl --load=/etc/sysctl.d/local.conf
  <.. snip lots ..>

$ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
1

How do I get the system to read it at boot time?

TIA
Lee
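
A check worth having for exactly the situation in this thread, added here as an example and not part of anyone's post: walk a sysctl.d file and compare each configured value with what /proc/sys holds right now, so a setting that systemd-sysctl wrote at boot and something else (NetworkManager, a later interface re-creation) reverted shows up as drift instead of staying silently wrong. The key-to-path conversion follows the rule in sysctl.d(5): if the first separator in a key is a slash the key is used verbatim, if it is a dot then dots and slashes swap roles. The sample tree and local.conf the demo builds are constructed to mirror the thread (default accept_ra 1, the per-interface value back at 0); run the script with a real file as its argument to check a live machine.

```shell
#!/bin/sh
# Added example: report sysctl.d settings whose live value differs from
# the configured one (or whose key does not exist on this machine).

# sysctl_key_to_path KEY -> path relative to /proc/sys, per sysctl.d(5):
# first separator "/" -> key used verbatim; first separator "." -> dots
# and slashes are interchanged (so "conf.enp1s0/100" names enp1s0.100).
sysctl_key_to_path() {
    k=$1
    pre=${k%%[./]*}                # text before the first separator
    rest=${k#"$pre"}               # from the first separator onward
    first=${rest%"${rest#?}"}      # that separator itself ("" if none)
    if [ "$first" = "/" ]; then
        printf '%s\n' "$k"
    else
        printf '%s\n' "$k" | tr './' '/.'
    fi
}

# sysctl_drift CONF [PROCROOT]
# Prints one line per key whose effective value differs from CONF.
# Returns 0 when everything matches, 1 when any key drifted or is missing.
# PROCROOT defaults to /proc/sys; the demo points it at a constructed tree.
sysctl_drift() {
    conf=$1
    root=${2:-/proc/sys}
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;        # blank lines and comments
        esac
        key=${line%%=*}
        want=${line#*=}
        # trim whitespace around key and value; drop an optional leading "-",
        # which only tells systemd-sysctl to ignore write errors for that key
        key=$(printf '%s' "$key" | sed 's/^[[:space:]-]*//;s/[[:space:]]*$//')
        want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path="$root/$(sysctl_key_to_path "$key")"
        if [ ! -f "$path" ]; then
            printf '%s\tconfigured=%s\teffective=<missing>\n' "$key" "$want"
            drift=1
            continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            printf '%s\tconfigured=%s\teffective=%s\n' "$key" "$want" "$have"
            drift=1
        fi
    done < "$conf"
    return $drift
}

# Constructed sample mirroring the thread: default accept_ra is 1, the
# per-interface value has been pushed back to 0, rp_filter matches, and one
# key names an interface that does not exist on this box.
make_sample_tree() {
    d=$1
    mkdir -p "$d/proc/net/ipv6/conf/default" "$d/proc/net/ipv6/conf/enp1s0" \
             "$d/proc/net/ipv4/conf/all"
    echo 1 > "$d/proc/net/ipv6/conf/default/accept_ra"
    echo 0 > "$d/proc/net/ipv6/conf/enp1s0/accept_ra"
    echo 1 > "$d/proc/net/ipv4/conf/all/rp_filter"
    cat > "$d/local.conf" <<'EOF'
# constructed stand-in for /etc/sysctl.d/local.conf
net/ipv6/conf/default/accept_ra = 1
net/ipv6/conf/enp1s0/accept_ra = 1
net.ipv4.conf.all.rp_filter = 1
-net/ipv6/conf/wlan0/accept_ra = 1
EOF
}

# Usage: sysctl-drift.sh /etc/sysctl.d/local.conf    (live check, exit 1 on drift)
#        sysctl-drift.sh                             (run the constructed demo)
if [ $# -gt 0 ]; then
    sysctl_drift "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    sysctl_drift "$tmp/local.conf" "$tmp/proc" || echo "drift detected" >&2
    rm -rf "$tmp"
fi
```

The demo prints two lines, the enp1s0 key at 0 instead of 1 and the wlan0 key as missing; everything else is silent. Running the same check from a timer or at the end of the boot sequence catches the race the thread describes without having to remember to cat the /proc/sys file by hand.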



Re: how to reverse an IPv4

2023-04-30 Thread Lee
On 4/30/23, cor...@free.fr  wrote:
> Hello list,
>
> I wrote this script for reversing an IP:
>
> #!/bin/bash
>
> IP=$1
>
> if [ -z $IP ];then
>echo "$0 IP"
>exit 1
> fi
>
> REVERSE=$(echo $IP|awk -F\. '{print $4.$3.$2.$1}')
> echo $REVERSE
>
>
> it won't work as the output below.
>
> $ bin/rbl.sh 61.144.56.32
> 325614461
>
>
> The "." was lost.
>
> If I changed the awk line to:
> REVERSE=$(echo $IP|awk -F\. '{print "$4.$3.$2.$1"}')
>
>
> It becomes:
>
> $ bin/rbl.sh 61.144.56.32
> $4.$3.$2.$1
>
>
>
> Can you help with this?

$ cat /tmp/reverse
#!/bin/bash

IP=$1

if [ -z "$IP" ];then
  echo "$0 IP"
  exit 1
fi

REVERSE=$(echo "$IP" | awk -F\. '{printf("%s.%s.%s.%s\n", $4, $3, $2, $1) }')
echo "$REVERSE"

$ /tmp/reverse 61.144.56.32
32.56.144.61

Regards
Lee
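
As an added example, not part of Lee's reply or the original script: the same reversal in plain POSIX sh, but checking the input first, since a script named rbl.sh is presumably fed addresses scraped from logs and will build DNS query names from them. Anything that is not exactly four octets of 0-255 is rejected, including octets with a leading zero (inet_aton() reads "010" as octal 8, so "010.1.1.1" and "10.1.1.1" are different hosts and a blocklist lookup on the wrong one proves nothing). The DNSBL zone name is an assumption for illustration; substitute whichever list you actually query.

```shell
#!/bin/sh
# Added example: validate an IPv4 address and print its octets in reverse
# order, the form DNS-based blocklists (DNSBLs) expect in the query name.

# reverse_ipv4 ADDR -> prints "d.c.b.a" for "a.b.c.d", returns 1 on bad input.
reverse_ipv4() {
    addr=$1
    # Only digits and dots, no empty labels: rejects "1..2", ".1.2.3", "1.2.3."
    # and anything carrying shell or DNS metacharacters.
    case $addr in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split into positional parameters on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # At most three digits and no leading zero (see the octal ambiguity
        # described in the lead-in); "0" on its own is fine.
        case $octet in
            0) ;;
            0*|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# dnsbl_query_name ADDR ZONE -> the name to resolve, e.g.
# 32.56.144.61.zen.spamhaus.org (zone is assumed; resolve with: dig +short A NAME)
dnsbl_query_name() {
    rev=$(reverse_ipv4 "$1") || return 1
    printf '%s.%s\n' "$rev" "$2"
}

# Usage: reverse.sh ADDR [ZONE]
if [ $# -gt 0 ]; then
    if [ $# -ge 2 ]; then
        dnsbl_query_name "$1" "$2" || { echo "$0: invalid IPv4 address: $1" >&2; exit 1; }
    else
        reverse_ipv4 "$1" || { echo "$0: invalid IPv4 address: $1" >&2; exit 1; }
    fi
fi
```

`reverse.sh 61.144.56.32` prints 32.56.144.61 as in the post; `reverse.sh 61.144.56.32 zen.spamhaus.org` prints the full query name, and bad input exits 1 with a message on stderr instead of producing a name that silently resolves to nothing.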



Re: repeat of previous question that has gone unanswered several times.

2023-04-30 Thread Lee
On 4/30/23, gene heskett  wrote:
> Greetings all;
>
> I have a mixed home network, some buster, some bullseye, all up to date
> a/o yesterday.
>
> I have 2 printers shared on this bullseye main box, available as 5 or 6
> printers, each configured in cups to do a specific job. Good printers,
> both running on brother's own linux drivers for that printer.
>
> All my buster machines can use both of these printers just as if they
> were plugged into that machine, but a machine shop full of sawdust and
> metal shavings is not a good printer environment, even if there was room
> for them, which there isn't.
>
> All of my bullseye machines are locked out, printer screen at
> localhost:631 is empty, and no printers can be found and added.
>
> But open a shell, and type "lpstat -t" and it gets the full list of
> available printers on that same bullseye machine whose cups output is
> empty.
>
> Why?

Take a look at
  https://wiki.debian.org/CUPSQuickPrintQueues

The quick ref is to install avahi-utils and run
  avahi-browse -rt _ipp._tcp  | grep URF

If you get a line matching URF the printer supports the AirPrint
service.  Install cups and see if it works (which is all that I needed
to do to get the printer working).  If no, what does

  avahi-browse -rt _ipp._tcp

and

  systemctl status avahi-daemon

show you?

Regards,
Lee



Re: Wireshark does not show physical interfaces for capture

2023-04-29 Thread Lee
On 4/29/23, Victor Sudakov wrote:
> Lee wrote:
>> On 4/29/23, Victor Sudakov wrote:
>
> [dd]
>
>> >
>> > However when I startup wireshark from the GUI, it does not show the
>> > physical interfaces in the list of interfaces to capture from, so I
>> > cannot really capture anything from the non-root user. When started
>> > via sudo, it does show enp3s0 and other interfaces and can capture.
>> >
>> > What am I missing?
>>
>> See if the interfaces have been hidden from the GUI.  eg
>> $ grep devices_hide .config/wireshark/preferences
>> capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session
>
> Nothing much there:
>
> $ grep devices_hide .config/wireshark/preferences
> #capture.devices_hide:
>
>>
>> Or check from the GUI:
>> Capture / Refresh Interfaces
>
> Does not add the NICs to the list.
>
>> Capture / Options
>> select the Input tab and click Manage Interfaces
>> select the Local Interfaces tab and make sure there's a checkmark
>> under Show for all the physical interface names
>
> I don't see any physical interfaces there, this is all I see:
> https://ibb.co/190ytwv

Have you looked at
https://www.wireshark.org/faq.html#capprobunix

I have a vague memory of having to do
  sudo dpkg-reconfigure wireshark-common
a few years ago before I was able to capture packets without using sudo

Regards
Lee
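
What "dpkg-reconfigure wireshark-common" sets up, and what to verify when capture as a normal user still does not work, as an added example rather than anything from the thread: Debian gives /usr/bin/dumpcap the file capabilities cap_net_raw and cap_net_admin (effective) and makes it executable by the wireshark group only, so the two things to check are getcap's output for dumpcap and whether the running session (not just /etc/group) carries that group. The parser accepts both output formats getcap has used (older libcap prints `path = caps+eip`, newer `path caps=eip`); the lines in the test are constructed.

```shell
#!/bin/sh
# Added example: check the two things non-root packet capture depends on
# on Debian: file capabilities on dumpcap and wireshark group membership.

# dumpcap_caps_ok GETCAP_LINE -> 0 if cap_net_raw and cap_net_admin are both
# in the effective set, 1 otherwise. Accepts "path = caps+eip" (older
# libcap) and "path caps=eip" (newer libcap) output formats.
dumpcap_caps_ok() {
    line=$1
    spec=${line#* }              # drop the path
    spec=${spec#"= "}            # older format: "= caps+flags"
    case $spec in
        *+*) caps=${spec%%+*}; flags=${spec#*+} ;;
        *=*) caps=${spec%%=*}; flags=${spec#*=} ;;
        *)   return 1 ;;         # no capabilities set at all
    esac
    case $flags in
        *e*) ;;                  # effective bit present
        *) return 1 ;;
    esac
    case ",$caps," in
        *,cap_net_raw,*) ;;
        *) return 1 ;;
    esac
    case ",$caps," in
        *,cap_net_admin,*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_group GROUP GROUPLIST -> 0 if GROUP is one of the space-separated
# names in GROUPLIST (the output of `id -nG`). Membership present in
# /etc/group but absent here means: log out and back in first.
in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against this machine; pass another dumpcap path if needed.
check_capture_setup() {
    bin=${1:-/usr/bin/dumpcap}
    ok=0
    if dumpcap_caps_ok "$(getcap "$bin" 2>/dev/null)"; then
        echo "ok: $bin has cap_net_raw,cap_net_admin effective"
    else
        echo "FAIL: $bin lacks effective cap_net_raw,cap_net_admin (try: sudo dpkg-reconfigure wireshark-common)"
        ok=1
    fi
    if in_group wireshark "$(id -nG)"; then
        echo "ok: current session is in group wireshark"
    else
        echo "FAIL: session not in group wireshark (sudo usermod -aG wireshark $(id -un), then log in again)"
        ok=1
    fi
    return $ok
}

# Usage: capture-check.sh --check [/path/to/dumpcap]
if [ "${1:-}" = "--check" ]; then
    shift
    check_capture_setup "$@"
fi
```

Both checks passing while the GUI still shows no interfaces points at Wireshark's own configuration (the devices_hide preference mentioned above, or a desktop launcher that does not start the binary the way the shell does) rather than at permissions.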



Re: Wireshark does not show physical interfaces for capture

2023-04-29 Thread Lee
On 4/29/23, Victor Sudakov  wrote:
> Dear Colleagues,
>
> My user is a member of the "wireshark" group and can start /usr/bin/dumpcap
> all right:
>
> $ ls -al /usr/bin/dumpcap
> -rwxr-xr-- 1 root wireshark 129696 Mar  4  2022 /usr/bin/dumpcap
>
> $ id
> uid=1000(vas) gid=1000(vas)
> groups=1000(vas),4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),30(dip),44(video),46(plugdev),121(lpadmin),136(lxd),137(sambashare),138(wireshark),1002(admin)
>
> $ /usr/bin/dumpcap
> Capturing on 'enp3s0'
> File: /tmp/wireshark_enp3s0Y3LW31.pcapng
> Packets captured: 126
> Packets received/dropped on interface 'enp3s0': 126/0
> (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
> $
>
> However when I startup wireshark from the GUI, it does not show the
> physical interfaces in the list of interfaces to capture from, so I
> cannot really capture anything from the non-root user. When started
> via sudo, it does show enp3s0 and other interfaces and can capture.
>
> What am I missing?

See if the interfaces have been hidden from the GUI.  eg
$ grep devices_hide .config/wireshark/preferences
capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session

Or check from the GUI:
Capture / Refresh Interfaces
Capture / Options
select the Input tab and click Manage Interfaces
select the Local Interfaces tab and make sure there's a checkmark
under Show for all the physical interface names

Regards,
Lee



Re: What do all those "* * *" mean on a traceroute log?

2023-04-13 Thread Lee
On 4/12/23, Albretch Mueller  wrote:
>  I have found a few examples and "explanations" but in the cases of
> the examples I have seen by other people, like:
>
> https://serverfault.com/questions/733005/what-does-having-mean-in-the-command-traceroute-and-how-can-you-cope-wit
>
>  It is not with every site and it is mostly with one hop. In my case it
> is with all sites and once the packets reach the web (from hop 5 to
> 30), from wherever I connect to the Internet. Why would that happen

you should probably start off with
  https://archive.nanog.org/sites/default/files/10_Roisman_Traceroute.pdf
A Practical Guide to (Correctly)
Troubleshooting with Traceroute

> and why would that -consistently- "happen" to me?

Ask your ISP - or VPN provider or whatever it is that you're using..
I did a search on your _gateway (199.83.128.1) address and found
  https://www.sitelock.com/blog/sitelock-trueshield-web-application-firewall-updates/
  SiteLock TrueShield Complete IP Range in long form:
  199.83.128.1-199.83.135.254

Maybe they can explain what's going on?

Interestingly enough, I tried a traceroute to the last ip address that
answered in your traceroute and got an answer from
1. my router
2. my ISP's router
and nothing else !??

It seems that Verizon doesn't have a route to 199.83.128.1 --
  https://www.verizon.com/business/why-verizon/looking-glass/
doesn't show anything for 199.83.128.1, so I'm guessing verizon is
doing some form of Unicase Reverse Path Filtering (URPF) and dropping
all  those packets that don't have a route to the destination

I also tried a traceroute to your _gateway (199.83.128.1) and got
$ traceroute 199.83.128.1
traceroute to 199.83.128.1 (199.83.128.1), 30 hops max, 60 byte packets
<.. snip ..>
 4  0.ae5.BR2.IAD8.ALTER.NET (140.222.6.175)  12.963 ms 0.ae1.BR2.IAD8.ALTER.NET (140.222.239.85)  9.400 ms 0.ae5.BR2.IAD8.ALTER.NET (140.222.6.175)  12.919 ms
 5  ash-b2-link.ip.twelve99.net (80.239.135.178)  9.211 ms  9.334 ms  9.424 ms
 6  imperva-svc087369-lag004786.ip.twelve99-cust.net (62.115.55.139)  9.612 ms  7.612 ms  7.445 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
   ... etc

And finally
  https://bgp.tools/prefix/199.83.128.0/24#connectivity

  Anycast Detected

  When bgp.tools scanned this prefix, we found that 199.83.128.0 was anycasted.

  Upstreams This info take up to 6 hours to fully update
ASN Description
AS2914  NTT America, Inc.
AS1299  Arelion (fka. Telia Carrier)

So it seems you're doing something ... different.

Regards,
Lee


>
> $ traceroute google.com
> traceroute to google.com (172.217.0.174), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  6.687 ms  6.660 ms  6.683 ms
>  2  199.83.240.2 (199.83.240.2)  6.101 ms  6.622 ms  6.610 ms
>  3  ad.nypl.org (199.254.254.1)  6.600 ms  6.588 ms  6.577 ms
>  4  199.254.252.1 (199.254.252.1)  6.566 ms  6.590 ms  6.738 ms
>  5  * * *
> . . .
> 30  * * *
>
> $ traceroute microsoft.com
> traceroute to microsoft.com (20.81.111.85), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  12.353 ms  12.319 ms  12.306 ms
>  2  199.83.240.2 (199.83.240.2)  11.803 ms  12.281 ms  12.268 ms
>  3  ad.nypl.org (199.254.254.1)  12.256 ms  12.244 ms  12.231 ms
>  4  199.254.252.1 (199.254.252.1)  12.255 ms  12.243 ms  12.511 ms
>  5  * * *
> . . .
> 30  * * *
>
> $ traceroute debian.org
> traceroute to debian.org (149.20.4.15), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  16.821 ms  17.804 ms  17.784 ms
>  2  199.83.240.2 (199.83.240.2)  4.739 ms  5.086 ms  5.070 ms
>  3  ad.nypl.org (199.254.254.1)  5.054 ms  5.389 ms  5.023 ms
>  4  199.254.252.1 (199.254.252.1)  6.805 ms  6.282 ms  6.773 ms
>  5  * * *
> . . .
> 30  * * *
>
>  lbrtchx
>
>



Re: apt temporary failure resolving deb.debian.org

2023-04-09 Thread Lee
On 4/9/23, Tim Woodall  wrote:
> On Sun, 9 Apr 2023, Badli Al Rashid wrote:
>
>> Hi All,
>>
>> Gooday everybody. Anyone having temporary failure when running apt update
>> with own bind local resolver ? I got a temporary failure resolving
>> deb.debian.org and www.debian.org since last week thursday. I can resolve
>> other sites like www.kernel.org and others.
>>
>> When I switch to other DNS servers I can resolve www.debian.org.
>>
>> The command dig with +cd option I was able to resolve deb.debian.org and
>> www.debian.org.
>>
>> I am using bullseye bind packages and then upgraded to bind to sury to
>> test. It is still the same.
>>
>
> I've also been having severe problems resolving debian.org domains.
>
> I've now turned off dnssec validation on my bind server.
>
>
> //
>  // If BIND logs error messages about the root key being expired,
>  // you will need to update your keys.  See
>  // https://www.isc.org/bind-keys
>
> //
>  dnssec-validation no;

If it was "yes" that might be the problem.

  dnssec-validation auto;
  # If dnssec-validation is set to auto, then a default trust anchor for the DNS root zone will be used.
  # If it is set to yes, however, then at least one trust anchor must be configured with a trusted-keys
  # or managed-keys statement in named.conf, or DNSSEC validation will not occur.
  # The default setting is yes.

The only DNS issues I've noticed are NTP starting before BIND at boot
time and all the
  N.debian.pool.ntp.org
queries failing until bind is up and running.

Regards
Lee



Re: what's the right way to resolve localhost's IPs

2023-03-23 Thread Lee
On 3/23/23, Nicolas George  wrote:
> Jeremy Ardley (12023-03-23):
>> On your second topic I don't usually run firewalls on my cloud severs.
>
> But surely on a server the network configuration is static, including
> the firewall rules, isn't it?

Consider the IP addressing info coming from DHCP.  The network
configuration stays the same but the IP(v6)? address might change.

For example, Verizon is my ISP; they delegate a /56 to my router and
the router delegates /64's to the LANs.  I've got DHCP configured to
give out static host addresses to the various machines but the network
portion of the ipv6 address does change at Verizon's whim .. which
requires firewall rule changes because I haven't figured out how to
automatically plug in the newly delegated /64 into the firewall rules
for that lan :(

Regards,
Lee



Re: No /

2023-03-15 Thread Michael Lee
Thanks David. Steps 1 through 6 describe just how the present drama
unfolded. Good thinking. This is, I imagine, also what happens anytime
power is taken away before COW has been able to do its thing. 
Is there a way to fix this, or is a re-installation the only remedy?

Michael
On Monday, 2023-03-13 at 14:03 -0500, David Wright wrote:



Re: No /

2023-03-14 Thread Michael Lee
Thanks David. Steps 1 through 6 describe just how the present drama
unfolded. Good thinking. 

On Monday, 2023-03-13 at 14:03 -0500, David Wright wrote:

