Re: UEFI bootkit

[Eddie G. O'Connor Jr.]

On 09/19/2012 11:06 PM, JD wrote:


On 09/19/2012 08:50 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 10:47 PM, JD wrote:


On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus 
writers with the UEFI framework available, much easier than before 
when they needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally 
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user 
choice."


Great!  MS shoots self in foot, others in head.  We saw it coming :/



Or...maybe this was a little "skit" to help make the push for 
universal UEFI enforcement?.this way Linux users are locked 
out, the landscape once again returns to the Windows vs Apple 
conflict eliminating the biggest threat to both of them in one 
hatchet swing! I for one am going to be looking into way to get 
around this thing.I see no reason to be locked into using a 
particular brand or service JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will 
provide the buyer the option
of either uefi or traditional bios. Not so sure about laptop 
manufacturers. Perhaps

one or more may choose to offer that choice.




And if there's no "options" out there?.then what? do I just go 
ahead and install my OWN version of a BIOS and hope for the best?...



EGO II

In that case, I feel that many people will start building open source
bioses for a limited set of mobos. They will provide the software to
burn the bios into the mobo's eeprom or will even sell mobo's which
them modify and install their own bios prom on. I think nature abhors 
vaccum.




I agree, well then in that case I'm not as worried as I was before!


EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Apache/chromium slow

[Tim]

On Thu, 2012-09-20 at 11:38 +1000, Roger wrote:
> I'm finding that some admin pages, eg, permissions, can take over 2 
> minutes to load and similar to save changes.
> top doesn't show anything out of the ordinary, memory is no more than 
> <20% of 2 gig, /swap is not used.

The first things that spring to mind with slow, but not CPU intensive,
are:  

DNS resolution problems.  

And somewhere, something is trying to connect to an outside service,
whether that be because you've configured an address wrongly, or it's
calling home to mummy (which could be snooping, or your browser doing
one of those "is this page dangerous?" checks).

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Apache/chromium slow

[Steven Stern]

On 09/19/2012 08:38 PM, Roger wrote:
> I have Fedora 16 latest updates developing a drupal 7 site on my home pc
> in /var/www/html/drupal/.
> 
> I'm finding that some admin pages, eg, permissions, can take over 2
> minutes to load and similar to save changes.
> top doesn't show anything out of the ordinary, memory is no more than
> <20% of 2 gig, /swap is not used.
> How can I watch/trace exactly what is happening to cause significant
> delays.
> These delays do not occur on the remove server, just on my home machine.
> Thanks for help
> roger
> 
> 
When on your home box, make sure that you're not hitting a lot of
SELinux errors. If you move files into /var/www, rather than copying
them via cp, you'll keep SELinux very busy. As root, try "restorecon -v
-r /var/www" to make sure everything there has the right contexts.

Finally, grab a copy of the tuning-primer script and check that MySQL is
tuned properly.  Get it at http://www.day32.com/MySQL/tuning-primer.sh


-- 
-- Steve
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Tim]

On Wed, 2012-09-19 at 14:18 +0200, Patrick Dupre wrote:
> Can I use (mount?) a cd reader from another computer?
> Both computers are on internet, In aother words can I do a
> mount 122.255.988.10:/dev/cdrom or similar?

You'd mount it on the computer it's connected to, then export that mount
to your network.  However, changing discs would be a pain, you'd have to
unexport then unmount it.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[JD]

On 09/19/2012 08:50 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 10:47 PM, JD wrote:


On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus writers 
with the UEFI framework available, much easier than before when 
they needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally 
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user 
choice."


Great!  MS shoots self in foot, others in head.  We saw it coming :/



Or...maybe this was a little "skit" to help make the push for 
universal UEFI enforcement?.this way Linux users are locked out, 
the landscape once again returns to the Windows vs Apple conflict 
eliminating the biggest threat to both of them in one hatchet swing! 
I for one am going to be looking into way to get around this 
thing.I see no reason to be locked into using a particular brand 
or service JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will 
provide the buyer the option
of either uefi or traditional bios. Not so sure about laptop 
manufacturers. Perhaps

one or more may choose to offer that choice.




And if there's no "options" out there?.then what? do I just go 
ahead and install my OWN version of a BIOS and hope for the best?...



EGO II

In that case, I feel that many people will start building open source
bioses for a limited set of mobos. They will provide the software to
burn the bios into the mobo's eeprom or will even sell mobo's which
them modify and install their own bios prom on. I think nature abhors 
vaccum.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[Eddie G. O'Connor Jr.]

On 09/19/2012 10:47 PM, JD wrote:


On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus writers 
with the UEFI framework available, much easier than before when they 
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally 
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great!  MS shoots self in foot, others in head.  We saw it coming :/



Or...maybe this was a little "skit" to help make the push for 
universal UEFI enforcement?.this way Linux users are locked out, 
the landscape once again returns to the Windows vs Apple conflict 
eliminating the biggest threat to both of them in one hatchet swing! 
I for one am going to be looking into way to get around this 
thing.I see no reason to be locked into using a particular brand 
or service JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will 
provide the buyer the option
of either uefi or traditional bios. Not so sure about laptop 
manufacturers. Perhaps

one or more may choose to offer that choice.




And if there's no "options" out there?.then what? do I just go ahead 
and install my OWN version of a BIOS and hope for the best?...



EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[JD]

On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus writers 
with the UEFI framework available, much easier than before when they 
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally 
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great!  MS shoots self in foot, others in head.  We saw it coming :/



Or...maybe this was a little "skit" to help make the push for 
universal UEFI enforcement?.this way Linux users are locked out, 
the landscape once again returns to the Windows vs Apple conflict 
eliminating the biggest threat to both of them in one hatchet swing! I 
for one am going to be looking into way to get around this thing.I 
see no reason to be locked into using a particular brand or service 
JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will provide 
the buyer the option
of either uefi or traditional bios. Not so sure about laptop 
manufacturers. Perhaps

one or more may choose to offer that choice.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[Eddie G. O'Connor Jr.]

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus writers 
with the UEFI framework available, much easier than before when they 
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally signed 
UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great!  MS shoots self in foot, others in head.  We saw it coming :/



Or...maybe this was a little "skit" to help make the push for 
universal UEFI enforcement?.this way Linux users are locked out, the 
landscape once again returns to the Windows vs Apple conflict 
eliminating the biggest threat to both of them in one hatchet swing! I 
for one am going to be looking into way to get around this thing.I 
see no reason to be locked into using a particular brand or service JUST 
because someone ELSE thinks I should!



EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Apache/chromium slow

[Roger]

I have Fedora 16 latest updates developing a drupal 7 site on my home pc 
in /var/www/html/drupal/.


I'm finding that some admin pages, eg, permissions, can take over 2 
minutes to load and similar to save changes.
top doesn't show anything out of the ordinary, memory is no more than 
<20% of 2 gig, /swap is not used.

How can I watch/trace exactly what is happening to cause significant delays.
These delays do not occur on the remove server, just on my home machine.
Thanks for help
roger


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[Mikkel L. Ellertson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 06:43 PM, JD wrote:
>
>
> The question I have is, can the buyer simply choose NOT to
> use uefi (i.e. blow it off the system) and boot any OS of choice
> which will not insist on the presence of any UEFI?
> I think the answer to this question is more important as it provides
> an "opt-out" choice to the consumer.
>
>

If I understand things correctly, UEFI takes the place of the BIOS,
so you have to use UEFI to boot. So it would be blowing off the
BIOS. Would it be possible to replace the stock UEFI with an open
source version like you can replace the stock BIOS with an open
source version on some motherboards? That may be something to look
into. I am not sure what hoops you have to jump through to
change/upgrade the UEFI image...

Mikkel
- -- 
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBacPoACgkQqbQrVW3JyMRrHwCfdO6TU3WspSGVpbvVJm6vTPRh
YCgAn1p3zU9YwXD2DzlA7dDOKIKTzEaE
=Pu1R
-END PGP SIGNATURE-

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[nomnex]

> On Wed, 19 Sep 2012 11:05:39 -0700
> Mike Wright  wrote:
>
> And in today's news:
> 
> http://www.theregister.co.uk/2012/09/19/win8_rootkit/
> 
> A few things in particular stood out to me:
> 
> 1)  "Writing a bootkit couldn't be an easier task for virus writers
> with the UEFI framework available, much easier than before when they
> needed to code in pure assembly."
> 
> 2) "... unless SecureBoot is used to ensure that only digitally
> signed UEFI bootloaders can be executed at the system bootup.
> 
> 3) "... enabling SecureBoot by default effectively limits user
> choice."
> 
> Great!  MS shoots self in foot, others in head.  We saw it coming :/

I am still unclear about secure boot. As I will probably delay my
purchase of a new notebook until next year, I worry.

