KatolaZ | agl: you should be fine then | 00:13 |
---|---|---|
agl | KatolaZ: It works ... slim does also work ... Thank you! | 00:24 |
aitor | hi | 00:32 |
NewGnuGuy | hello aitor | 00:36 |
KatolaZ | agl: good | 00:37 |
aitor | Katolaz: late for you | 00:39 |
aitor | runit + vdev = 40 seconds boot time | 00:45 |
g4570n | hi aitor | 00:46 |
aitor | hi | 00:46 |
g4570n | aitor #devuan-mx | 00:47 |
agl | good bye ... I'm going to bed | 01:31 |
agris | hello | 10:49 |
agris | i've got a fresh Devuan ASCII install here | 10:50 |
agris | can't use the useradd utility | 10:50 |
agris | useradd: cannot lock /etc/passwd; try again later | 10:50 |
muep_ | how are you trying to use it? | 10:50 |
agris | thing is, nothing is using /etc/passwd right now according to lsof | 10:51 |
agris | and the root filesystem is writable | 10:51 |
jaromil | mmmm, haven't tried to use useradd... strange | 10:51 |
agris | useradd -b /var/mc -c "Minecraft Daemon" -r -R /var/mc -s /bin/rbash -U minecraftd | 10:51 |
jaromil | should work | 10:52 |
agris | __Should__ | 10:52 |
agris | i ran the command with strace | 10:53 |
agris | open("/etc/.pwd.lock", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = -1 ENOENT (No such file or directory) | 10:53 |
agris | however even though the kernel appears to be reporting /etc/.pwd.lock does not exist | 10:54 |
agris | it does | 10:54 |
muep_ | is it doing a chroot? | 10:54 |
agris | -rw------- 1 root root 0 Jun 3 00:17 /etc/.pwd.lock | 10:54 |
agris | no, i'm running useradd as uid0 | 10:54 |
muep_ | but you are using -R /var/mc | 10:55 |
agris | and lsof does not report any process has the lockfile opened | 10:55 |
muep_ | it sounds like it is something that would first chroot into /var/mc and then try to change things | 10:55 |
agris | that's the user's chroot | 10:55 |
agris | not root's chroot | 10:55 |
agris | right? | 10:56 |
muep_ | I have never heard of useradd being able to fully set up a chroot for a user | 10:56 |
jaromil | the -R flag applies all changes in files present inside that directory, so will look for /var/mc/etc/passwd | 10:56 |
muep_ | to me it sounds like -R is there just for being able to manipulate users in a chroot without having to install useradd into the chroot | 10:57 |
agris | oh, i didn't know chroot could automagically set up a chroot for its operation. i thought you had to do that manually first | 10:57 |
jaromil | man says "use the conf files from the CHROOT_DIR (-R)" | 10:57 |
muep_ | this does not really automagically set up anything | 10:57 |
agris | thanks | 10:58 |
jaromil | yes, presumes you have already a chroot setup there | 10:58 |
jaromil | well, thanks anyway for reporting if there would be such a bug at this point (RC close to final) I guess we'd know it, but there are never enough eyes on these things :^) | 10:59 |
agris | while i'm here might as well talk about another potential bug with RC | 11:00 |
agris | i've been using it on a work desktop and personal laptop | 11:00 |
agris | i've noticed on the laptop, i set it to lock when resuming from suspend or screensaver | 11:00 |
agris | however when i open my laptop back up it does not lock for 2 seconds. | 11:01 |
agris | during those 2 seconds anyone is free to click or type things into my session | 11:01 |
muep_ | sounds a bit as if it does not wait for the locking to complete before going to suspend state | 11:02 |
agris | after 2 seconds are up the screen goes to the Xscreensaver login | 11:02 |
jaromil | I use suspend a lot too with xscreensaver lock and simply do the lock *before* suspend | 11:02 |
jaromil | so it comes back locked | 11:02 |
agris | i would assume so | 11:02 |
agris | i usually just close my lid | 11:03 |
agris | run off to the next meeting and open it back up | 11:03 |
agris | is this fixable via a config tweak? | 11:03 |
jaromil | oh, I cannot debug this since i use my own script rather than the lid's trigger | 11:03 |
agris | eg, wait 3 seconds before entering suspend | 11:04 |
agris | state | 11:04 |
jaromil | ... not sure where those lid triggered scripts are myself | 11:04 |
muep_ | waiting three seconds is quite unreliable because it assumes that the suspend will actually complete during that time | 11:05 |
agris | muep_, no, that's just to wait for the locking script to run | 11:05 |
muep_ | e.g. if the system has a workload competing for disk access, the locking could take more than three seconds | 11:05 |
agris | wait for the lock script to give a return code before switching states? | 11:06 |
agris | oh and another thing, the rc-config utility is missing from ASCII and jessie OpenRC | 11:07 |
muep_ | yes if completion of the locking script indicates that the screen is really locked | 11:07 |
agris | while other utilities could be used to supplement the missing rc-config utility's functionality it really is not ideal | 11:08 |
muep_ | I do not know how it really works in devuan's default setup or with xscreensaver in general, but I would not be surprised if the script just exists right after sending some message through some IPC channel to the xscreensaver daemon | 11:08 |
muep_ | s/exists/exits | 11:08 |
agris | What's the best way to implement no shell for a user? | 11:28 |
agris | should i just write a small helloworld-like C program that printf shell access is not permitted, and add it to /etc/shells or is there a specific way of doing that for devuan? | 11:29 |
agris | i noticed /bin/false was not in /etc/shells | 11:29 |
muep_ | you could just not set a password for the account | 11:32 |
agris | yeah, but that wouldn't do much for daemon accounts | 11:32 |
agris | where init can just su - daemonaccount | 11:33 |
agris | i want to be able to launch an executable as a certain user and not have the executable be able to access anything | 11:33 |
muep_ | even if you set its shell configuration to some non-sense shell, it could run su - daemonaccount -c bash | 11:34 |
agris | so even if it gets hacked, it can't spawn a native bash shell or access the rest of the system | 11:34 |
agris | not in a chroot | 11:34 |
muep_ | if it is in a chroot that does not have shells available, it does not matter much what you have for it in /etc/passwd outside the chroot | 11:35 |
muep_ | but normally if someone has an "execute arbitrary code over network" exploit for your service, it can use that to copy in a bash executable (or some smaller shell, or any other program) and then fork+exec that | 11:37 |
agris | yeah, but that is pretty unlikely unless it's a targeted attack | 11:38 |
agris | and they would have to compile it for a certain executable | 11:38 |
agris | and pretty detectable | 11:38 |
agris | if bash was a child process of httpd i'd be pretty worried | 11:38 |
muep_ | AFAIK it can do a few forks and become a child process of init | 11:39 |
agris | or if bash showed up anywhere under the httpd user | 11:39 |
muep_ | but of course it would then usually be running as www-data | 11:40 |
muep_ | I'm getting lost with if you are running a httpd or some minecraft service | 11:40 |
agris | Right now i'm just isolating a minecraft server, but used httpd for simple example purposes | 11:41 |
muep_ | httpd is not a very simple example because it has some security mechanisms of its own | 11:42 |
muep_ | like, you normally start the main process as root but then the daemon itself manages a transition to a safer user that processes data from network | 11:43 |
agris | init forks a daemon process as a different user | 11:44 |
muep_ | typically a program like a game server daemon would not have that built-in. there the usual thing would be to directly start them as non-privileged | 11:44 |
agris | the daemon transition from root to non-root is only needed for low port numbers | 11:44 |
agris | minecraft uses port 25565 so it does not need a root process to bind any ports for it | 11:45 |
muep_ | it would also be needed for many other things, like if the daemon has its own mechanism for setting up a chroot or other confined environment for parts of the service | 11:46 |
muep_ | but indeed your minecraft service likely does not need anything like that | 11:47 |
jonadab | \/w 56 | 12:25 |
ibanja | What Version Control System do Devuan developers use? I am asking because I want to use one for my personal scripting needs, and was curious to see what Devuan chose. | 17:15 |
gnarface | they're using git | 17:24 |
gnarface | everyone's using git these days | 17:24 |
gnarface | https://git.devuan.org/ | 17:25 |
muep_ | even if devuan did choose something else, indeed "everyone" is using git | 17:27 |
fbt | Well it's not the most popular for completely no reason | 17:33 |
fbt | But I'd look into the existing ones and figure out which one fits your use-case better | 17:33 |
fbt | Migrating isn't that much of a pain for personal shit | 17:34 |
fbt | Try things | 17:34 |
