joybuke | Howdy there, I'm trying to respin Devuan as a personal project and want to be able to make it install. Got pretty far with a tool called "respin" and it boots, just want to know how to make it install onto a system as you would on a Debian, Devuan, or Ubuntu Distro. | 06:14 |
---|---|---|
aliceussr | Hello! I detect security issues with packages: exim4, exim4-light - its packages have suid in debian and devuan repositories - it is viruses or trojans! | 07:24 |
clort | thanks for heads up aliceussr | 07:24 |
aliceussr | clort: OK! Please tell about debian security group! | 07:25 |
clort | well idk if a mta agent needs suid | 07:25 |
clort | this looks like a 2016 discussion | 07:25 |
clort | and a 2010 discussion | 07:26 |
clort | https://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html | 07:27 |
aliceussr | The mta agent does not need suid. It works great without it. And with it, he independently changes the logging security settings. | 07:27 |
clort | "as Exim might need to store received messages in user mailboxes, it has to have the ability to regain privileges" | 07:27 |
clort | ok that is understandable | 07:28 |
aliceussr | Ok! Deal with this security issue as you wish. I warned you about the potential danger and compromise of Debian-based systems with exim4 * packages installed | 07:29 |
clort | i'm not seeing that you are informing us of anything new | 07:31 |
clort | but i often don't understand things, so that's perhaps my error | 07:31 |
aliceussr | I did tell you something new: after these packages are installed, the security settings in the system change. | 07:32 |
aliceussr | but i often don't understand things, so that's perhaps my error | 07:32 |
aliceussr | Sorry! I translate. | 07:32 |
aliceussr | I told you something new: after installing these packages, the security settings in the system change. | 07:33 |
clort | what settings changed? | 07:35 |
aliceussr | /var/logs/ | 07:36 |
gnarface | pure FUD | 07:40 |
gnarface | completely normal use of suid | 07:40 |
gnarface | and by far not the only example | 07:41 |
gnarface | and yea, you're gonna have trouble supporting Maildir without it | 07:41 |
gnarface | but feel free to disable it if you only ever deliver mail to root and you don't give a fuck about logs | 07:42 |
clort | seems like a thing that usergroups could be used for. you have a group for mail transfer agent, and make user mailboxes writeable by that? | 07:43 |
clort | and yes, there are quite a few suid userspace packages, that need suid | 07:44 |
aliceussr | Yes, such packages exist, but they do not run in daemon mode and do not have ALL privileges on the system, like exim4 running as root in daemon mode !!!!!!!!! | 07:46 |
aliceussr | Debian and Ubuntu developers have pushed Linux again !!! | 07:47 |
gnarface | it's not though | 08:02 |
gnarface | clort: it doesn't run as root in daemon mode, it drops permissions immediately. he's lying | 08:02 |
aliceussr | suid in daemon mode - root privileges on the system! | 08:04 |
gnarface | aliceussr: if you were serious you'd be reporting it to upstream, we can't do anything about it here anyway | 08:04 |
aliceussr | gnarface: You are right, I'm not very interested in this, since I always check my system for potential threats and fix them, unlike you. You continue to use what you give thoughtlessly. | 08:06 |
gnarface | aliceussr: this is a support channel. unless you need actual help with something, stuff it. | 08:09 |
aliceussr | gnarface: Ok! | 08:09 |
golinux | gnarface: +1! | 08:14 |
Atari-Frosch | On one server: dpkg: error processing archive /var/cache/apt/archives/mariadb-server-core-10.3_1%3a10.3.25-0+deb10u1_amd64.deb (--unpack): trying to overwrite '/usr/bin/my_print_defaults', which is also in package mariadb-server-10.3 1:10.3.23+maria~stretch | 13:42 |
Atari-Frosch | On another it worked. | 13:42 |
Atari-Frosch | mysqld stopped working, but fortunately I was able to start it again without problems. | 13:44 |
Atari-Frosch | Oh, both servers are running Beowulf. | 13:44 |
gnarface | probably an upstream bug, Atari-Frosch but it doesn't sound serious | 13:58 |
gnarface | they're probably the same file | 14:01 |
Atari-Frosch | I see. I hope that it will be OK now with the restart … | 14:15 |
gnarface | well, it might be worth checking for a bug at bugs.debian.org | 14:21 |
gnarface | if anything breaks usually someone posts a temporary workaround | 14:21 |
gnarface | but i can't imagine it would be anything other than "use the other file" | 14:21 |
gnarface | i don't really think a reboot would change things but i don't know | 14:22 |
Atari-Frosch | I'll check bugs.debian.org, thank you. | 14:32 |
Atari-Frosch | It says mariadb is not in Debian … | 14:34 |
xinomilo | you probably have mariadb repo version installed. | 14:36 |
gnarface | hmmm | 14:36 |
xinomilo | can't have both | 14:37 |
xinomilo | this is not from debian : mariadb-server-10.3 1:10.3.23+maria~stretch | 14:38 |
gnarface | hmm, also it's for an older release than current | 14:39 |
gnarface | you're right that bugs.debian.org is curiously free of any mention of mariadb but maybe they push them upstream or something, packages.debian.org shows it definitely present (as does pkginfo.devuan.org) | 14:39 |
xinomilo | mixing repos/versions is not a debian bug | 14:40 |
xinomilo | https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mariadb-server-10.3;dist=stable | 14:43 |
GyrosGeier | 14:01 < gnarface> they're probably the same file | 14:52 |
GyrosGeier | if the file moved, the packages need a Replaces: | 14:52 |
Atari-Frosch | gnarface: So it seems. The server was running under Stretch before, and I remember that in Stretch I had to fetch MariaDB from a different source. The other one, where it worked, had a start installation with Debian Jessie, and before making any installations I brought it to Devuan ASCII, later updated to Beowulf. | 14:57 |
Atari-Frosch | So this only hits hosts which were running Debian (Stretch) before. | 14:57 |
gnarface | Atari-Frosch: just purge them and get the devuan versions, they're probably blocking upgrades too | 15:00 |
Atari-Frosch | This IS the Devuan version of MariaDB, updated over the Stretch version in May of this year. | 15:01 |
gnarface | hmmm | 15:02 |
gnarface | well do this and just make sure all the packages match versions: dpkg -l |grep mariadb | 15:03 |
Atari-Frosch | Uh, funny. When I do this, I get versions from Jessie, Stretch, and Devuan ;-) | 15:05 |
Atari-Frosch | But the older ones are not installed, I cannot remove them. | 15:06 |
Atari-Frosch | Stop, typo. They can. | 15:07 |
GyrosGeier | aptitude should be able to tell you if you have obsolete/local packages | 15:08 |
gnarface | the old listings might be harmless if the left column doesn't say "ii" but they can't be helping anything | 15:10 |
Atari-Frosch | ii mariadb-server-10.3 1:10.3.23+maria~stretch | 15:10 |
Atari-Frosch | But there is no server version from another source as far as I can see. | 15:11 |
gnarface | maybe your config is missing beowulf-security? | 15:12 |
gnarface | https://pkginfo.devuan.org/cgi-bin/d1pkgweb-query?search=mariadb&release=beowulf | 15:12 |
gnarface | it shows up here | 15:12 |
Atari-Frosch | gnarface: Security is in the sources. | 15:12 |
gnarface | hmmm | 15:12 |
Atari-Frosch | deb http://deb.devuan.org/merged beowulf-security main | 15:13 |
gnarface | hmmm, something has to be missing though | 15:13 |
gnarface | i'm seeing it here | 15:13 |
Atari-Frosch | This is what I get with dpkg -l | grep mariadb: | 15:15 |
Atari-Frosch | https://pastebin.com/qbBHMUPm | 15:15 |
Atari-Frosch | BTW, I just tried apt autoremove and it doesn't remove anything. | 15:16 |
gnarface | i would purge everything with ~stretch or ~jessie in the name | 15:16 |
Atari-Frosch | And if the server version gets lost install it anew? | 15:16 |
Atari-Frosch | I mean, I need that server running ;-) | 15:17 |
gnarface | ok, well there's a download-only option for the deb files | 15:17 |
gnarface | for apt-get | 15:17 |
gnarface | just use download-only first | 15:17 |
gnarface | make sure it's coming from the right place | 15:17 |
Atari-Frosch | hm, ok | 15:17 |
gnarface | make sure the other repos *aren't* in the sources anymore, and make sure you don't forget to "apt-get update" first | 15:17 |
gnarface | this is a super common outcome from repo/distro mixing, and the damage could have been much worse | 15:18 |
Atari-Frosch | The other repos aren't in the sources since May, since I updated to Beowulf. | 15:18 |
Atari-Frosch | If there was no update for MariaDB since then, I guess the Stretch version was just kept. | 15:21 |
gnarface | Atari-Frosch: the way it is named might override even later versions though, is the thing. the rules are a little weird | 15:27 |
gnarface | the "+maria~stretch" thing might sabotage 10.5 | 15:28 |
Atari-Frosch | Solution: apt remove mariadb-server-10.3; apt install mariadb-server-10.3 – it was already downloaded, just could not be installed over the Stretch version. | 15:28 |
Atari-Frosch | Now the correct version is running. | 15:28 |
gnarface | cool | 15:28 |
joybuke | Howdy there, asked this last night, but came back today. I am currently working on respin of Devuan just for fun and got it up and running and am now wondering how I can get the OS to do a proper install rather than just being a live cd. I am using a tool called LinuxRespin (https://gitlab.com/remastersys/LinuxRespin), but don't mind learning live-boot if anyone has some good documentation on it. I want it to have an | 18:25 |
joybuke | installer like that of Debian or Ubuntu, but do not mind it just being a script akin to Arch if need be. Thanks for reading and hopefully helping! | 18:25 |
fling | sh: 1: /usr/bin/procmail: Operation not permitted | 18:30 |
fling | but no error when run with strace ^ | 18:30 |
fling | how to debug? :D | 18:30 |
clort | with a debugger? | 18:34 |
fling | clort: with what debugger? | 18:34 |
clort | gdb? | 18:34 |
joybuke | fling try doing chmod +x on the file and see if it works | 19:04 |
joybuke | might need sudo for it | 19:04 |
fling | joybuke: I don't want to +x it | 19:05 |
fling | joybuke: also not going to run procmail as root | 19:05 |
joybuke | you don't need to, it's in your /usr/bin | 19:05 |
joybuke | it's just making it executable | 19:05 |
joybuke | so you can run it as a user | 19:05 |
fling | I can run it as user | 19:05 |
joybuke | then what is your goal? | 19:06 |
fsmithred | joybuke, I'm not sure if anyone is still using live-build with devuan. You could check at the forum. | 19:06 |
fling | joybuke: to run in the regular way without strace or anything | 19:06 |
fsmithred | Maybe Crows is made that way. Star used to be made that way but now uses live-sdk. | 19:06 |
fsmithred | Here's a way to do what you want (make a live iso that has the debian(devuan) installer) | 19:07 |
fsmithred | https://dev1galaxy.org/viewtopic.php?pid=25396#p25396 | 19:07 |
joybuke | ey thanks for pointing me in the right direction | 19:07 |
joybuke | mind also spoonfeeding me the documentation on live-sdk? | 19:08 |
fsmithred | there's probably still documentation in aitor's fork, but it's probably outdated. He made a lot of changes. | 19:08 |
joybuke | got a link? | 19:08 |
joybuke | or some search term I should be looking up? | 19:09 |
fsmithred | https://git.devuan.org/devuan-sdk/live-sdk | 19:09 |
fsmithred | that's the official live-sdk | 19:09 |
joybuke | ah, didn't know it was official | 19:09 |
fsmithred | see the forum link for aitor's fork that includes debian-installer | 19:09 |
joybuke | how did I miss this? | 19:09 |
fsmithred | that's how we make the live isos | 19:09 |
joybuke | gotcha | 19:10 |
fsmithred | and here's the horribly outdated devuan live-build: https://git.devuan.org/devuan/live-build | 19:10 |
fsmithred | no clue if it works, but if you want to try to fork a current live-build, it might be helpful | 19:11 |
joybuke | I built my own live build, just need an installer to get it into a system for good | 19:11 |
fsmithred | if you want the standard debian-installer (what our installer isos use) then look at those links. There's a way to do it with live-build. | 19:12 |
fsmithred | If you just need some installer, there's refractainstaller in the repo and also calamares. | 19:12 |
joybuke | neato. Will write those down and look for documentation | 19:13 |
fsmithred | documentation for refracta tools is at refracta.org or ask me. I'm the author. | 19:13 |
joybuke | didn't know I was talking with a dev, good to know you're here if I need help. | 19:14 |
fsmithred | my installer doesn't do lvm or raid. I don't know if calamares does those things. | 19:14 |
fsmithred | although there's a way to use my installer if you do some manual stuff to get lvm or raid ready. | 19:15 |
golinux | s/he didn't want a live cd | 19:15 |
joybuke | lvm would be nice, but not needed. The OS is mainly going to be one I give out to friends who I want to introduce to Linux | 19:15 |
joybuke | basically a grower distro akin to mint but with less GUI stuff and no systemd | 19:15 |
joybuke | just a small hobby project | 19:15 |
fsmithred | yeah, they will probably do single partition | 19:15 |
fsmithred | read about refractasnapshot. It's a different work flow. You install a system (hardware or VM) and configure it how you want, and then it makes the live iso from the running system, with your config changes. | 19:17 |
joybuke | that's likely more my speed | 19:17 |
joybuke | newbie to the whole remixing thing | 19:17 |
fsmithred | WYSIWYG | 19:17 |
joybuke | just dipping my toes in to eventually get into things like gentoo and LFS | 19:18 |
unixbsd | On xfce4, there is magical pulseaudio, coming from gnome and modern desktop ecosystem. How to launch festival? echo "test "| festival --tts does not work! | 19:18 |
fsmithred | apt purge pulseaudio? | 19:22 |
fsmithred | just a guess | 19:22 |
fsmithred | unixbsd, I can confirm that your test command does not work in the absence of pulseaudio. I don't have a way to test it with PA. | 19:37 |
fling | which package for poppler? | 19:38 |
fsmithred | poppler-utils? | 19:38 |
fsmithred | apt-cache search poppler | 19:38 |
fling | thanks | 19:38 |
unixbsd | we haven't a virtual machine of devuan on the web? maybe a little devuan live might have PA to test. | 19:39 |
unixbsd | Actually, PA is pretty handy to use. It helped me to use microsoft ms teams. | 19:39 |
fsmithred | lol | 19:39 |
fsmithred | ok, I don't need that. | 19:39 |
fsmithred | yeah, I could try in a VM, but something is wrong here | 19:40 |
fsmithred | It's not installing all that it needs. | 19:40 |
fsmithred | and it can't find files | 19:40 |
fsmithred | like /usr/share/festival/dicts/cmu/cmulex.scm | 19:41 |
fsmithred | added festlex-cmu and I get less error | 19:42 |
fsmithred | lexicon english_poslex not defined | 19:43 |
fsmithred | installed festlex-poslex and it works. | 19:44 |
fsmithred | ok, that's extremely creepy - it sounds like my voice | 19:44 |
fsmithred | unixbsd, any luck? | 19:50 |