I read the efforts of the fedora team to allow >F18 to boot on UEFI
+Secure boot enabled devices (the machines with the W8 stinker on them).

I also read that (most?) vendor will allow Secure boot to be switch off
on the BIOS.

When I purchase a notebook (Prior to Secure boot), I erase the
partition. I boot from a Live CD. If everything seems to work, and if I
like the DE, I install the OS.

And that's my question with these new UEFI+Secure boot machines: If I
turn Secure boot OFF, can I install a live CD as I used to do. Or is
there more?

-- 
nomnex 
Freenode: nomnex
Registered Linux user #505281. Be counted at: http://linuxcounter.net
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[JD]

On 09/19/2012 05:00 PM, Alan Cox wrote:

The proper way to do this is to issue a unique key for each board
that has the private signing key included for the users who wish to
add personally signed software. Their key does not work on any other
machine, of course. Distros could sign their material. And if the user
wishes to recompile a kernel they can sign it with their own key and
still boot with it.

While they made a right mess of it and IMHO tried to play ugly cynical
games (and still are on ARM) the underlying concern isn't entirely bogus.
The signing extends through the system including all the firmware. That
means that the firmware you get is the firmware the vendor intended you
to get which cuts out an interesting (and it seems growing) like of
attacks based upon shipping people computers with trojaned firmware.

Now given a lot of this will be built in countries that the USA doesn't
trust, by people they don't trust I'm not sure what impact it will have
on the really "interesting" uses of such technology, but it cuts out some
stuff.

And there is a real issue because as other security improves and systems
with interesting stuff on become highly isolated firmware attacks and
shipping people "pre trojanned" systems into banks etc becomes a rather
attractive attack model.

Alan

What you say is indeed a very ppssible scenario, as the US has
lost a lot of friends recently, especially among the countries that
manufacture the high tech we buy.

The question I have is, can the buyer simply choose NOT to
use uefi (i.e. blow it off the system) and boot any OS of choice
which will not insist on the presence of any UEFI?
I think the answer to this question is more important as it provides
an "opt-out" choice to the consumer.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Mikkel L. Ellertson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 04:46 PM, Rick Stevens wrote:
> On 09/19/2012 12:16 PM, Mikkel L. Ellertson uttered this comment:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 09/19/2012 11:50 AM, Rick Stevens wrote:
>>> On 09/19/2012 05:18 AM, Patrick Dupre uttered this comment:
 Hello,

 Can I use (mount?) a cd reader from another computer?
 Both computers are on internet, In aother words can I do a
 mount 122.255.988.10:/dev/cdrom or similar?
>>>
>>> Not really. You can ssh to the remote box, mount the media on the
>>> remote box, then export that mount from the remote box via NFS or
>> CIFS.
>>>
>>> On your local box, you'd mount the export from the remote box
>> using the
>>> appropriate mechanism (NFS or CIFS).
>> I wounder if ISCSI would let you do this?
>
> It would if the remote device was an iSCSI target and everything had
> been set up cleanly. Remember that iSCSI only offers up raw block
> devices. The mount of the remote device would have to know what
> filesystem type the remote device was. iSCSI can be confusing.
I was thinking the local system would take care of mounting the
device using SCSI commands over the network to access it as if it
were attached to the local machine. But I may be misunderstanding
what iSCSI does. I have not looked into it in depth.

It sounds like you know a lot more then I do about it. Would the
device ID from the remote device show that it is a CD/DVD drive?
Could the drive be handled the same way as an USB CD/DVD drive? But
using iSCSI instead of USB as the communication channel to the
drive? The same upper level drivers used for almost all CD/DVD
drives, with only the low level drivers changed to use iSCSI instead
of low level SCSI/ATA/USB to communicate with the drive?

What I am thinking of is that all the remote system would do is
handle the communications between the network and the physical
device driver, just like it handles communication between the
physical device driver and the high level SCSI drivers when you
access the device locally. Then on the local machine, the ISCSI
drivers would take the place of the physical device driver, and the
rest would be handled as if it were a local drive. The remote
machine would never have to know what file system is involved. It
would just pass commands and data between the network and the
device. (Start read at track x, sector y, and return z blocks of
data.) The remote machine would never mount the file system.

Mikkel
- -- 
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBaVrsACgkQqbQrVW3JyMR6bQCbBKPpuTqqUWBMl30SGKNoMC8Z
GSwAn0HyVsNM9lU0LtqB3jLICDhZUvQL
=MuGP
-END PGP SIGNATURE-

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[Alan Cox]

> The proper way to do this is to issue a unique key for each board
> that has the private signing key included for the users who wish to
> add personally signed software. Their key does not work on any other
> machine, of course. Distros could sign their material. And if the user
> wishes to recompile a kernel they can sign it with their own key and
> still boot with it.

While they made a right mess of it and IMHO tried to play ugly cynical
games (and still are on ARM) the underlying concern isn't entirely bogus.
The signing extends through the system including all the firmware. That
means that the firmware you get is the firmware the vendor intended you
to get which cuts out an interesting (and it seems growing) like of
attacks based upon shipping people computers with trojaned firmware.

Now given a lot of this will be built in countries that the USA doesn't
trust, by people they don't trust I'm not sure what impact it will have
on the really "interesting" uses of such technology, but it cuts out some
stuff.

And there is a real issue because as other security improves and systems
with interesting stuff on become highly isolated firmware attacks and
shipping people "pre trojanned" systems into banks etc becomes a rather
attractive attack model.

Alan
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Bill Shirley]

On 9/19/2012 5:54 PM, Arthur Dent wrote:

On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:

On 9/19/2012 3:36 PM, Arthur Dent wrote:


On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
All is not _quite_ perfect however. In calling clamdscan from my script
(itself called from procmail) I get the error:
ERROR: Can't parse clamd configuration file /etc/clamd.conf

Note the config file and location. In order to get it to work (which it
does), I need to declare clamdscan in my script as:
"/bin/clamdscan -c/etc/clamd.d/scan.conf"

So where does it default to /etc/clamd.conf ? I have grepped the whole
of /etc/* and can't find a reference to this location, and there is
no /etc/sysconfig/clamd as there used to be.

I think this is the last remaining mystery. After I have solved this I
will be a very happy bunny!

/etc/clamd.conf is the old location for the config file.  With the
flexibility of systemd allowing multiple daemons running, I think the
packager changed things to use /etc/clam.d/scan.conf but didn't catch
this change for clamdscan.

Yes I know that /etc/clamd.conf is the old location. What I can't work
out is why it still thinks that's where it is. Is it hard-coded
somewhere?


I also run a Mandriva mail server that uses procmail to deliver mail.
Here is a snippet of my IMAP recipe:
:0
VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -


[snip] useful recipe (similar to mine). The thing is, for me "clamdscan
--no-summary --stdout" won't work. I need to tell it explicitly where
the config file is. I have this in my script:
CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
CLAMSCANOPT="--no-summary --stdout"

and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}

The same thing happens on the command line:
# clamdscan -V
ERROR: Can't parse clamd configuration file /etc/clamd.conf
# clamdscan -c /etc/clamd.d/scan.conf -V
ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012

Any ideas?

Thanks (yet) again...

Mark





Yes, I would just symlink it.
ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

Bill

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[jdow]

On 2012/09/19 14:52, Alan Evans wrote:

On Wed, Sep 19, 2012 at 11:05 AM, Mike Wright wrote:

Great!  MS shoots self in foot, others in head.  We saw it coming :/


Shoots themselves in the foot? Limiting user choice sounds like it's
working just the way they wanted. (Shooting everyone else in the head
was a part of their plan.)


The proper way to do this is to issue a unique key for each board
that has the private signing key included for the users who wish to
add personally signed software. Their key does not work on any other
machine, of course. Distros could sign their material. And if the user
wishes to recompile a kernel they can sign it with their own key and
still boot with it.

