Re: Private home directories for hirsute onwards

2020-11-26 Thread Alex Murray 

On Fri, 2020-11-27 at 03:39:36 +1030, Dimitri John Ledkov wrote:

> On Thu, Nov 26, 2020 at 2:31 AM Alex Murray  wrote:
>>
>> setfacl -m u:libvirt-qemu:rx $HOME
>>
>
> Similar to above for qemu are there similar setfacl commands, would
> something similar be also needed for:
> - sshd user to access ~/.ssh/authorized_keys , or nothing needed
> there?

There is nothing needed here, ssh with public key auth works fine with
750 $HOME - sshd runs as root so this is fine

> - in GNOME making ~/Public public?

Also tested this and is fine - gnome-user-shame spawns apache2 running
as the target user to share via webdav so this also works

> - giving access to ~/public_html for the www-data user?

This also needs the same ACL based approach:

setfacl -m u:www-data:rx $HOME

>
> If yes, then what are the commands?
>
> I like this approach of selective and explicit setfacl commands to
> grant ACLs on per-usecase basis. This is inline with modern ways of
> managing permissions.
>
> -- 
> Regards,
>
> Dimitri.


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Should one be able to install with only release + -security enabled?

2020-11-26 Thread Dimitri John Ledkov 
On Wed, Nov 25, 2020 at 2:59 PM Nish Aravamudan
 wrote:
>
> Hi!
>
> I have been testing a network-isolated Ubuntu mirror inside our network and I 
> am trying to understand if what I envision should work or not.
>
> In particular, I am trying to minimize how much review is needed for package 
> updates, so I would like to just include the release and security pockets. 
> However, I am finding a few package updates (in Bionic in my case, but I 
> think Focal may also have this problem) that only have fixes in the -updates 
> pocket. This prevents installation from succeeding with preseed.
>
> So far, I have seen apt-setup, but debootstrap and base-installer both need 
> some adjustment for my test environment.
>
> Should we require -updates as well?

Actually it's the security pocket that is optional. It is a fast track
to access SRUs that happen to also contain security fixes at the
fastest speed possible, with automatic download & upgrades by default
via a direct connection to security.ubuntu.com.

When a new security update is prepared, it is based on package version
in updates; security; or release pocket in that order.

Because security update is mandatory to install, and it must not
regress any fixes that already were present in either
updates/security/release.

And then the security update is published into both updates & security
pockets on archive.ubuntu.com & mirrors, as well as onto
security.ubuntu.com host. As it must supersede everything.

When mirroring, we recommend for people to mirror release & updates
pockets. And we advise people to keep security.ubuntu.com
$suite-security archive config as is.

This way all machines can access security updates via a separate
endpoint directly. This insures that if the private mirror is lagging,
the critical security updates still get through to the end-users.

If you must mirror security.ubuntu.com $suite-security, please ensue
it is a separate mirror too. Such that resiliency remains to access
security-updates even if the stock mirror for updates is down for
maintenance.

-- 
Regards,

Dimitri.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Private home directories for hirsute onwards

2020-11-26 Thread Dimitri John Ledkov 
On Thu, Nov 26, 2020 at 2:31 AM Alex Murray  wrote:
>
> setfacl -m u:libvirt-qemu:rx $HOME
>

Similar to above for qemu are there similar setfacl commands, would
something similar be also needed for:
- sshd user to access ~/.ssh/authorized_keys , or nothing needed there?
- in GNOME making ~/Public public?
- giving access to ~/public_html for the www-data user?

If yes, then what are the commands?

I like this approach of selective and explicit setfacl commands to
grant ACLs on per-usecase basis. This is inline with modern ways of
managing permissions.

-- 
Regards,

Dimitri.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss