Re: [DNG] mouse driver question

2022-05-12 Thread Daniel Abrecht via Dng
To find out what's behind which /dev/input/event* device, and generally 
what's going on with the input stuff on the kernel side, I usually 
check: "cat /proc/bus/input/devices"




___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
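
The record format behind that command, parsed into a map from each /dev/input/event* node to the device and the other handlers attached to it; this is an added example, not code from the post, and the SAMPLE text is a constructed excerpt in the kernel's format (useful for spotting an input device you did not expect to be there):

```python
"""Parse /proc/bus/input/devices: blank-line separated records of "<letter>: ..." lines."""
import re

# Constructed sample (trimmed to the fields used here); real output lists many more devices.
SAMPLE = """\
I: Bus=0019 Vendor=0000 Product=0001 Version=0000
N: Name="Power Button"
P: Phys=PNP0C0C/button/input0
S: Sysfs=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0C:00/input/input0
U: Uniq=
H: Handlers=kbd event0
B: PROP=0
B: EV=3

I: Bus=0003 Vendor=046d Product=c52b Version=0111
N: Name="Logitech USB Receiver Mouse"
P: Phys=usb-0000:00:14.0-2/input1
S: Sysfs=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/input/input5
U: Uniq=
H: Handlers=mouse0 event4
B: PROP=0
B: EV=17

I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
P: Phys=isa0060/serio0/input0
S: Sysfs=/devices/platform/i8042/serio0/input/input2
U: Uniq=
H: Handlers=sysrq kbd event2 leds
B: PROP=0
B: EV=120013
"""

def parse_input_devices(text):
    """Return one dict per device record (keys: bus, vendor, product, name, sysfs, handlers)."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {"handlers": []}
        for line in block.splitlines():
            key, _, rest = line.partition(": ")
            if key == "I":                      # "Bus=0019 Vendor=0000 Product=0001 Version=0000"
                for kv in rest.split():
                    k, _, v = kv.partition("=")
                    dev[k.lower()] = v
            elif key == "N":                    # Name="..."
                dev["name"] = rest.partition("=")[2].strip('"')
            elif key == "S":
                dev["sysfs"] = rest.partition("=")[2]
            elif key == "H":                    # space separated handler names
                dev["handlers"] = rest.partition("=")[2].split()
        devices.append(dev)
    return devices

def event_node_map(text):
    """Map "/dev/input/eventN" -> (name, bus, "vendor:product", other handlers)."""
    out = {}
    for dev in parse_input_devices(text):
        for h in dev["handlers"]:
            if h.startswith("event"):
                others = [x for x in dev["handlers"] if x != h]
                ids = f"{dev.get('vendor')}:{dev.get('product')}"
                out["/dev/input/" + h] = (dev.get("name", "?"), dev.get("bus"), ids, others)
    return out

def read_system():
    """Same thing for the running kernel (Linux only)."""
    with open("/proc/bus/input/devices") as f:
        return event_node_map(f.read())

if __name__ == "__main__":
    for node, (name, bus, ids, others) in sorted(event_node_map(SAMPLE).items()):
        print(f"{node}: {name} (bus {bus}, {ids}) other handlers: {' '.join(others)}")
```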


Re: [DNG] resolv.conf

2022-05-08 Thread Daniel Abrecht via Dng
If you don't have a public domain, then the correct domain to use in an 
internal network is home.arpa, see: 
https://tools.ietf.org/id/draft-ietf-homenet-dot-07.html


home.arpa. is intentionally set up as an unsigned delegation, so it won't 
break when someone uses DNSSEC. Other domains will fail DNSSEC.


Unfortunately, no one seems to ever check DNSSEC for some reason, and 
no one seems to care about home.arpa either. But I'm still optimistic 
that this may someday change.


Regards,
Daniel Abrecht


Re: [DNG] mouse driver question

2022-04-21 Thread Daniel Abrecht via Dng
An alternative to "gpm" would be "consolation". It's based on 
"libinput". I've never tried serial mice, but you can probably install & 
start "inputattach", and then "consolation" should probably pick it up 
if it's installed. inputattach should also work with other things such 
as X11 and Wayland.


Regards,
Daniel Abrecht


Re: [DNG] Some RAID1's inaccessible after upgrade to beowulf from ascii

2021-11-09 Thread Daniel Abrecht via Dng

On 2021-11-09 19:56, Hendrik Boom via Dng wrote:

> I upgraded my server to beowulf.
>
> After rebooting, all home directories except root's are no longer
> accessible.
>
> They are all on an LVM on software RAID.
>
> The problem seems to be that two of my three RAID1 systems are not
> starting up properly.  What can I do about it?


Do you still know which devices contained the raid?
I'd first check out the metadata on them:
```
mdadm --query --examine /dev/sdXY
```

Ideally, the ones for the same arrays should have the same Version, 
Array UUID, and a number for Events which doesn't differ much.


I'm not much of an expert with raid myself. In fact, I already hosed one 
of mine once (I followed some tutorial which suggested using "mdadm 
--create" for a certain thing, but it was wrong and I should have used 
--grow instead).


Anyway maybe try explicitly assembling the devices as a new raid device. 
There is also a --readonly option that should avoid it doing anything to 
the array, and a --readwrite option, which could be helpful.

```
mdadm --assemble /dev/md5 --readonly /dev/sdXY /dev/sdXY
```

If that works & the raid device works fine (maybe try mounting it), you 
can make it readwrite using

```
mdadm --readwrite /dev/md5
```

Alternatively, you could also try --re-add to add devices to an existing 
raid again.


I'd avoid doing anything with --create. I think that would be 
destructive.


If it does stuff like resyncing after that, you can already use the 
device, but maybe wait with a reboot until it finishes.
If you get it working, try doing the `mdadm --examine --scan` thing 
again / recreate /etc/mdadm/mdadm.conf. Maybe also recreate the 
initramfs using `update-initramfs -u`, just in case.
And if all that works out, you may try rebooting to see if it detects it 
again.


If things don't work out, maybe check for error messages / look at 
dmesg.


Regards,
Daniel Abrecht
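
The comparison suggested above (same Version, same Array UUID, Events counters close together) done over the output of `mdadm --examine` for several partitions; this is an added example, not code from the post, and SAMPLE is a constructed, trimmed dump standing in for real superblocks. Pipe real output into it (`mdadm --examine /dev/sdb1 /dev/sdc1 | python3 check_examine.py`) before deciding which members to assemble read-only:

```python
"""Group `mdadm --examine` superblocks by Array UUID and flag members that look wrong."""
import sys

# Constructed sample (fields not used here removed): two members of one RAID1
# whose Events counters drifted apart, and a lone member of a second array.
SAMPLE = """\
/dev/sdb1:
        Version : 1.2
     Array UUID : 4f1c2a77:9b3d8e10:5c6a1b2d:0e9f8a7b
     Raid Level : raid1
   Raid Devices : 2
         Events : 1240
   Array State : AA ('A' == active, '.' == missing, 'R' == replacing)

/dev/sdc1:
        Version : 1.2
     Array UUID : 4f1c2a77:9b3d8e10:5c6a1b2d:0e9f8a7b
     Raid Level : raid1
   Raid Devices : 2
         Events : 1200
   Array State : AA ('A' == active, '.' == missing, 'R' == replacing)

/dev/sdd1:
        Version : 1.2
     Array UUID : aa00bb11:cc22dd33:ee44ff55:66778899
     Raid Level : raid1
   Raid Devices : 2
         Events : 88
   Array State : A. ('A' == active, '.' == missing, 'R' == replacing)
"""

def parse_examine(text):
    """Return {device: {field: value}} from concatenated --examine output."""
    members, current = {}, None
    for line in text.splitlines():
        if line.startswith("/dev/") and line.rstrip().endswith(":"):
            current = line.strip()[:-1]          # "/dev/sdb1:" starts a new record
            members[current] = {}
        elif current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            members[current][key.strip()] = value.strip()
    return members

def check_arrays(text, max_event_gap=20):
    """Group members by Array UUID; return {uuid: {"members", "raid_devices", "warnings"}}."""
    arrays = {}
    for dev, f in parse_examine(text).items():
        uuid = f.get("Array UUID")
        if uuid is None:
            continue                             # no md superblock with this field on it
        a = arrays.setdefault(uuid, {"members": [], "warnings": [],
                                     "raid_devices": int(f.get("Raid Devices", 0))})
        a["members"].append((dev, f.get("Version"), int(f.get("Events", 0))))
    for a in arrays.values():
        versions = {str(v) for _, v, _ in a["members"]}
        if len(versions) > 1:
            a["warnings"].append(f"metadata Version differs between members: {sorted(versions)}")
        if len(a["members"]) < a["raid_devices"]:
            a["warnings"].append(f"only {len(a['members'])} of {a['raid_devices']} members found")
        newest = max(e for _, _, e in a["members"])
        for dev, _, ev in a["members"]:          # a member far behind is stale: expect a resync
            if newest - ev > max_event_gap:
                a["warnings"].append(f"{dev} is {newest - ev} events behind the newest member")
    return arrays

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for uuid, a in check_arrays(text).items():
        print(uuid, [d for d, _, _ in a["members"]])
        for w in a["warnings"]:
            print("  WARNING:", w)
```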


Re: [DNG] Your system is not supported by certbot-auto anymore.

2020-12-08 Thread Daniel Abrecht via Dng

On 2020-12-08 08:41, Simon Walter wrote:

> Other than a manual install, are there any alternatives? I am
> interested to hear how others are doing this.


Let's Encrypt has a list of various clients: 
https://letsencrypt.org/docs/client-options/


I'm using one I've written myself (and haven't bothered adding to the 
list yet): https://github.com/Daniel-Abrecht/DPA-ACME2
There currently only is a solver for dns-01 challenges for it, though. 
And I should probably move the solver to another project/repo & make 
some packages and such stuff.

It works pretty well overall, I didn't have any problems with it for a 
long time anymore. But if you put it in a cron job, make sure to set up 
mail notifications so you know when it fails. And make sure not to use 
it around 0 UTC, the Let's Encrypt servers tend to be overloaded and 
unreliable around that time.

I do think TLS is an awesome and important technology, but I do not like 
having to rely on yet another authority (the other one being DNS 
registrars)
to be able to operate a webpage and other services. This is why I have 
also set up DANE. If some day, browsers start to finally support DANE,
or free certificates become unavailable, I will immediately switch to 
self signed certificates (and keep DANE so they could still in theory 
get automatically validated).


Regards,
Daniel Abrecht


Re: [DNG] Help needed:[Fwd: eudev: Methods to detect if running in a container.]

2020-04-01 Thread Daniel Abrecht via Dng

Hi,

What's the point of trying to detect if eudev is run in a container?
Is it just to not start it in that case?
Would it just fail to start in them otherwise?
Is that actually a problem?
And could eudev not just be uninstalled in a container?

In any case, I don't like the idea of doing hacks like looking at inode 
numbers or trying to determine if there is a container or not. In 
addition to this, I don't like the idea of checking for being in a 
container in general.


Instead, I would check for reasons why it doesn't work in a container, 
choose a sensible thing to check for out of those reasons, and then 
check for that.


In this case, I would assume the following, although I haven't checked:
 1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is 
responsible for managing/creating device files
 2) eudev exists for managing/creating device files in other kinds of 
systems
 3) device files can't be created in a container
 4) 3. is due to the container hypervisor removing the cap_mknod 
capability from containers


Given those assumptions, I think the sensible thing would be to either 
check for the mknod capability, or check if device nodes can't be 
created in /dev/ due to a lack of permissions. I think that's closer to 
the reason why one may not want to start eudev than trying to check 
if we're in a container.


Regards,
Daniel Abrecht
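
The two checks proposed above, written out as an added example (not eudev code): read CAP_MKNOD out of the effective capability mask in /proc/self/status, and probe whether a device node can actually be created in a directory. CAP_MKNOD is capability number 27 in the kernel's numbering; the two STATUS_* strings are constructed CapEff lines, not captured from a real container.

```python
"""Check for the mknod capability and for the ability to create device nodes."""
import os
import stat
import tempfile

CAP_MKNOD = 27  # linux/capability.h

def effective_caps(status_text):
    """Extract the CapEff bitmask (hex) from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")

def has_cap(status_text, cap):
    """True if capability number `cap` is in the effective set."""
    return bool((effective_caps(status_text) >> cap) & 1)

def self_has_cap_mknod():
    """Same check for the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return has_cap(f.read(), CAP_MKNOD)

def can_mknod_in(directory):
    """Try to create a character device node in `directory` (major 1, minor 3:
    the numbers of /dev/null) and remove it again. False means the kernel
    refused with EPERM/EACCES, which is what a container without CAP_MKNOD gets."""
    path = os.path.join(directory, ".mknod-probe")
    try:
        os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(1, 3))
    except PermissionError:
        return False
    os.unlink(path)
    return True

# Constructed CapEff lines: a full root set, and a set with bit 27 cleared.
STATUS_FULL = "Name:\tprobe\nCapEff:\t000001ffffffffff\n"
STATUS_NO_MKNOD = "Name:\tprobe\nCapEff:\t00000000a00425fb\n"

if __name__ == "__main__":
    print("CAP_MKNOD in effective set:", self_has_cap_mknod())
    with tempfile.TemporaryDirectory() as d:
        print("can create a device node in", d, ":", can_mknod_in(d))
```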


Re: [DNG] couldn't register with accessibility bus in Beowulf (workaround)

2020-03-25 Thread Daniel Abrecht via Dng

Hi

I've had that problem as well. It also prevents the auto-show feature of 
the `onboard` onscreen keyboard from working (which was annoying on my 
Librem 5 Phone, where I need that feature).


To me, it seems to be caused by a combination of something `lightdm` 
does, and something `at-spi-bus-launcher` does not do.
After a login with `lightdm`, the X11 root window has the `AT_SPI_BUS` 
property set (`xprop -root AT_SPI_BUS`), however, it seems the 
`at-spi-bus-launcher`/`at-spi2-registryd` instance which created that 
property does not exist anymore, causing applications to fail to connect 
to it. In addition to this, the presence of that property prevents a new 
instance of `at-spi-bus-launcher` from starting.

My current workaround is to remove the `AT_SPI_BUS` property, and then 
start `at-spi-bus-launcher` again:

```
xprop -root -remove AT_SPI_BUS
/usr/lib/at-spi2-core/at-spi-bus-launcher &
```

After that, the `onboard` auto-show feature works for me for newly 
started applications again (this may require an `onboard` restart). At 
least for GTK applications, that is, I still have the problem of that 
feature not working for some Qt applications, such as the `kate` editor. 
I assume that should be the same for other things which use the 
accessibility bus as well.


Regards,
Daniel Abrecht


Re: [DNG] why is polkit needed?

2020-02-25 Thread Daniel Abrecht via Dng

On 2020-02-25 11:11, Hendrik Boom wrote:

> Which is the reason for a capability architecture.  Is there anything
> resembling that in GNU/Linux userspace?


Kind of, not really.

There is something similar to role based access control, namely the unix 
file permission model, which is a kind of DAC. Users and groups 
(=roles) can have different permissions on files (reading, writing, 
executing).
Then there are the security modules. These can extend that 
functionality, which is usually used to add some kind of MAC.


For processes / syscalls, Linux has capabilities as a replacement for 
things usually reserved for root, but these usually aren't very useful, 
they are crude and can often be used to escalate to root anyway.
For syscalls, there is also seccomp, but it's hard to use and 
architecture dependent, and it will break applications which use it 
regularly.


Something which is currently missing is a way to manage permissions for 
specific ioctls. Usually, it's per device, and some ioctls need read 
or write permissions to the fd. Sometimes, that's sufficient, sometimes 
not.
There is kind of a horrible situation with /dev/dri/card* devices, if I 
remember correctly, you need root for the ioctls to become drm master 
and do modesetting, even if you have read and write permissions to the 
file, which is why this is delegated to logind or a suid binary, I 
think? One way to resolve this would be to split those card devices 
into multiple ones, but I don't think that's going to happen. I don't 
think configurable supplementary group based per ioctl permissions are 
going to happen either. Except maybe as an LSM.


One interesting thing about files is that permissions are only checked 
when those are opened. A file descriptor is like an access token. And 
they can be sent over unix sockets, which can also be files. Those file 
descriptors are unrevokable, though.


There is also a small problem with the DAC permission model. A process 
has only one set of user, group, supplementary groups. This means, 
either you can use them to restrict a program, or you can use them to 
restrict a user, but you can't have restrictions based on a user and a 
program. I was thinking a lot about this at some point, and wanted to 
write an LSM for that at some point, but I never got to it. I did 
write down my thoughts, although retrospectively, I did make various 
mistakes and misused some terminology in there: 
https://github.com/Daniel-Abrecht/Discretionary-Program-Access-Control/blob/proposal/Discretionary%20Program%20Access%20Control.md


It's possible that there are still some other access control mechanisms 
I don't know of yet.

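
The "file descriptor as an unrevokable access token" point from the message above, shown end to end as an added example (not from the post): a descriptor is opened while DAC allows it, handed to another side over a unix socket with SCM_RIGHTS, and keeps working after every permission bit on the file has been removed. It assumes Python 3.9+ (for `socket.send_fds`/`recv_fds`) on Linux; the temporary file and its content are constructed.

```python
"""DAC is checked at open(); the fd that results is a bearer token that survives chmod 0."""
import os
import socket
import tempfile

def fd_token_demo():
    d = tempfile.mkdtemp()
    path = os.path.join(d, "secret.txt")
    with open(path, "w") as f:
        f.write("readable only via the passed fd\n")

    # "Server" side: opens the file while it is still permitted to, then hands
    # the descriptor to the "client" over a unix socket (SCM_RIGHTS).
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = os.open(path, os.O_RDONLY)
    socket.send_fds(server, [b"here is your token"], [fd])
    os.close(fd)                 # sender's copy is gone; the receiver still holds the open file

    msg, fds, _, _ = socket.recv_fds(client, 64, 1)
    received = fds[0]

    # Now "revoke" access the only way DAC offers: strip every permission bit.
    os.chmod(path, 0)
    try:
        os.close(os.open(path, os.O_RDONLY))
        reopen_ok = True         # only with CAP_DAC_OVERRIDE (normally: running as root)
    except PermissionError:
        reopen_ok = False

    # The already-open descriptor is unaffected: read() does no permission check.
    data = os.read(received, 100)
    os.close(received)
    server.close()
    client.close()
    os.chmod(path, 0o600)
    os.unlink(path)
    os.rmdir(d)
    return {"msg": msg, "read_via_fd": data, "reopen_ok": reopen_ok, "euid": os.geteuid()}

if __name__ == "__main__":
    r = fd_token_demo()
    print("re-open after chmod 0 succeeded:", r["reopen_ok"])
    print("read through the passed fd:", r["read_via_fd"].decode().strip())
```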


Re: [DNG] why is polkit needed?

2020-02-24 Thread Daniel Abrecht via Dng

Hi

I would like to add my point of view to the polkit debate.
I don't think polkit is bad or unnecessary, it simply has a completely 
different usecase/scope than sudo has.



sudo is for starting a process as an other user provided some 
preconditions (group/user allowed to use it, supplied arguments allowed, 
etc.) are met.
And it can retain or restrict some resources inherited from the parent 
process (such as environment variables, for example).
Therefore, the use case is to allow some users to execute certain 
commands in certain ways with certain resources.



I know polkit less well, but my current understanding is, that polkit is 
for managing access to stuff on dbus.


So next, why is dbus needed?
dbus is a message bus. There usually is one for the whole system, and 
one for each session.
There are various uses and misuses for it, but I think the most crucial 
things are:

 * Notify any process interested in something of these things.
 * Tell other programs which can do something to do something.

This can be useful for various things, for example:
 * A program may want to know if a device got rotated, so it can rotate a 
screen.
 * A wlan management gui may want to tell its daemon that it shall 
connect to a wlan, and it may want to know what connections it already 
has and manages.
 * A phone call application may want to ring when a call arrives, or it 
may want to let the user initiate a call.


Now, those examples are mainly things that would need the system bus. I 
couldn't come up with a good example solely within a user session/bus, 
but I'm sure these exist too, especially because dbus doesn't need a 
graphical session.


And with that, back to polkit. It'd be bad if just everyone/everything 
could do system level stuff, so per default, no one can. But that would 
make dbus useless for a lot of things.
This is the problem polkit is there to solve, there are config files 
specifying who (user, group, etc.) can see/use which method calls, 
signals/messages, etc.


Without dbus, applications & daemons could do similar things using unix 
sockets. However, then, every application would need their own socket, 
permission management, configs, etc. This would have the same security 
implications as just using dbus, which also just uses unix sockets, but 
would leave a bigger attack surface, and a lot of scattered security 
critical configs with different formats.


Now, there is also the approach of using a suid binary for the 
privileged stuff. As a good and bad thing, just like sudo, this can't 
escape a container, unlike a unix socket passed to one could. However, 
it would leave the problem of a bigger attack surface, and a lot of 
scattered security critical configs with different formats, and is very 
difficult to get right.


All things considered, I think for the purpose of interacting with 
system level daemons/services and managing related permissions, 
especially in cases more complex than simply shutting down the system 
for example, dbus + polkit is a very nice solution, especially 
considering the alternatives. It does have some flaws, though, such as 
no one knowing how to correctly configure it, for example.



Regarding pkexec, I think this thing is an abomination. Starting a 
process is absolutely not something which should be done in a way 
completely disregarding resources and restrictions of the spawning 
process. It's kind of useful for checking if polkit works at all, but 
aside from that, I recommend getting rid of it as fast as possible.


Regarding gksudo, I think its intended use case is an awful thing as 
well. The very idea of asking for a user's password for starting a more 
privileged process is a bad one. It means that if the user account is 
breached, as soon as sudo or gksudo is used to obtain root, it could 
have been replaced (e.g. by changing the PATH, setting an alias, etc.) 
by an attacker to get the password instead, and then compromise the rest 
of the system. In my opinion, sudo should always be used in such a way 
as to work without password, and only for known "safe" commands. For 
everything else, it'd be much better to just log in on a tty as root. 
Same goes for su.



One last, only partially related thing. Does anyone know how to get 
polkit agents working properly? If I start `lxqt-policykit-agent`, for 
example, pkexec won't work. If I start it as `su -c 
'lxqt-policykit-agent'`, it does, but I'm pretty sure that's not the 
right way to do this. I'm currently on devuan beowulf, but I think 
debian users may have similar problems, I think systemd/logind people 
may have broken something in polkit...



Regards,
Daniel Abrecht


Re: [DNG] Mail message headers

2019-10-24 Thread Daniel Abrecht via Dng

Hi golinux,

I'm using Roundcube Webmail 1.2.3 on devuan ascii, with the following 
plugins:

filesystem_attachments 1.0 GPLv3+
jqueryui 1.10.4 GPLv3+

Everything was installed from the regular repos.

I don't have any of those strange http links in these headers. I also 
think this is most likely caused by a plugin of your roundcube mail 
client.


Regards,
Daniel Abrecht


Re: [DNG] [ASCII] [Mutt+Torify+Fetchmail+Procmail+Msmtp] Problems torifying email

2019-05-15 Thread Daniel Abrecht via Dng

On 15/05/2019 06.31, Se7en wrote:
> The problem I have been having since November 2018 when I upgraded
> to ASCII was that I simply can not torify Fetchmail. I later
> discovered that Mutt is affected. The problem seems to be related
> to my mail spool, /var/mail/se7en.

Are you using torsocks to torify applications? I wouldn't recommend
that. Using iptables, it's possible to configure tor as a transparent
proxy. You can redirect network traffic using iptables over tor. That
can be just traffic from the local host, or even traffic from a whole
network. Using linux network namespaces, you can have different
independent internal network configurations on your machine. You can
then enter that namespace and execute an application there. To route
traffic between network namespaces, you can use virtual ethernet
interface pairs (veth). It is also possible to connect them using
bridges. Physical network interfaces can be moved to a different
network namespace as well. All this can be done using the "ip",
"brctl" and "iptables" commands. You can also use containers for this,
they usually use network namespaces too. I recommend torifying the
complete system if possible, or even better, a whole dedicated
network. If you keep the tor devices and the other devices completely
separate, it becomes much harder to deanonymize you. Use one thing in
both environments, and you may have been deanonymized.

On another note, there are also a lot of online services that block
tor nodes, and I think some ports like smtp are blocked on pretty much
all exit nodes. It's fine for mailing between onion addresses, but not
for sending mails anywhere else from within tor.

Good luck,
Daniel Abrecht


Re: [DNG] Fwd: April's fools mess

2019-04-01 Thread Daniel Abrecht via Dng

It's now clear that this was a planned action and there was no danger.
But when it happened, this wasn't obvious in any way. I assume the
other staff members knew about it, was it discussed at the last meeting?

I really like April Fools, but this was no April Fool. Faking a crime,
in this case claiming to have been hacked, is no prank or joke. It
doesn't matter that it was April 1 either. This was absolutely
unacceptable, never do this again!

Regards,
Daniel Abrecht


[DNG] devuan.org website down

2019-03-09 Thread Daniel Abrecht via Dng

Devuan.org website seems to be down. I can't reach it, and neither can
that checker page: https://www.isitdownrightnow.com/devuan.org.html

Could someone fix that please?


Re: [DNG] simple-netaid-backend debugged.

2019-03-08 Thread Daniel Abrecht via Dng

On 2019-03-07 19:49, Alessandro Selli wrote:

> Next improvement would be using current commands (ip and iw) in place
> of the obsolete and deprecated ones, i.e. ifconfig and iwconfig:


ifconfig and iwconfig being deprecated or obsolete is questionable at 
best. They work, get security patches if they need them, provide a 
stable interface, and have a stable, parseable output that's known to 
not change.


ip and iw on the other hand, well, they aren't suitable to pass 
networking information to other programs because they have a less stable 
interface. At least with ip, that will get a bit better with the -json 
option. But that option isn't in Debian's version yet.


In addition to this, ifconfig and iwconfig will also work on other unix 
systems, such as FreeBSD.


Parsing output in regular programs is more of a hack anyway. Why can't 
these tools provide a library for use in regular programs?


There is also the option of using the kernel interfaces directly, but 
then the program directly depends on linux.


There really is no good option.


PS: It's not like I don't use ip at all, I do use its netns feature on 
one of my servers to move all its network interfaces to a different 
netns, which I then use for a libvirt container, in which I set up the 
routing between the host system, the containers, and the VMs on my 
server. There is no reason why ip should do this and not a dedicated 
program though.


I think about using network namespaces, and maybe also some filesystem & 
user namespaces on my desktop PC too at some point. I could probably 
write a pam module to isolate user homes further and put different users 
into different network namespaces. That way, I could make sure all 
connections of certain users are part of my regular network, and all 
connections of other users are always routed over a vpn, a proxy, over 
tor, or something similar. But I won't be able to use ip for that. And I 
won't get to that any time soon, there is just so much stuff to do. But 
linux namespaces are really awesome, I use them all the time, and not 
just for containers.



[DNG] Devuan on the Librem5 devkit

2018-12-31 Thread Daniel Abrecht via Dng

My Devuan images can boot on the librem5 devkit now. A lot of things,
like the lcd display, don't work yet, but I'm working on it. A uart
adapter is required to access the linux console, which is currently
the only way to access the image after it has been flashed.

The build scripts can be found here:
 * https://github.com/Daniel-Abrecht/librem5-image-builder
 * https://gitlab.com/DanielAbrecht/librem5-image-builder

If anyone has cloned my repos before already, I recommend doing a
"make reset", or at least a "make reset-repo" before rebuilding the
images to make sure all repos are up-to-date. I also recommend doing a
"make reset-repo@linux" and "make reset-repo@uboot" from time to time,
to get the latest kernel & uboot, the repos are active at the moment.

There is still a lot to do, I'll keep y'all updated.

Regards,
Daniel Abrecht