{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Arthur Dent]

On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:
> 
> On 9/19/2012 3:36 PM, Arthur Dent wrote:
> 
> > On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:

> > 
> > All is not _quite_ perfect however. In calling clamdscan from my script
> > (itself called from procmail) I get the error:
> > ERROR: Can't parse clamd configuration file /etc/clamd.conf
> > 
> > Note the config file and location. In order to get it to work (which it
> > does), I need to declare clamdscan in my script as:
> > "/bin/clamdscan -c/etc/clamd.d/scan.conf"
> > 
> > So where does it default to /etc/clamd.conf ? I have grepped the whole
> > of /etc/* and can't find a reference to this location, and there is
> > no /etc/sysconfig/clamd as there used to be.
> > 
> > I think this is the last remaining mystery. After I have solved this I
> > will be a very happy bunny!

> /etc/clamd.conf is the old location for the config file.  With the
> flexibility of systemd allowing multiple daemons running, I think the
> packager changed things to use /etc/clam.d/scan.conf but didn't catch
> this change for clamdscan.

Yes I know that /etc/clamd.conf is the old location. What I can't work
out is why it still thinks that's where it is. Is it hard-coded
somewhere?

> I also run a Mandriva mail server that uses procmail to deliver mail.
> Here is a snippet of my IMAP recipe:
> :0
> VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -
> 
[snip] useful recipe (similar to mine). The thing is, for me "clamdscan
--no-summary --stdout" won't work. I need to tell it explicitly where
the config file is. I have this in my script:
CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
CLAMSCANOPT="--no-summary --stdout"

and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}

The same thing happens on the command line:
# clamdscan -V
ERROR: Can't parse clamd configuration file /etc/clamd.conf
# clamdscan -c /etc/clamd.d/scan.conf -V
ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012

Any ideas?

Thanks (yet) again...

Mark




signature.asc
Description: This is a digitally signed message part
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Loosing the keyboard

[Sjoerd Mullender]

On 2012-09-19 22:04, Geoffrey Leach wrote:
> I'm running Xfce on Fedora 17. Every so often (daily?) I loose the 
> keyboard. Mouse works fine.  I've been trying to discover what 
> process is running before loss but not after. The only processes that 
> I've been able to identify are kworkers.
> 
> Are there any suggestions as to what the cause might be? 
> 
> The only processes that I can identify from ps before and after are 
> kworkers, most often (but not exclusively) is [kworker/0:2] Is there 
> any way to identify what the kworkers are assigned to? (The problem has 
> continued over several kernels)
> 
> Logout-login cures the problem. 
> 
> Thanks.
> 
> 

Do you use the gdm desktop manager to log in?  Do you perhaps hold the
shift key down for longer than 8 seconds?
Try holding the shift key for at least 8 seconds and see if that helps
getting the keyboard back.

My solution was to switch over to lightdm.

-- 
Sjoerd Mullender



signature.asc
Description: OpenPGP digital signature
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: UEFI bootkit

[Alan Evans]

On Wed, Sep 19, 2012 at 11:05 AM, Mike Wright wrote:
> Great!  MS shoots self in foot, others in head.  We saw it coming :/

Shoots themselves in the foot? Limiting user choice sounds like it's
working just the way they wanted. (Shooting everyone else in the head
was a part of their plan.)
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Rick Stevens]

On 09/19/2012 12:16 PM, Mikkel L. Ellertson uttered this comment:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 11:50 AM, Rick Stevens wrote:

On 09/19/2012 05:18 AM, Patrick Dupre uttered this comment:

Hello,

Can I use (mount?) a cd reader from another computer?
Both computers are on internet, In aother words can I do a
mount 122.255.988.10:/dev/cdrom or similar?


Not really. You can ssh to the remote box, mount the media on the
remote box, then export that mount from the remote box via NFS or

CIFS.


On your local box, you'd mount the export from the remote box

using the

appropriate mechanism (NFS or CIFS).

I wounder if ISCSI would let you do this?


It would if the remote device was an iSCSI target and everything had
been set up cleanly. Remember that iSCSI only offers up raw block
devices. The mount of the remote device would have to know what
filesystem type the remote device was. iSCSI can be confusing.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   To err is human, to moo bovine.  -
--
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Loosing the keyboard

[Bill Shirley]

On 9/19/2012 5:31 PM, Frank Cox wrote:

On Wed, 19 Sep 2012 14:23:39 -0700
Joe Zeff wrote:


On 09/19/2012 01:15 PM, Mateusz Marzantowicz wrote:

Maybe you have broken keyboard? Does this happen with other keyboards
attached to this computer?

That's an interesting idea.  After all, he says that he's "loosing" the
keyboard not "losing" it.

So all he needs to do is tighten the nut between the keyboard and the chair?


Excellent!  You have my kind of humor. :-)

Bill

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Loosing the keyboard

[Frank Cox]

On Wed, 19 Sep 2012 14:23:39 -0700
Joe Zeff wrote:

> On 09/19/2012 01:15 PM, Mateusz Marzantowicz wrote:
> > Maybe you have broken keyboard? Does this happen with other keyboards
> > attached to this computer?
> 
> That's an interesting idea.  After all, he says that he's "loosing" the 
> keyboard not "losing" it.

So all he needs to do is tighten the nut between the keyboard and the chair?

-- 
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Loosing the keyboard

[Joe Zeff]

On 09/19/2012 01:15 PM, Mateusz Marzantowicz wrote:

Maybe you have broken keyboard? Does this happen with other keyboards
attached to this computer?


That's an interesting idea.  After all, he says that he's "loosing" the 
keyboard not "losing" it.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Bill Shirley]

Well had you changed any default settings in clamd to turn on JIT or does it
come with JIT turned on by default?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaMGAACgkQrlYvE4MpobO1hQCgu6O9WCIZ2byEgkkFX09ophHd
0bwAoLJkGJxgx1IWrqpumUEs4M7FHJih
=pzaT
-END PGP SIGNATURE-


I must have.  My best guess is the TestDatabases in freshclam.conf:
# my stuff
LogFacility LOG_DAEMON
DatabaseMirror db.US.clamav.net
TestDatabases yes

Bill

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Bill Shirley]

On 9/19/2012 3:36 PM, Arthur Dent wrote:

On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:

"What tells it that it is a "scan" service? That bit of the puzzle seems
to be missing..."

Whatever is the parameter after the @ and before the dot  becomes %i in
the service file.  Look at the service file:
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
Restart = on-failure
PrivateTmp = true

so clamd@scan.service invokes clamd with the scan.conf file as it's
configuration file.
This way you can have multiple clamd services each using a different
config file.  Just create another config file in
/etc/clamd.d/my_config.conf and:
ln -s /lib/systemd/system/clamd@.service
/etc/systemd/system/clamd@my_config.service

You should have the /etc/clamd.d/scan.conf I think:

[root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
clamav-scanner-0.97.5-1700.fc17.noarch

Thank you Bill for a helpful and, more importantly, informative reply. I
think this will not only help me to solve my problem but, even better,
help me to understand where I was going wrong.

As before, I don't have access to the machine right now, so i will try
when I get home to work through this and get it right.

I will once again report back later...

Well... Progress!

Because I have done so much tinkering and editing of configs (and had
previously even tried the script I mentioned earlier) I was unsure as to
what should be where, so I blitzed every clam* package with yum erase,
ran updatedb and then deleted any and all clam* files and directories
still left. I also deleted the clam* users that had been created
(including a "clamd user that I had created myself), and then
reinstalled the lot.

A quick edit of the freshclam configs and the /etc/clamd.d/scan.conf
file and a call to systemctl enable clamd@scan.service and systemctl
start clamd@scan.service and I am up and running!

Thank you so much.

All is not _quite_ perfect however. In calling clamdscan from my script
(itself called from procmail) I get the error:
ERROR: Can't parse clamd configuration file /etc/clamd.conf

Note the config file and location. In order to get it to work (which it
does), I need to declare clamdscan in my script as:
"/bin/clamdscan -c/etc/clamd.d/scan.conf"

So where does it default to /etc/clamd.conf ? I have grepped the whole
of /etc/* and can't find a reference to this location, and there is
no /etc/sysconfig/clamd as there used to be.

I think this is the last remaining mystery. After I have solved this I
will be a very happy bunny!

Thank you again.

Mark





/etc/clamd.conf is the old location for the config file.  With the 
flexibility of systemd allowing multiple daemons running, I think the 
packager changed things to use /etc/clam.d/scan.conf but didn't catch 
this change for clamdscan.


