IRC Archive / Freenode / #centos / 2015 / September / 20 / 1
ctcx
Finally back.
Bahhumbug: I didn't know egroupware had vulnerability issues.......
Bahhumbug
Dezponia_: Thanks for your feedback.
ctcx: Everything has security issues. Some more than others. egroupware is php (if memory serves) and thus subject to all the craptastic code that php 'developers' churn out.
ctcx
Bahhumbug: ..... is php so bad?
fenrus02
everything has security issues.
if you have a php app, and disable selinux, disable iptables, dont use suhosin / ironbee / mod_security, leave your dbms on the same host as the app, and every other manner of bad practice - dont be shocked when your site is completely hacked in under 90sec.
Bahhumbug
In my opinion and the opinion of this author that points out many of the language's flaws... yes: http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/
All languages can be subverted; it's almost always a point of stupid programming. But php itself is just god-awfully designed.
ctcx
This is very discouraging........
fenrus02
why? if you have a php app, then leave selinux enabled/enforcing, use iptables, use suhosin (et al), put your dbms on another host, etc..
ctcx
As a small brief parentheses, if I wanted to use FreeIPA on another non-RH distro, could I just build it from source? Or is it not guaranteed to work well?
Bahhumbug
Freeipa is not a Red Hat specific thing; it's available for debian and its illegitimate offspring and other distros as well.
         

fenrus02
might want to look at Ipsilon as well then. https://fedorahosted.org/ipsilon/
ctcx
https://www.freeipa.org/page/Frequently_Asked_Questions#What.27s_Available_in_FreeIPA_Now.3F_What.27s_in_the_Pipeline.3F
"Linux (currently Fedora or Red Hat Enterprise Linux)"
(Hell, I *hate* the number 9)
fenrus02
https://packages.qa.debian.org/f/freeipa.html
-alis- #freeipa 152 :http://www.freeipa.org | did you know of ipa-advise? | Try RHEL 7.2 beta which includes FreeIPA 4.2 goodness: http://red.ht/1i65UND
ctcx
I wonder if there are packages for SUSE/openSUSE as well...
Just in case.
Bahhumbug
Google knows all.
And the answer is: yes
ctcx
Yes, I already realized (thanks)
But forgot to mention here.
Er, what would SSSD be for?
"cached logins"?
Bahhumbug
(Action) abuses access
@google sssd purpose
centbot
Bahhumbug: FAQ  SSSD - FedoraHosted.org: <https://fedorahosted.org/sssd/wiki/FAQ>; Features/SSSD - FedoraProject: <https://fedoraproject.org/wiki/Features/SSSD>; SSSD | Orderly Chaos: <https://blog-nkinder.rhcloud.com/?cat=4>; 2.3. How SSSD Integrates with an Active Directory Environment: (2 more messages)
Bahhumbug
@more
centbot
Bahhumbug: <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html>; Mapping local users to Kerberos principals with SSSD - Odd Bits: <http://blog.oddbit.com/2015/07/16/mapping-local-users-to-kerberos-principals-with-sssd/>; Centralized authentication using OpenLDAP - Gentoo Wiki: (1 more message)
Bahhumbug
@more
centbot
Bahhumbug: <https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP>; CentOS " View topic - centos 6.5/sssd and ldap_access_filter: <https://www.centos.org/forums/viewtopic.php?f=17&t=46240>; FreeIPAv2:SSSD/SBUS - FreeIPA: <http://www.freeipa.org/page/FreeIPAv2:SSSD/SBUS>
Bahhumbug
(Don't bother trying it, it's not enabled for others in this specific venue)
ctcx
I finished (kind of) reading the eevee's php article; his credits links seem like other bloggers as well though.
However, don't you think php could have changed a bit in these last 3 years?
Bahhumbug
No. The problems with php step from the fact that the people that implemented the language should not have as they are incompetent.
err, s/step/stem/
fenrus02
ctcx, php has changed in 3 years. that much is true. has it become more secure? no. just different. the above guidelines still apply.
odigem
hi i need help
fenrus02
start by asking what you require assistance _with_ .. dont ask to ask
angular_mike_
what were the default permissions for the /var/log folder?