muep_ | I'd mostly suggest using something non-git if you already are comfortable with it but still want something else | 17:35 |
muep_ | especially if the motivation for asking is to be able to participate more in the community that writes free software | 17:36 |
ibanja | had to step away... I was thinking of using git too. | 17:51 |
ibanja | anybody tried bazaar? | 17:51 |
muep_ | yes. it is slow and unmaintained and has fewer features than git | 17:52 |
ibanja | muep_ you mention non-git... anything specific in mind? | 17:53 |
muep_ | mercurial is quite reasonable | 17:53 |
ibanja | subversion? | 17:53 |
muep_ | I don't like subversion much also otherwise, but then you additionally need to run a server for it if you intend to use your version control on multiple computers | 17:54 |
ibanja | mercurial is the one I haven't looked into... I'll have to check it out. | 17:54 |
muep_ | I'd think subversion is one of those options where you would be worse off than with bzr | 17:54 |
ibanja | My use case is one user on multiple computers | 17:54 |
ibanja | as in I might be on my laptop or desktop | 17:55 |
muep_ | with either multiple users or multiple computers, it makes sense to pick a distributed VCS | 17:55 |
muep_ | because otherwise you'd tend to need a server. and if you had a subversion server, you would be unable to commit when you are offline on your laptop | 17:56 |
ibanja | ok... good point. I've seen that stated while googling. | 17:57 |
muep_ | I sometimes use RCS for single-file things because it is so cute and simple | 17:58 |
muep_ | but it's not really made for multiple files that belong to the same logical whole, and it is sometimes difficult to predict if I end up needing to split a single-file program into multiple files | 17:59 |
ibanja | looks like I should just go with git. | 18:00 |
muep_ | going with git is often the easy way forward, just because there are so many people using it | 18:01 |
ibanja | I have been using rsync with hard links, but it's a bit tedious | 18:01 |
muep_ | you can use a simple ssh server for synchronising the repos on your laptop and desktop, and there are services that you can use for it | 18:02 |
ibanja | yes. | 18:02 |
ibanja | thanks for the input | 18:03 |
ibanja | now to google for a good git tutorial... :) I've only used it minimally | 18:04 |
mubarak | ibanja: Lynda.com - Git Essential Training | 18:14 |
xrogaan | err | 23:08 |
xrogaan | So, there is no snapd for devuan? | 23:08 |
xrogaan | > https://packages.debian.org/stretch/snapd | 23:08 |
xrogaan | 'cause some software in the repository is buggy and I need a newer version. | 23:08 |
* xrogaan | slowly remembers why he preferred archlinux some years back. | 23:09 |
xrogaan | aaah, snapd requires systemd. Damn it all! Damn it all to hell! | 23:09 |
fsmithred | ok, this is weird - I see snapd in ascii with auto.mirror, but not with pkgmaster | 23:11 |
xrogaan | oh. Right, that is weird. I am on pkgmaster. | 23:12 |
xrogaan | fsmithred: any idea why that would happen? | 23:20 |
fsmithred | xrogaan, I don't know the inner workings of amprolla to understand it, but the two repos use different versions. | 23:22 |
fsmithred | auto.mirror/packages uses the original amprolla, pkgmaster uses amprolla3 | 23:23 |
fsmithred | I guess v3 has a better filter | 23:23 |
xrogaan | should I switch to auto.mirror? | 23:24 |
xrogaan | you know, it would be helpful to have the list of mirrors easily accessible from the website. | 23:25 |
golinux | <fsmithred> I guess v3 has a better filter | 23:26 |
golinux | This ^^^ | 23:26 |
golinux | xrogaan: https://beta.devuan.org/get-devuan | 23:27 |
xrogaan | thanks <3 | 23:27 |
golinux | Maybe not the mirrors you're talking about | 23:27 |
xrogaan | indeed | 23:30 |
xrogaan | heh: http://dpaste.com/11D6YCG | 23:32 |
fsmithred | pkgmaster is better. switching to auto.mirror would not enable you to install snapd. | 23:33 |
fsmithred | oh, I see you got the same message | 23:34 |
xrogaan | no, on pkgmaster snapd wouldn't be present. | 23:38 |
xrogaan | snapd can't work without systemd I presume. | 23:38 |
xrogaan | auto.mirror.devuan.org (2001:41d0:8:2c55::a2) < takes forever to answer :/ | 23:45 |
xrogaan | is it even online? | 23:46 |
fsmithred | I'm getting hits on auto.mirror when I update | 23:49 |
xrogaan | the ipv6 address does not seem to be configured. | 23:51 |
xrogaan | ipv4 works just fine. | 23:52 |