I also run a Mandriva mail server that uses procmail to deliver mail.  
Here is a snippet of my IMAP recipe:

:0
VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -

:0
* VIRUS ?? !^Can\'t
{
  :0
  * VIRUS ?? !^OK
  {
:0
SUBJECT=| egrep '^Subject:' - | sed -e 's/Subject: //' -
:0 fw
| formail -i "Subject: [VIRUS: ${VIRUS}] ${SUBJECT}" -I 
"X-Clamav-Virus-Detected: Yes, ${VIRUS}"

:0
$DEFAULT.SystemFolders.Infected/
  }

  :0Efw
  | formail -b -f -t -I "X-Clamav-Virus-Detected: No"
}

To be honest, I don't remember what all the commands do except when it 
detects a spam email it puts it in a different directory 
($DEFAULT.SystemFolders.Infected/).  This Mandriva server uses 
/etc/clamd.conf.


Bill

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 04:41 PM, Bill Shirley wrote:
> 
> On 9/19/2012 3:21 PM, Daniel J Walsh wrote: On 09/19/2012 07:36 AM, Bill
> Shirley wrote:
 On 9/19/2012 5:47 AM, Arthur Dent wrote:
>> "What tells it that it is a "scan" service? That bit of the
>> puzzle seems to be missing..."
>> 
>> Whatever is the parameter after the @ and before the dot  becomes
>> %i in the service file.  Look at the service file: [Unit]
>> Description = clamd scanner (%i) daemon After = syslog.target
>> nss-lookup.target network.target
>> 
>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c 
>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp
>> = true
>> 
>> so clamd@scan.service invokes clamd with the scan.conf file as
>> it's configuration file. This way you can have multiple clamd
>> services each using a different config file.  Just create another
>> config file in /etc/clamd.d/my_config.conf and: ln -s 
>> /lib/systemd/system/clamd@.service 
>> /etc/systemd/system/clamd@my_config.service
>> 
>> You should have the /etc/clamd.d/scan.conf I think:
>> 
>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf 
>> clamav-scanner-0.97.5-1700.fc17.noarch
> Thank you Bill for a helpful and, more importantly, informative
> reply. I think this will not only help me to solve my problem but,
> even better, help me to understand where I was going wrong.
> 
> As before, I don't have access to the machine right now, so i will
> try when I get home to work through this and get it right.
> 
> I will once again report back later...
> 
> Thanks again. Your help is much appreciated.
> 
> Mark
> 
> 
 You mentioned scanning email.  I run clamav-milter and stop the virus
 at smtp time.  You may find this helpful:
 
 [root@moses clamav]# rpm -qa | grep clam | sort 
 clamav-data-0.97.5-1700.fc17.noarch 
 clamav-filesystem-0.97.5-1700.fc17.noarch 
 clamav-lib-0.97.5-1700.fc17.x86_64
 clamav-milter-0.97.5-1700.fc17.x86_64 
 clamav-milter-systemd-0.97.5-1700.fc17.noarch 
 clamav-scanner-0.97.5-1700.fc17.noarch 
 clamav-scanner-systemd-0.97.5-1700.fc17.noarch 
 clamav-server-0.97.5-1700.fc17.x86_64 
 clamav-server-systemd-0.97.5-1700.fc17.noarch 
 clamav-update-0.97.5-1700.fc17.x86_64
 
 For clamav-milter, I had to add clamilt to the postfix group (usermod
 -a -G postfix clamilt): [root@moses clamav]# egrep 'post|clam'
 /etc/group mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90: 
 clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:
 
 
 Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure
 to comment out above: Example
 
 ClamdSocket unix:/var/run/clamd.scan/clamd.sock
 MilterSocket /var/run/clamav-milter/clamav-milter.socket
 ##MilterSocket inet:3381 # usermod -a -G postfix clamilt
 MilterSocketGroup   postfix MilterSocketMode660
 
 OnInfected  Reject AddHeader   Replace
 
 #LogFile/var/log/clamav-milter.log #LogFileMaxSize 1M
 #LogTimeyes LogSyslog   yes LogFacility 
 LOG_MAIL #LogVerbose no LogCleanBasic 
 LogInfected Full
 
 Add to postfix's main.cf: # usermod -a -G clamilt postfix
 smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
 #milter_default_action = accept milter_default_action = tempfail
 
 I can't remember if I had to create the directory, but here is that
 info: [root@moses clamav]# ldpz
 /var/run/clamav-milter/clamav-milter.socket drwxr-xr-x. rootroot
 system_u:object_r:var_t:s0   /var lrwxrwxrwx. rootroot
 system_u:object_r:var_run_t:s0 /var/run -> ../run drwx--x---. clamilt
 clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
 srw-rw. clamilt postfix system_u:object_r:clamd_var_run_t:s0 
 /var/run/clamav-milter/clamav-milter.socket
 
 
 For clamav, to avoid selinux problems issue command: setsebool -P 
 clamd_use_jit on
 
 Add to end of scan.conf: # my stuff # be sure to commend out above: 
 Example
 
 #LogFile/var/log/clamav/clamd.scan #LogFacility 
 LOG_MAIL LogFacility LOG_DAEMON ExtendedDetectionInfo
 yes LocalSocket /var/run/clamd.scan/clamd.sock
 #LocalSocketGroup virusgroup #LocalSocketMode660
 FixStaleSocket  yes CrossFilesystemsno ExcludePath
 ^/proc/ ExcludePath ^/sys/ ExcludePath ^/fuse/
 ExcludePath ^/backup/ ExcludePath ^/bacula/
 SelfCheck   3600
 
 
 And finally freshclam, add to the end of freshclam.conf: # my stuff 
 Log

Re: Loosing the keyboard

[Andras Simon]

2012/9/19, Geoffrey Leach :
> I'm running Xfce on Fedora 17. Every so often (daily?) I loose the
> keyboard. Mouse works fine.  I've been trying to discover what
> process is running before loss but not after. The only processes that
> I've been able to identify are kworkers.
>
> Are there any suggestions as to what the cause might be?

Have a look at this:

http://forums.fedoraforum.org/showthread.php?t=277298

HTH,
Andras
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Bill Shirley]

On 9/19/2012 3:21 PM, Daniel J Walsh wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 07:36 AM, Bill Shirley wrote:

On 9/19/2012 5:47 AM, Arthur Dent wrote:

"What tells it that it is a "scan" service? That bit of the puzzle
seems to be missing..."

Whatever is the parameter after the @ and before the dot  becomes %i
in the service file.  Look at the service file: [Unit] Description =
clamd scanner (%i) daemon After = syslog.target nss-lookup.target
network.target

[Service] Type = simple ExecStart = /usr/sbin/clamd -c
/etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp =
true

so clamd@scan.service invokes clamd with the scan.conf file as it's
configuration file. This way you can have multiple clamd services each
using a different config file.  Just create another config file in
/etc/clamd.d/my_config.conf and: ln -s
/lib/systemd/system/clamd@.service
/etc/systemd/system/clamd@my_config.service

You should have the /etc/clamd.d/scan.conf I think:

[root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
clamav-scanner-0.97.5-1700.fc17.noarch

Thank you Bill for a helpful and, more importantly, informative reply. I
think this will not only help me to solve my problem but, even better,
help me to understand where I was going wrong.

As before, I don't have access to the machine right now, so i will try
when I get home to work through this and get it right.

I will once again report back later...

Thanks again. Your help is much appreciated.