Incidentally, is there somewhere where all the default folder permissions are listed?
hosler
whats it called when server A caches the website on server B and server A is the only server public facing?
         

angular_mike_
hosler: single point of access?
hosler: facade?
harish: reverse proxy?
hosler: ^^
hosler
hmm ok
thanks
server B is slow and i was thinking i could use the fast internet on server A to publish server B's stuff to the we
web*
weird setup but im bored
angular_mike_
fenrus02: I require assistance with setting /var/log folder permissions to what they were before and insulating myself from not knowing default permissions in the future
fenrus02
angular_mike_, $ rpm -qlfv /var/log |grep ' /var/log$'
angular_mike_
hosler: why not throw out server B out of the picture completely then?
fenrus02: ty
fenrus02
hosler, reverse proxy
hosler
angular_mike_: server B is versatile and useful
and server A might be temporary
angular_mike_
lol, it seems I set them back correctly by guessing
fenrus02
rpm has a --setperms option too if you want it to be automatic.
odigem
i update curl to 7.44 . now when i run yum i got /usr/lib64/libcurl.so.4: undefined symbol: ldap_init_fd
fenrus02
odigem, run this, and if it outputs anything - fix the problems it points out. $ rpm -Va --nofiles --noscripts
odigem
fenrus02: nothing
fenrus02
odigem, how did you update curl? did you do something silly like compile it yourself without using the packages provided?
odigem
fenrus02: no, i add city-fun repo and yum update curl
fenrus02
complain to the wonky repo owner that they've broken their package, and also your installation.
odigem
ok, problem in pycurl. but i no have pycurl
i uninstall it
but python have this module
fenrus02
you've broken your installation.
i'm not sure how to explain it to you in any other way.
LOTS of things require a working curl. you pulled curl from a VERY BADLY BROKEN repo.
@repos odigem
centbot
Additional packages are often in 3rd party repos. Information on additional CentOS repos is available at http://wiki.centos.org/AdditionalResources/Repositories Pay attention to the reference on yum-priorities.
Bahhumbug
odigem: So. You replaced a critical core component with some half-assed package from some repo no one ever heard of and you wonder why things break?
Restore from backups or reinstall and learn from your mistake.
fenrus02: I can explain it. It's unsupported.
There. Done.
fenrus02
Bahhumbug, but that's so succinct that the user will do it again and again and again, returning each time to whinge that it does not work.
Bahhumbug
I don't have access to the repos page on the wiki and I don't feel like requesting it otherwise this would be fixed already.
fenrus02
first i've heard of "city-fun" repo .. known crap?
MerlinTHP
city-fan repo
iirc it isn't stunningly great
Bahhumbug
I've come across it before. It always ends in bloody tears of impotent rage for those that use it.
ctcx
https://fedoraproject.org/wiki/Features/SSSD
"The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, to ease the use of centrally managing laptop users."
"Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling."
Aaahhh.
Ok, understood at least this feature.
When you said "you should have separate servers", did you mean separate physical PC's necessarily, or could it be one PC with an OS in each partition?
ke4nhw
In setting recursive default ACL's is it 'setfacl -Rdm u::rwx g::r o:: /hereonward' or is it 'setfacl -Rm d:u:rwx d:g:r d:o: /hereonward' I'm seeing several examples online and not sure which will give me the result I want.
fenrus02
why are you using setfacl that way? if you want to do that, 'chmod -R 0740 ..' but that's going to be bad. u+x vs g-x is a bad mix
drwx--x--x and drwxr-xr-x make sense. drwxr----- does not
ke4nhw
chmod works, recursively, one time. However when a user writes a new file to the directory it would retain the old settings, right? And on the permissions you're right. I wanted user to have full rights to his file, other members of the group to have only read capability to that file (cannot write to it) and other to have none.
And so it is. I want to set access control lists so that, regardless, the permissions are set consistently all the time, to keep things consistent.
I could see drwxr-x--- is that something that is workable?
The only ways I can accomplish this goal are to either go through and modify the umasks (impractical and a bad idea overall) or force permissions by acl's, that I know of. Are there other workable ways that are better?