Mark



You mentioned scanning email.  I run clamav-milter and stop the virus at
smtp time.  You may find this helpful:

[root@moses clamav]# rpm -qa | grep clam | sort
clamav-data-0.97.5-1700.fc17.noarch
clamav-filesystem-0.97.5-1700.fc17.noarch
clamav-lib-0.97.5-1700.fc17.x86_64 clamav-milter-0.97.5-1700.fc17.x86_64
clamav-milter-systemd-0.97.5-1700.fc17.noarch
clamav-scanner-0.97.5-1700.fc17.noarch
clamav-scanner-systemd-0.97.5-1700.fc17.noarch
clamav-server-0.97.5-1700.fc17.x86_64
clamav-server-systemd-0.97.5-1700.fc17.noarch
clamav-update-0.97.5-1700.fc17.x86_64

For clamav-milter, I had to add clamilt to the postfix group (usermod -a
-G postfix clamilt): [root@moses clamav]# egrep 'post|clam' /etc/group
mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90:
clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:


Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure to
comment out above: Example

ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocket
/var/run/clamav-milter/clamav-milter.socket ##MilterSocket
inet:3381 # usermod -a -G postfix clamilt MilterSocketGroup   postfix
MilterSocketMode660

OnInfected  Reject AddHeader   Replace

#LogFile/var/log/clamav-milter.log #LogFileMaxSize
1M #LogTimeyes LogSyslog   yes LogFacility
LOG_MAIL #LogVerbose no LogCleanBasic
LogInfected Full

Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters =
unix:/var/run/clamav-milter/clamav-milter.socket #milter_default_action =
accept milter_default_action = tempfail

I can't remember if I had to create the directory, but here is that info:
[root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
drwxr-xr-x. rootrootsystem_u:object_r:var_t:s0   /var
lrwxrwxrwx. rootrootsystem_u:object_r:var_run_t:s0 /var/run ->
../run drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0
/var/run/clamav-milter srw-rw. clamilt postfix
system_u:object_r:clamd_var_run_t:s0
/var/run/clamav-milter/clamav-milter.socket


For clamav, to avoid selinux problems issue command: setsebool -P
clamd_use_jit on

Add to end of scan.conf: # my stuff # be sure to commend out above:
Example

#LogFile/var/log/clamav/clamd.scan #LogFacility
LOG_MAIL LogFacility LOG_DAEMON ExtendedDetectionInfo   yes
LocalSocket /var/run/clamd.scan/clamd.sock #LocalSocketGroup
virusgroup #LocalSocketMode660 FixStaleSocket  yes
CrossFilesystemsno ExcludePath ^/proc/ ExcludePath
^/sys/ ExcludePath ^/fuse/ ExcludePath ^/backup/
ExcludePath ^/bacula/ SelfCheck   3600


And finally freshclam, add to the end of freshclam.conf: # my stuff
LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases yes


Note in all the clamav configuration file there is a line: Example that has
to be commented out for the service to run.

Don't forget to systemctl enable these to services: [root@moses clamav]#
systemctl is-active clamav-milter.service active [root@moses clamav]#
systemctl is-active clamd@scan.service active

Hope this helps, Bill




Is this the default setting for clamd now?  clamd_use_jit on  Should we turn
this on by default?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iE

Re: Loosing the keyboard

[Matthew Miller]

On Wed, Sep 19, 2012 at 01:04:30PM -0700, Geoffrey Leach wrote:
> I'm running Xfce on Fedora 17. Every so often (daily?) I loose the 
> keyboard. Mouse works fine.  I've been trying to discover what 

usb keyboard?

-- 
Matthew Miller  _☁_  Fedora Cloud Architect  _☁_  
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: mysql-test and mysql-test-run.pl

[Remi Collet]

Le 19/09/2012 19:30, Mark Haney a écrit :
> Can someone tell me why the mysql-test-run.pl file is missing from the
> mysql-test package?  (F17, that is) Most docs on the web indicate that
> the perl script is the way to initiate a test.  Am I missing something?
> 

I see it
=> /usr/share/mysql-test/mysql-test-run.pl


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Loosing the keyboard

[Mateusz Marzantowicz]

On 19.09.2012 22:04, Geoffrey Leach wrote:
> I'm running Xfce on Fedora 17. Every so often (daily?) I loose the 
> keyboard. Mouse works fine.  I've been trying to discover what 
> process is running before loss but not after. The only processes that 
> I've been able to identify are kworkers.
>
> Are there any suggestions as to what the cause might be? 
>
> The only processes that I can identify from ps before and after are 
> kworkers, most often (but not exclusively) is [kworker/0:2] Is there 
> any way to identify what the kworkers are assigned to? (The problem has 
> continued over several kernels)
>
> Logout-login cures the problem. 
>
> Thanks.
>
>

Sounds very mysterious, especially this part with lost keyboard. What
exactly does it mean? Are you unable to type in characters or what? What
apps are involved and how do you know that keyboard is lost?

kworker is a kernel thread and it has nothing to do with keyboard. The k
in the beginning stands for kernel not keyboard.

Maybe you have broken keyboard? Does this happen with other keyboards
attached to this computer?


Mateusz Marzantowicz
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Loosing the keyboard

[Geoffrey Leach]

I'm running Xfce on Fedora 17. Every so often (daily?) I loose the 
keyboard. Mouse works fine.  I've been trying to discover what 
process is running before loss but not after. The only processes that 
I've been able to identify are kworkers.

Are there any suggestions as to what the cause might be? 

The only processes that I can identify from ps before and after are 
kworkers, most often (but not exclusively) is [kworker/0:2] Is there 
any way to identify what the kworkers are assigned to? (The problem has 
continued over several kernels)

Logout-login cures the problem. 

Thanks.


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Arthur Dent]

On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
> > "What tells it that it is a "scan" service? That bit of the puzzle seems
> > to be missing..."
> >
> > Whatever is the parameter after the @ and before the dot  becomes %i in
> > the service file.  Look at the service file:
> > [Unit]
> > Description = clamd scanner (%i) daemon
> > After = syslog.target nss-lookup.target network.target
> >
> > [Service]
> > Type = simple
> > ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
> > Restart = on-failure
> > PrivateTmp = true
> >
> > so clamd@scan.service invokes clamd with the scan.conf file as it's
> > configuration file.
> > This way you can have multiple clamd services each using a different
> > config file.  Just create another config file in
> > /etc/clamd.d/my_config.conf and:
> > ln -s /lib/systemd/system/clamd@.service
> > /etc/systemd/system/clamd@my_config.service
> >
> > You should have the /etc/clamd.d/scan.conf I think:
> >
> > [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
> > clamav-scanner-0.97.5-1700.fc17.noarch
> 
> Thank you Bill for a helpful and, more importantly, informative reply. I
> think this will not only help me to solve my problem but, even better,
> help me to understand where I was going wrong.
> 
> As before, I don't have access to the machine right now, so i will try
> when I get home to work through this and get it right.
> 
> I will once again report back later...

Well... Progress!

Because I have done so much tinkering and editing of configs (and had
previously even tried the script I mentioned earlier) I was unsure as to
what should be where, so I blitzed every clam* package with yum erase,
ran updatedb and then deleted any and all clam* files and directories
still left. I also deleted the clam* users that had been created
(including a "clamd user that I had created myself), and then
reinstalled the lot.

A quick edit of the freshclam configs and the /etc/clamd.d/scan.conf
file and a call to systemctl enable clamd@scan.service and systemctl
start clamd@scan.service and I am up and running!

Thank you so much.

All is not _quite_ perfect however. In calling clamdscan from my script
(itself called from procmail) I get the error:
ERROR: Can't parse clamd configuration file /etc/clamd.conf

Note the config file and location. In order to get it to work (which it
does), I need to declare clamdscan in my script as:
"/bin/clamdscan -c/etc/clamd.d/scan.conf"

So where does it default to /etc/clamd.conf ? I have grepped the whole
of /etc/* and can't find a reference to this location, and there is
no /etc/sysconfig/clamd as there used to be.

I think this is the last remaining mystery. After I have solved this I
will be a very happy bunny!

Thank you again.

Mark





signature.asc
Description: This is a digitally signed message part
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 07:36 AM, Bill Shirley wrote:
> 
> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>> seems to be missing..."
>>> 
>>> Whatever is the parameter after the @ and before the dot  becomes %i
>>> in the service file.  Look at the service file: [Unit] Description =
>>> clamd scanner (%i) daemon After = syslog.target nss-lookup.target
>>> network.target
>>> 
>>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c
>>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp =
>>> true
>>> 
>>> so clamd@scan.service invokes clamd with the scan.conf file as it's 
>>> configuration file. This way you can have multiple clamd services each
>>> using a different config file.  Just create another config file in 
>>> /etc/clamd.d/my_config.conf and: ln -s
>>> /lib/systemd/system/clamd@.service 
>>> /etc/systemd/system/clamd@my_config.service
>>> 
>>> You should have the /etc/clamd.d/scan.conf I think:
>>> 
>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf 
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>> Thank you Bill for a helpful and, more importantly, informative reply. I 
>> think this will not only help me to solve my problem but, even better, 
>> help me to understand where I was going wrong.
>> 
>> As before, I don't have access to the machine right now, so i will try 
>> when I get home to work through this and get it right.
>> 
>> I will once again report back later...
>> 
>> Thanks again. Your help is much appreciated.
>> 
>> Mark
>> 
>> 
> 
> You mentioned scanning email.  I run clamav-milter and stop the virus at
> smtp time.  You may find this helpful:
> 
> [root@moses clamav]# rpm -qa | grep clam | sort 
> clamav-data-0.97.5-1700.fc17.noarch 
> clamav-filesystem-0.97.5-1700.fc17.noarch 
> clamav-lib-0.97.5-1700.fc17.x86_64 clamav-milter-0.97.5-1700.fc17.x86_64 
> clamav-milter-systemd-0.97.5-1700.fc17.noarch 
> clamav-scanner-0.97.5-1700.fc17.noarch 
> clamav-scanner-systemd-0.97.5-1700.fc17.noarch 
> clamav-server-0.97.5-1700.fc17.x86_64 
> clamav-server-systemd-0.97.5-1700.fc17.noarch 
> clamav-update-0.97.5-1700.fc17.x86_64
> 
> For clamav-milter, I had to add clamilt to the postfix group (usermod -a
> -G postfix clamilt): [root@moses clamav]# egrep 'post|clam' /etc/group 
> mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90: 
> clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:
> 
> 
> Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure to
> comment out above: Example
> 
> ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocket
> /var/run/clamav-milter/clamav-milter.socket ##MilterSocket
> inet:3381 # usermod -a -G postfix clamilt MilterSocketGroup   postfix 
> MilterSocketMode660
> 
> OnInfected  Reject AddHeader   Replace
> 
> #LogFile/var/log/clamav-milter.log #LogFileMaxSize
> 1M #LogTimeyes LogSyslog   yes LogFacility
> LOG_MAIL #LogVerbose no LogCleanBasic 
> LogInfected Full
> 
> Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters =
> unix:/var/run/clamav-milter/clamav-milter.socket #milter_default_action =
> accept milter_default_action = tempfail
> 
> I can't remember if I had to create the directory, but here is that info: 
> [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket 
> drwxr-xr-x. rootrootsystem_u:object_r:var_t:s0   /var 
> lrwxrwxrwx. rootrootsystem_u:object_r:var_run_t:s0 /var/run ->
> ../run drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 
> /var/run/clamav-milter srw-rw. clamilt postfix
> system_u:object_r:clamd_var_run_t:s0 
> /var/run/clamav-milter/clamav-milter.socket
> 
> 
> For clamav, to avoid selinux problems issue command: setsebool -P
> clamd_use_jit on
> 
> Add to end of scan.conf: # my stuff # be sure to commend out above:
> Example
> 
> #LogFile/var/log/clamav/clamd.scan #LogFacility
> LOG_MAIL LogFacility LOG_DAEMON ExtendedDetectionInfo   yes 
> LocalSocket /var/run/clamd.scan/clamd.sock #LocalSocketGroup
> virusgroup #LocalSocketMode660 FixStaleSocket  yes 
> CrossFilesystemsno ExcludePath ^/proc/ ExcludePath
> ^/sys/ ExcludePath ^/fuse/ ExcludePath ^/backup/ 
> ExcludePath ^/bacula/ SelfCheck   3600
> 
> 
> And finally freshclam, add to the end of freshclam.conf: # my stuff 
> LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases yes
> 
> 
> Note in all the clamav configuration file there is a line: Example that has
> to be commented out for the service to run.
> 
> Don't forget to systemctl enable these to services: [root@moses clamav]#
> systemctl is-active clamav-milter.service active [root@moses clamav]#
> systemctl is-active clamd@scan.

Re: cd reader external

[Mikkel L. Ellertson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 11:50 AM, Rick Stevens wrote:
> On 09/19/2012 05:18 AM, Patrick Dupre uttered this comment:
>> Hello,
>>
>> Can I use (mount?) a cd reader from another computer?
>> Both computers are on internet, In aother words can I do a
>> mount 122.255.988.10:/dev/cdrom or similar?
>
> Not really. You can ssh to the remote box, mount the media on the
> remote box, then export that mount from the remote box via NFS or
CIFS.
>
> On your local box, you'd mount the export from the remote box
using the
> appropriate mechanism (NFS or CIFS).
I wounder if ISCSI would let you do this?

Mikkel
- -- 
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBaGgQACgkQqbQrVW3JyMQ/uACcClU5ahcZjmbpVGAO9yrmoONM
F2oAnAu8IcRf1/58x3oJCH7+4u9UOBhS
=ad2h
-END PGP SIGNATURE-

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: [389-users] groupOfURLS, groupOfUniqueNames, and memberURL issues

[Nick Cappelletti]

greg,

The dynamic group is going to be based on a search in the users accounts for 
anyone that has an OU of "supervisor".  There are some other requirements that 
I was looking at, but this about as simple as it gets.

Here is some information about it: 
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Advanced_Entry_Management-Using_Groups.html


Nick Cappelletti
n...@switchtower.com


On Sep 18, 2012, at 5:51 AM, Grzegorz Dwornicki  wrote:

> Let me get your idea right. You want to use static and dynamic group as the 
> same time as 1 group?
> 
> Greg.
> 
> 17 wrz 2012 21:03, "Nick Cappelletti"  napisał(a):
> Hello Everyone,
> 
> I've been banging my head against this one for a few hours and was hoping for 
> some input.  I have a group:
> 
> dn: cn=mxadmins,cn=groups,cn=accounts,dc=int,dc= example,dc=com
> memberURL: ldap:///cn=users,cn=accounts,dc=int,dc= example,dc 
> =com??sub?(ou=Supervisor)
> cn: mxadmins
> description: MX administrators group
> objectClass: top
> objectClass: groupOfUniqueNames
> objectClass: groupOfURLs
> 
> From the documentation I've read, there shouldn't be much more I need to then 
> query that group and pull all the unique members into the list, but 
> unfortunately I'm not getting the results I /think/ I should.
> 
> I'm running an older version of DS: 
> 
> 389 Project
> 389-Directory/1.2.5 B2010.012.2024
> 
> Perhaps that's part of the issue, but if anyone can help point me in the 
> right direction it would be greatly appreciated.
> 
> Nick Cappelletti
> n...@switchtower.com
> 
> --
> 389 users mailing list
> 389-us...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-us...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

UEFI bootkit

[Mike Wright]

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1)  "Writing a bootkit couldn't be an easier task for virus writers with 
the UEFI framework available, much easier than before when they needed 
to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally signed 
UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great!  MS shoots self in foot, others in head.  We saw it coming :/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

mysql-test and mysql-test-run.pl

[Mark Haney]

Can someone tell me why the mysql-test-run.pl file is missing from the 
mysql-test package?  (F17, that is) Most docs on the web indicate that 
the perl script is the way to initiate a test.  Am I missing something?


--

Mark Haney
Software Developer/Consultant
AB Emblem
ma...@abemblem.com
Linux marius.homelinux.org 3.5.1-1.fc17.x86_64 GNU/Linux
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Connect to nfs from iPad -

[Rick Stevens]

On 09/19/2012 04:03 AM, Emilio Lopez uttered this comment:

Does anyone have any experience connecting to an nfs4 server from an
  iPad/


What about using ssh or ftp as server, and find any ios client that
support ssh or ftp?


I believe the browser (Safari) on the iPad will do "ftp://"-style
URLs. I believe there's also Chrome for iPad which will do ftp:// for
certain.

There are some ssh/sftp and plain-old FTP clients available for the
iPad as well, but I don't know if any are free.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
- Warning:  You are logged into reality as the root user...  -
--
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Rick Stevens]

On 09/19/2012 05:18 AM, Patrick Dupre uttered this comment:

Hello,

Can I use (mount?) a cd reader from another computer?
Both computers are on internet, In aother words can I do a
mount 122.255.988.10:/dev/cdrom or similar?


Not really. You can ssh to the remote box, mount the media on the
remote box, then export that mount from the remote box via NFS or CIFS.

On your local box, you'd mount the export from the remote box using the
appropriate mechanism (NFS or CIFS).
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   I haven't lost my mind.  It's backed up on tape somewhere, but   -
-   probably not recoverable.-
--
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: NFS no traslate UID,GID

[Bill Davidsen]

Tiziana Manfroni wrote:

Hi, I haxe a NFS server with NIS on RHEL6.3. When the client mounts a directory
the system doesn't traslate UID e GID but uses nobody.

On server
The /etc/exports :
/users   192.168.114.101(rw,sync)

/etc/default/nfs-common
NEED_IDMAPD=yes

/etc/idmapd.conf
Domain = domainserver
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
Method = nsswitch

/etc/nsswitch
passwd: files nis
group:  files nis

The file /etc/fstab on client is
serverNFS:/users/users   nfs4  rw,bg,intr,soft,sec=sys 0 0

but ls -la /users
drwx--  28 nobody nobody 4096 23 lug 17:24 utente

How can I resolve this problem?


I presume you have idmapd running on client and server.


Thanks
 Tiziana


   
  / /  \   Tiziana Manfroni
 / / /\ \  Dipartimento di Matematica
/ / /\ \ \ Universita' Roma Tre
   / /_/__\ \ \tel : 0657338237
  /\ \ \   fax : 0657338080
  .___\/   e-mail : manfr...@mat.uniroma3.it




--
Bill Davidsen 
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

PackageKit -nogpgcheck?

[Frank Murphy]

How do I turn off the requiremnt for PackageKit to have signed pkgs?

--
Regards,
Frank
"Jack of all, fubars"
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Jack Craig]

plug it in, use lsusb to see what dev ref it enumerates to, then mount that
device.

On Wed, Sep 19, 2012 at 5:18 AM, Patrick Dupre  wrote:

> Hello,
>
> Can I use (mount?) a cd reader from another computer?
> Both computers are on internet, In aother words can I do a
> mount 122.255.988.10:/dev/cdrom or similar?
>
> Thank.
>
> --
> ==**==**==
>  Patrick DUPRÉ|   |  email: pdu...@kegtux.org
> ==**==**==
> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.**org/mailman/listinfo/users
> Guidelines: 
> http://fedoraproject.org/wiki/**Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
>
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

SOLVED - xorg.conf and Nouveau

[Jim]

On 09/19/2012 12:24 AM, Anthony Messina wrote:

On Tuesday, September 18, 2012 05:17:25 PM Jim wrote:

Fedora 17 / KDE

Can I use the nouveau driver in xorg.conf to Lock in the resolution ?.

I have a computer that defaults to 1920x1080 and that resolution is to
high, and I have a older friend that will be using this computer and I
want to Lock into
1280x1024x75 .

I don't want to use the nvidia drivers they are to unstable and nouveau
drivers
are doing a good job on this computer.

Try adding something like the following to your /etc/X11/xorg.conf file, where
the "Identifier" is what you get from `xrandr -q`.

Section "Monitor"
 Identifier   "DVI-I-1"
 Option   "PreferredMode" "1280x1024"
EndSection

Section "Device"
 Identifier  "Device0"
 Driver  "nouveau"
EndSection


-A




Thanks for the initial Info.

After I got it working  I found this a Fedoraproject.

https://fedoraproject.org/wiki/How_to_create_xorg.conf


This did the job:


Section "Monitor"
Identifier  "VGA-1"
Modeline"1280x1024_75.00"  108.88  1280 1360 1496 1712 1024 
1025 1028 1060  -HSync +Vsync

Option  "PreferredMode" "1280x1024_75.00"
EndSection
Section "Device"
Identifier  "Device0"
Driver  "nouveau"
Option  ""
EndSection
Section "Screen"
Identifier  "Primary Screen"
Device  ""
DefaultDepth24
SubSection "Display"
Depth   24
Modes   "1280x1024" "1024x768" "640x480"
EndSubSection
EndSection

Section "ServerLayout"
Identifier  "Default Layout"
Screen  "Primary Screen"
EndSection




-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Arthur Dent]

>
> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>> seems
>>> to be missing..."
>>>
>>> Whatever is the parameter after the @ and before the dot  becomes %i in
>>> the service file.  Look at the service file:
>>> [Unit]
>>> Description = clamd scanner (%i) daemon
>>> After = syslog.target nss-lookup.target network.target
>>>
>>> [Service]
>>> Type = simple
>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>> Restart = on-failure
>>> PrivateTmp = true
>>>
>>> so clamd@scan.service invokes clamd with the scan.conf file as it's
>>> configuration file.
>>> This way you can have multiple clamd services each using a different
>>> config file.  Just create another config file in
>>> /etc/clamd.d/my_config.conf and:
>>> ln -s /lib/systemd/system/clamd@.service
>>> /etc/systemd/system/clamd@my_config.service
>>>
>>> You should have the /etc/clamd.d/scan.conf I think:
>>>
>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>> Thank you Bill for a helpful and, more importantly, informative reply. I
>> think this will not only help me to solve my problem but, even better,
>> help me to understand where I was going wrong.
>>
>> As before, I don't have access to the machine right now, so i will try
>> when I get home to work through this and get it right.
>>
>> I will once again report back later...
>>
>> Thanks again. Your help is much appreciated.
>>
>> Mark
>>
>>
>
> You mentioned scanning email.  I run clamav-milter and stop the virus at
> smtp time.  You may find this helpful:
>
[Snip of some very useful stuff]

Thanks (again!) Bill,

That is very interesting. I have to say however, that my machine is a
simple home system serving web and mail for me and my family only.

I collect mail from (several) ISPs using fetchmail and then procmail to
scan (clamd and spamd) and filter into folders.

I am on a dynamic IP address so, whilst I know it is not impossible,
running my own SMTP operation is more work than I wish to take on at this
time. I have thought about this, but I think it will have to be an
iteresting project for when I retire - in about 10yrs time... (unless you
can convice me otherwise!)

Thanks again

Mark


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Terry Polzin]

On Wed, 2012-09-19 at 14:18 +0200, Patrick Dupre wrote:
> Hello,
> 
> Can I use (mount?) a cd reader from another computer?
> Both computers are on internet, In aother words can I do a
> mount 122.255.988.10:/dev/cdrom or similar?
> 
> Thank.
> 
> -- 
> ==
>   Patrick DUPRÉ|   |  email: pdu...@kegtux.org
> ==

If the host has it NFS exported maybe


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Jim]

On 09/19/2012 08:48 AM, Mark Haney wrote:

On 09/19/2012 08:18 AM, Patrick Dupre wrote:

Hello,

Can I use (mount?) a cd reader from another computer?
Both computers are on internet, In aother words can I do a
mount 122.255.988.10:/dev/cdrom or similar?

Thank.



What exactly are you trying to do?  Maybe there is a better way to 
accomplish what you want.  I've done that very thing with sshfs and 
NFS, but only for RO operations.





  /dev/sr0
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: cd reader external

[Mark Haney]

On 09/19/2012 08:18 AM, Patrick Dupre wrote:

Hello,

Can I use (mount?) a cd reader from another computer?
Both computers are on internet, In aother words can I do a
mount 122.255.988.10:/dev/cdrom or similar?

Thank.



What exactly are you trying to do?  Maybe there is a better way to 
accomplish what you want.  I've done that very thing with sshfs and NFS, 
but only for RO operations.



--

Mark Haney
Software Developer/Consultant
AB Emblem
ma...@abemblem.com
Linux marius.homelinux.org 3.5.1-1.fc17.x86_64 GNU/Linux
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

cd reader external

[Patrick Dupre]

Hello,

Can I use (mount?) a cd reader from another computer?
Both computers are on internet, In aother words can I do a
mount 122.255.988.10:/dev/cdrom or similar?

Thank.

--
==
 Patrick DUPRÉ|   |  email: pdu...@kegtux.org
==
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Bill Shirley]

On 9/19/2012 5:47 AM, Arthur Dent wrote:

"What tells it that it is a "scan" service? That bit of the puzzle seems
to be missing..."

Whatever is the parameter after the @ and before the dot  becomes %i in
the service file.  Look at the service file:
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
Restart = on-failure
PrivateTmp = true

so clamd@scan.service invokes clamd with the scan.conf file as it's
configuration file.
This way you can have multiple clamd services each using a different
config file.  Just create another config file in
/etc/clamd.d/my_config.conf and:
ln -s /lib/systemd/system/clamd@.service
/etc/systemd/system/clamd@my_config.service

You should have the /etc/clamd.d/scan.conf I think:

[root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
clamav-scanner-0.97.5-1700.fc17.noarch

Thank you Bill for a helpful and, more importantly, informative reply. I
think this will not only help me to solve my problem but, even better,
help me to understand where I was going wrong.

As before, I don't have access to the machine right now, so i will try
when I get home to work through this and get it right.

I will once again report back later...

Thanks again. Your help is much appreciated.

Mark




You mentioned scanning email.  I run clamav-milter and stop the virus at 
smtp time.  You may find this helpful:


[root@moses clamav]# rpm -qa | grep clam | sort
clamav-data-0.97.5-1700.fc17.noarch
clamav-filesystem-0.97.5-1700.fc17.noarch
clamav-lib-0.97.5-1700.fc17.x86_64
clamav-milter-0.97.5-1700.fc17.x86_64
clamav-milter-systemd-0.97.5-1700.fc17.noarch
clamav-scanner-0.97.5-1700.fc17.noarch
clamav-scanner-systemd-0.97.5-1700.fc17.noarch
clamav-server-0.97.5-1700.fc17.x86_64
clamav-server-systemd-0.97.5-1700.fc17.noarch
clamav-update-0.97.5-1700.fc17.x86_64

For clamav-milter, I had to add clamilt to the postfix group (usermod -a 
-G postfix clamilt):

[root@moses clamav]# egrep 'post|clam' /etc/group
mail:x:12:postfix
postfix:x:89:clamilt
postdrop:x:90:
clamscan:x:987:clamilt
clamilt:x:988:postfix
clamupdate:x:989:


Add to the end of /etc/mail/clamav-milter.conf:
# my stuff
# be sure to comment out above: Example

ClamdSocket unix:/var/run/clamd.scan/clamd.sock
MilterSocket/var/run/clamav-milter/clamav-milter.socket
##MilterSocket  inet:3381
# usermod -a -G postfix clamilt
MilterSocketGroup   postfix
MilterSocketMode660

OnInfected  Reject
AddHeader   Replace

#LogFile/var/log/clamav-milter.log
#LogFileMaxSize 1M
#LogTimeyes
LogSyslog   yes
LogFacility LOG_MAIL
#LogVerbose no
LogCleanBasic
LogInfected Full

Add to postfix's main.cf:
# usermod -a -G clamilt postfix
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
#milter_default_action = accept
milter_default_action = tempfail

I can't remember if I had to create the directory, but here is that info:
[root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
drwxr-xr-x. rootrootsystem_u:object_r:var_t:s0   /var
lrwxrwxrwx. rootrootsystem_u:object_r:var_run_t:s0 /var/run -> 
../run
drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 
/var/run/clamav-milter
srw-rw. clamilt postfix system_u:object_r:clamd_var_run_t:s0 
/var/run/clamav-milter/clamav-milter.socket



For clamav, to avoid selinux problems issue command:
setsebool -P clamd_use_jit on

Add to end of scan.conf:
# my stuff
# be sure to commend out above: Example

#LogFile/var/log/clamav/clamd.scan
#LogFacilityLOG_MAIL
LogFacility LOG_DAEMON
ExtendedDetectionInfo   yes
LocalSocket /var/run/clamd.scan/clamd.sock
#LocalSocketGroup   virusgroup
#LocalSocketMode660
FixStaleSocket  yes
CrossFilesystemsno
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/fuse/
ExcludePath ^/backup/
ExcludePath ^/bacula/
SelfCheck   3600


And finally freshclam, add to the end of freshclam.conf:
# my stuff
LogFacility LOG_DAEMON
DatabaseMirror db.US.clamav.net
TestDatabases yes


Note in all the clamav configuration file there is a line:
Example
that has to be commented out for the service to run.

Don't forget to systemctl enable these to services:
[root@moses clamav]# systemctl is-active clamav-milter.service
active
[root@moses clamav]# systemctl is-active clamd@scan.service
active

Hope this helps,
Bill



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Connect to nfs from iPad -

[Bob Goodwin - Zuni, Virginia, USA]

On 19/09/12 07:03, Emilio Lopez types:

Does anyone have any experience connecting to an nfs4 server from an
  iPad/

What about using ssh or ftp as server, and find any ios client that
support ssh or ftp?

Emilio.


   My son-in-law installed an application "Filebrowser" on it last
   night so I will see if I can get that to work. According to what I
   found on Google it has worked with Windows and hope it will work for
   me with F-17. Will try that today.

   Bob

   -- 
   http://www.qrz.com/db/W2BOD


   box9

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Connect to nfs from iPad -

[Emilio Lopez]

> Does anyone have any experience connecting to an nfs4 server from an
>  iPad/

What about using ssh or ftp as server, and find any ios client that
support ssh or ftp?

Emilio.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: xorg.conf and Nouveau

[Steven I Usdansky]

From: Anthony Messina 
>To: Community support for Fedora users  
>Sent: Tuesday, September 18, 2012 11:24 PM
>Subject: Re: xorg.conf and  Nouveau
> 
>On Tuesday, September 18, 2012 05:17:25 PM Jim wrote:
>> Fedora 17 / KDE
>> 
>> Can I use the nouveau driver in xorg.conf to Lock in the resolution ?.
>> 
>> I have a computer that defaults to 1920x1080 and that resolution is to 
>> high, and I have a older friend that will be using this computer and I 
>> want to Lock into
>> 1280x1024x75 .
>> 
>> I don't want to use the nvidia drivers they are to unstable and nouveau 
>> drivers
>> are doing a good job on this computer.
>
>Try adding something like the following to your /etc/X11/xorg.conf file, where 
>the "Identifier" is what you get from `xrandr -q`.
>
>Section "Monitor"
>        Identifier   "DVI-I-1"
>        Option       "PreferredMode" "1280x1024"
>EndSection
>
>Section "Device"
>        Identifier  "Device0"
>        Driver      "nouveau"
>EndSection
>
>
>-A

From my xorg.conf file (monitor does not properly report EDID): 

Section "Monitor"

Identifier   "Monitor0"

VendorName   "Monitor Vendor"
ModelName    "Monitor Model"
DisplaySize  432270
HorizSync    30.0 - 86.0
VertRefresh  56.0 - 76.0
ModeLine     "1440x900" 106.5 1440 1520 1672 1904 900 901 904 932 -hsync +vsync
ModeLine     "1680x1050" 147.1 1680 1784 1968 2256 1050 1051 1054 1087 -hsync 
+vsync
Modeline     "1920x1080"  172.80  1920 2040 2248 2576  1080 1081 1084 1118  
-HSync +Vsync
Option    "PreferredMode" "1680x1050"
EndSection

Section "Screen"
Identifier "Screen0"
Device     "Card0"
Monitor    "Monitor0"
SubSection "Display"
Viewport   0 0
Depth     24
Modes    "1920x1080" "1680x1050" "1440x900" "1280x1024"

EndSubSection

EndSection

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Clamd and systemd

[Arthur Dent]

> "What tells it that it is a "scan" service? That bit of the puzzle seems
> to be missing..."
>
> Whatever is the parameter after the @ and before the dot  becomes %i in
> the service file.  Look at the service file:
> [Unit]
> Description = clamd scanner (%i) daemon
> After = syslog.target nss-lookup.target network.target
>
> [Service]
> Type = simple
> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
> Restart = on-failure
> PrivateTmp = true
>
> so clamd@scan.service invokes clamd with the scan.conf file as it's
> configuration file.
> This way you can have multiple clamd services each using a different
> config file.  Just create another config file in
> /etc/clamd.d/my_config.conf and:
> ln -s /lib/systemd/system/clamd@.service
> /etc/systemd/system/clamd@my_config.service
>
> You should have the /etc/clamd.d/scan.conf I think:
>
> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
> clamav-scanner-0.97.5-1700.fc17.noarch

Thank you Bill for a helpful and, more importantly, informative reply. I
think this will not only help me to solve my problem but, even better,
help me to understand where I was going wrong.

As before, I don't have access to the machine right now, so i will try
when I get home to work through this and get it right.

I will once again report back later...

Thanks again. Your help is much appreciated.

Mark


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Samba 3.6.8 released yesterday

[Fernando Cassia]

On Wed, Sep 19, 2012 at 1:04 AM, Rahul Sundaram  wrote:
> Depends. One of the factors would be users asking for it.  File a RFE in
> bugzilla and request it

Thanks Rahul.

FC
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org