Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BrainDance posted:

I have no idea how true it is overall, but I do know just recently on my home server I had to, for the first time ever, install a package from experimental, which felt kinda gross.

If it makes you feel better you can always just install from the upstream repository or make your own package!


NihilCredo
Jun 6, 2011

iram omni possibili modo preme:
plus una illa te diffamabit, quam multæ virtutes commendabunt

Say I have a VPN set up (Mullvad, so it's literally just install package -> `mullvad login` -> `mullvad connect`), and the machine is correctly using it for outgoing connections.

How do I make it so that it's still reachable, *without* the VPN, to incoming connections? I've got the router forwarding HTTPS requests to the machine, and it works fine either (a) if I connect from the local network, or (b) if I disable the VPN.

I think I need to work with the routing rules somehow, but I'm unable to google it because 99% of people want to be able to reach the machine through the VPN, which is not what I want.

mystes
May 31, 2006

NihilCredo posted:

Say I have a VPN set up (Mullvad, so it's literally just install package -> `mullvad login` -> `mullvad connect`), and the machine is correctly using it for outgoing connections.

How do I make it so that it's still reachable, *without* the VPN, to incoming connections? I've got the router forwarding HTTPS requests to the machine, and it works fine either (a) if I connect from the local network, or (b) if I disable the VPN.

I think I need to work with the routing rules somehow, but I'm unable to google it because 99% of people want to be able to reach the machine through the VPN, which is not what I want.
If you're using a sketchy vpn for :filez: you might be better off finding a script that uses namespaces to route specific apps through the vpn

I suck at networking so I'm not sure the best way to do what you're actually asking though

mystes fucked around with this message at 16:49 on Sep 17, 2023

NihilCredo
Jun 6, 2011

iram omni possibili modo preme:
plus una illa te diffamabit, quam multæ virtutes commendabunt

mystes posted:

If you're using a sketchy vpn for :filez: you might be better off finding a script that uses namespaces to route specific apps through the vpn

I'm ok with having every app opening new connections through the VPN, but I also host a couple of cloud services for friends and family, and I want them to stay reachable without having to ask them to install Tailscale.

You deleted the part about editing the wireguard config - is that not possible? The default generated WG config file looks like this:

code:
[Interface]
PrivateKey = < redacted >
Address = < some ipv4 >/32,< some ipv6 > /128
DNS = <another ipv4>

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = < some ipv4 >:<some port>

Volguus
Mar 3, 2009
https://github.com/ausbin/nsdo may help with that. Run openvpn in a namespace and then run whatever program you want to use the VPN in the same namespace.

It's a bit lighter option than full blown containers, which can work as well.

cruft
Oct 25, 2007

NihilCredo posted:

Say I have a VPN set up (Mullvad, so it's literally just install package -> `mullvad login` -> `mullvad connect`), and the machine is correctly using it for outgoing connections.

How do I make it so that it's still reachable, *without* the VPN, to incoming connections? I've got the router forwarding HTTPS requests to the machine, and it works fine either (a) if I connect from the local network, or (b) if I disable the VPN.

I think I need to work with the routing rules somehow, but I'm unable to google it because 99% of people want to be able to reach the machine through the VPN, which is not what I want.

You fiddle with the routing table, to undo what your VPN did for the IP addresses you want to route through your local router.

So like ip route add 317.67.382.96 via 192.168.911.1

Or whatever are the IP addresses for the person outside you want to let in, and your router.

mystes
May 31, 2006

NihilCredo posted:

You deleted the part about editing the wireguard config - is that not possible? The default generated WG config file looks like this:
I think as long as you can specify an ip range to allow through you can just edit the wireguard config (like in this comment: https://www.reddit.com/r/WireGuard/comments/awudup/comment/ehppsqs/?utm_source=share&utm_medium=web2x&context=3) (so if you just want to allow connections from the local network it will work) but if you can't specify an ip range it won't be possible just with the config

NihilCredo
Jun 6, 2011

iram omni possibili modo preme:
plus una illa te diffamabit, quam multæ virtutes commendabunt

cruft posted:

You fiddle with the routing table, to undo what your VPN did for the IP addresses you want to route through your local router.

So like ip route add 317.67.382.96 via 192.168.911.1

Or whatever are the IP addresses for the person outside you want to let in, and your router.

I can't use a whitelist, since people will be connecting from mobile devices and whatever.

Is there no distinction between incoming and outcoming requests in the `ip route` command? If the machine wants to connect to a non-local IP, it should use the VPN - but if the same IP tries to connect to the machine through any other route (on one of the open ports, ie 443), it should be accepted.

mystes posted:

I think as long as you can specify an ip range to allow through you can just edit the wireguard config (like in this comment: https://www.reddit.com/r/WireGuard/comments/awudup/comment/ehppsqs/?utm_source=share&utm_medium=web2x&context=3) (so if you just want to allow connections from the local network it will work) but if you can't specify an ip range it won't be possible just with the config

I'll give this a try, but I don't expect it to work - the router is just a basic-rear end residential router, it doesn't actually proxy the requests so the machine sees the originating IP (which is good since it means I can actually secure it w/ fail2ban and other stuff).

NihilCredo fucked around with this message at 17:13 on Sep 17, 2023

BlankSystemDaemon
Mar 13, 2009



Of course you can do an ACL even if they're connecting from mobile clients; look up the IP and use the VLSM, as well as the ISP's ASN and any other ASNs they have, and then do the same for those.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

NihilCredo posted:

I'm ok with having every app opening new connections through the VPN, but I also host a couple of cloud services for friends and family, and I want them to stay reachable without having to ask them to install Tailscale.

I keep poking at this sort of thing and ending up just asking people to install Tailscale so I get easy auth/access management and it has gone over well so far!

cruft
Oct 25, 2007

NihilCredo posted:

I can't use a whitelist, since people will be connecting from mobile devices and whatever.

Is there no distinction between incoming and outcoming requests in the `ip route` command? If the machine wants to connect to a non-local IP, it should use the VPN - but if the same IP tries to connect to the machine through any other route (on one of the open ports, ie 443), it should be accepted.

You can distinguish lots of things using iptables rules, but that's getting to the level of complexity where I'd need a shell on your machine and a couple hours to sort it out. Maybe someone else ITT can give you quick advice on this one.

E: honestly, you should consider getting a standalone dedicated router with a nice UI for this. Something like MicroTik or OpenWRT.

cruft fucked around with this message at 18:25 on Sep 17, 2023
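The distinction NihilCredo is asking about is not expressed in `ip route` itself but in policy routing plus connection marking: inbound connections that arrive on the LAN interface get a conntrack mark, and a separate routing table sends every packet of those connections back through the LAN router while the host's own outgoing connections keep the VPN's default route. The following is an added example written for this thread, not cruft's or Mullvad's code; it assumes a Linux host using iptables, constructed placeholder values for the interface, subnet and router, that the VPN client's own firewall/kill switch does not drop inbound traffic on the LAN interface, and that its `ip rule` entries sort after priority 100.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing so that connections
# that ARRIVE on the LAN interface are answered back through the LAN router,
# while connections the host ORIGINATES keep the default route the VPN set.
# Assumed/constructed values; override via the environment.
LAN_IF="${LAN_IF:-eth0}"               # interface the router forwards port 443 to
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # local subnet
ROUTER="${ROUTER:-192.168.1.1}"        # LAN default gateway
PORTS="${PORTS:-443}"                  # exposed service ports, comma-separated
MARK=0x1                               # conntrack mark meaning "arrived via LAN"
TABLE=100                              # dedicated routing table
PRIO=100                               # must sort before the VPN's own ip rules (assumed)

# Print the commands instead of running them, so they can be reviewed and
# tested offline, then applied with:  gen_rules | sudo sh
gen_rules() {
    cat <<EOF
# 1. Marked traffic uses a table whose default route is the LAN router.
ip route replace default via $ROUTER dev $LAN_IF table $TABLE
ip route replace $LAN_NET dev $LAN_IF table $TABLE
ip rule add priority $PRIO fwmark $MARK table $TABLE
# 2. Stamp NEW inbound connections on the LAN interface, then copy that
#    connection mark onto every locally generated packet of the same flow;
#    the kernel re-routes packets whose mark changed in mangle OUTPUT.
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PORTS -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark
# 3. Replies leave on $LAN_IF while the main table points at the tunnel,
#    so strict reverse-path filtering on that interface must be relaxed.
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=2
EOF
}

# Checks a reviewer can run before applying anything.
rules_route_via_router() { gen_rules | grep -q "^ip route replace default via $ROUTER dev $LAN_IF table $TABLE"; }
rules_mark_only_new()    { gen_rules | grep -q -- "--ctstate NEW -j CONNMARK --set-mark $MARK"; }
rules_restore_mark()     { gen_rules | grep -q -- "-A OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark"; }
rules_count_ip_rule()    { gen_rules | grep -c "^ip rule"; }
```

Only connections the router forwarded are affected; the host's own new connections never carry the mark, so they still go through the tunnel.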

NihilCredo
Jun 6, 2011

iram omni possibili modo preme:
plus una illa te diffamabit, quam multæ virtutes commendabunt

cruft posted:

You can distinguish lots of things using iptables rules, but that's getting to the level of complexity where I'd need a shell on your machine and a couple hours to sort it out. Maybe someone else ITT can give you quick advice on this one.

E: honestly, you should consider getting a standalone dedicated router with a nice UI for this. Something like MicroTik or OpenWRT.

Ok, I was kind of expecting something like this.

I think I'll first try to go the container route - run the VPN inside a container, then put the apps in a user-space network with it. I fiddled with it for a while and couldn't quite get it to work, but at least I knew where to look, so I'll invest some more time on it before dehumanizing and facing to `iptables-apply`.

Mr. Crow
May 22, 2008

Snap City mayor for life
I don't know why I keep using ACLs, they are absolute trash.

pre:
[my_user@truenas /mnt/main/root/documents/nextcloud]$ chown nextcloud data/
chown: data/: Operation not permitted
[my_user@truenas /mnt/main/root/documents/nextcloud]$ ls -ald data/
drwxrws---+ 3 my_user  local_documents  4 Jan 11  2023 data/
[my_user@truenas /mnt/main/root/documents/nextcloud]$ getfacl data/
# file: data/
# owner: my_user
# group: local_documents
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWc--s:fd----I:allow
user:local_documents:rwxpDdaARWcCos:fd----I:allow
group:local_documents:rwxpDdaARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow
What the gently caress.

Any ideas?

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


Mr. Crow posted:

I don't know why I keep using ACLs, they are absolute trash.

pre:
[my_user@truenas /mnt/main/root/documents/nextcloud]$ chown nextcloud data/
chown: data/: Operation not permitted
[my_user@truenas /mnt/main/root/documents/nextcloud]$ ls -ald data/
drwxrws---+ 3 my_user  local_documents  4 Jan 11  2023 data/
[my_user@truenas /mnt/main/root/documents/nextcloud]$ getfacl data/
# file: data/
# owner: my_user
# group: local_documents
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWc--s:fd----I:allow
user:local_documents:rwxpDdaARWcCos:fd----I:allow
group:local_documents:rwxpDdaARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow
What the gently caress.

Any ideas?

chown is a superuser command, so either elevate to root or sudo it.

waffle iron
Jan 16, 2004
No it's not. You should be able to use chown on any file that is owned by your user or a group you're in.

Mr. Crow
May 22, 2008

Snap City mayor for life

AlexDeGruven posted:

chown is a superuser command, so either elevate to root or sudo it.

Thank you! Guess I shouldn't assume anything about BSD; this was driving me up a wall.

waffle iron posted:

No it's not. You should be able to use chown on any file that is owned by your user or a group you're in.

I think they are right based on

https://man.freebsd.org/cgi/man.cgi?chown

Also the Linux one, which doesn't have this restriction, references it being a BSD thing in the notes:
https://www.man7.org/linux/man-pages/man2/chown.2.html

This seems extremely at odds with everything however, including ACLs having a specific "write_owner" flags https://man.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1&format=html

Is there some sane way to allow this on a dataset / nfs share?

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


waffle iron posted:

No it's not. You should be able to use chown on any file that is owned by your user or a group you're in.

I don't know of any current systems where that's true anymore. Find me one and I'll gladly add an exception to my post.

pseudorandom name
May 6, 2007

Without bothering to do any research:

NFS 4 ACLs are just a copy of Windows ACLs, on Windows that bit is called Take Ownership and if you are granted that permission you can change the owner of the file to your user or one of your groups.

Nobody allows you to give files away to random users.

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


NFS is not what we're talking about here. We're talking about unix file permissions and whether a non-elevated user can execute chown.

I just poked around on my RHEL 9 lab box. I suspected chown was in an sbin, but it's just in /usr/bin owned by root:root. The root group has execute permission, so for fun, I added my user to the group, logged off and back in and tried again. Linux chown is hardcoded to only allow execution by root.

And if you can change the ownership of files via NFS that's fine, because guess who is running the nfsd processes...

Edit: realized I was talking to a different person, ha. Pardon any snark there.

AlexDeGruven fucked around with this message at 03:53 on Sep 18, 2023

Mr. Crow
May 22, 2008

Snap City mayor for life
Been playing around and yup, you're right, not sure how I haven't realized this in 10 years. The hell. Maybe this is why I've been having random ACL issues through the years...

This actually came about migrating my NAS over to a new TrueNAS system. I had set up the MAPROOT to a local user (local_documents), thinking I would be able to chown stuff if needed locally with sudo if I had an ACL on the dataset giving full control of everything to that user. I was then running a bunch of Ansible playbooks that do various ownership and permissions checks and everything started blowing up... So the tasks have become: true, and my old server I had direct SSH access to so sudo actually meant sudo, but I was just running everything against an NFS mount on the same server instead of directly on the new BSD machine out of laziness, and also because I didn't want to start monkeying around adding BSD support to my playbooks when all I was trying to do this weekend was wrap up moving all my crap over and get my Jellyfin server back up.

I guess I'll have to rethink how I have stuff organized and maybe split out dedicated service filesystems from my general datasets of "media", "downloads" and "documents".

cruft
Oct 25, 2007

AlexDeGruven posted:

NFS is not what we're talking about here. We're talking about unix file permissions and whether a non-elevated user can execute chown.

I just poked around on my RHEL 9 lab box. I suspected chown was in an sbin, but it's just in /usr/bin owned by root:root. The root group has execute permission, so for fun, I added my user to the group, logged off and back in and tried again. Linux chown is hardcoded to only allow execution by root.

And if you can change the ownership of files via NFS that's fine, because guess who is running the nfsd processes...

Edit: realized I was talking to a different person, ha. Pardon any snark there.

I didn't believe you and was preparing to write a sample program to illustrate how wrong you were. Step 1: RTFM


TFM posted:

Only a privileged process (Linux: one with the CAP_CHOWN
capability) may change the owner of a file. The owner of a file
may change the group of the file to any group of which that owner
is a member. A privileged process (Linux: with CAP_CHOWN) may
change the group arbitrarily.

This is actually what I expected. Owned by root does not mean suid to root. What does ls -l chown say? Any s in there?

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


I'll have to double check, but I believe there's no extra perms. I'm guessing if you look at the source or run strings against the executable that execute alert is hardcoded.

Skepticism is good, but I was pretty confident on that one after 20+ years, heh.

Yup:

homeserv ~]$ ls -l `which chown`
-rwxr-xr-x. 1 root root 61448 Jan 6 2023 /usr/bin/chown

Maybe some ACL stuff deeper in, but I doubt it, personally. This is RHEL 9.2.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Being able to give away files wouldn’t be great from a security/system-management perspective either.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
There's a whole bunch of security attacks that can be attempted if standard users could re-assign arbitrary files to arbitrary users. If you really need it, just write a script* to do what you need and put it in as a passwordless option in sudoers.

* being really careful to only allow the minimum changes that meet your needs (e.g. limiting user ids and locations/type of files given away) and triple check the script for holes.
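One shape such a script can take, as an added example for this thread (not Pablo Bluth's or anyone's production code): all policy lives in a side-effect-free check that runs before `chown`, so the sudoers entry grants exactly one narrow operation. The sudoers line, the owner allowlist and the base directory are constructed placeholders; the caller identity comes from the `SUDO_USER` variable sudo sets.

```shell
#!/bin/sh
# Added example (not from the thread): a narrowly scoped "give away a file"
# helper intended to be the only command a NOPASSWD sudoers entry permits.
# Assumed sudoers line (placeholder):
#   my_user ALL=(root) NOPASSWD: /usr/local/sbin/giveaway
# Usage (via sudo):  giveaway <new-owner> <absolute-path>

ALLOWED_OWNERS="nextcloud jellyfin"                        # constructed allowlist
ALLOWED_ROOT="${ALLOWED_ROOT:-/mnt/main/root/documents}"   # constructed base directory

# Policy checks only, no side effects. Exit code 0 = within policy.
validate_request() {
    owner=$1; target=$2; caller=${SUDO_USER:-}
    [ -n "$caller" ] || { echo "must be invoked through sudo" >&2; return 1; }
    case " $ALLOWED_OWNERS " in
        *" $owner "*) ;;
        *) echo "owner '$owner' is not in the allowlist" >&2; return 2 ;;
    esac
    # String checks first, before touching the filesystem at all.
    case "$target" in
        "$ALLOWED_ROOT"/*) ;;
        *) echo "path must be under $ALLOWED_ROOT" >&2; return 3 ;;
    esac
    case "/$target/" in
        */../*|*/./*) echo "dot components rejected" >&2; return 3 ;;
    esac
    # Symlinks could point anywhere, including outside ALLOWED_ROOT.
    [ -L "$target" ] && { echo "refusing symlink" >&2; return 4; }
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 5; }
    # A setuid/setgid regular file handed to another user keeps its bits.
    if [ -f "$target" ] && { [ -u "$target" ] || [ -g "$target" ]; }; then
        echo "refusing setuid/setgid file" >&2; return 6
    fi
    # The caller may only give away files it currently owns (-prune keeps
    # find from descending into directories; -user is POSIX).
    [ -n "$(find "$target" -prune -user "$caller" -print 2>/dev/null)" ] \
        || { echo "caller $caller does not own $target" >&2; return 7; }
    return 0
}

give_away() {
    validate_request "$1" "$2" || return $?
    chown -h -- "$1" "$2"      # -h: never follow a symlink, even if one appeared since the check
}

# Run only when invoked as the installed helper, not when sourced for tests.
case "$0" in */giveaway) give_away "$@" ;; esac
```

The check-then-chown window is the remaining hole to keep in mind: a caller who can replace the path between the two steps is why the target directory itself must not be writable by others.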

BlankSystemDaemon
Mar 13, 2009



It looks like chown originally not letting anyone but the super-user give away file permissions was done because user accounting wasn't implemented in 4.1BSD back in the mid-80s.

Of course, this isn't helped by the fact that user accounting was never standardized as part of POSIX or any other standard, and as such remains what can best be described as "a right mess" even today, even if you ignore the security considerations - a fact which seems to have occurred to Keith Bostic in October of 1990, but which isn't part of the POSIX specification, even today.

Also, Mr. Crow - are you sure you want maproot rather than mapall?

ExcessBLarg!
Sep 1, 2001

Subjunctive posted:

Being able to give away files wouldn’t be great from a security/system-management perspective either.
"Here, take this setuid script. I don't need it anymore."

cruft
Oct 25, 2007

I am so confused. I think I completely missed what y'all are talking about, LOL. I thought someone was saying chown needs to be suid root.

I blame this horrible toothache and the resultant 3-day-long headache. Root canal, here I come.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Anyone know the best way to get NUT/UPS shutdown working with an IP based UPS card? I'm using a cyber power RMCARD205 and want to shut down ~10 or so servers/VMs in my lab

Mr. Crow
May 22, 2008

Snap City mayor for life

Gyshall posted:

Anyone know the best way to get NUT/UPS shutdown working with an IP based UPS card? I'm using a cyber power RMCARD205 and want to shut down ~10 or so servers/VMs in my lab

I don't think I had any issues checking NUT over IP in the past; what's the issue? I'm just posting this off memory / phone and some quick conf searches, but I think you just tell upsd.conf to bind to a public address, then you can configure upsmon on your external machines to talk to that host that is actually talking to the UPS, unless this is something else...?


BlankSystemDaemon posted:

Also, Mr. Crow - are you sure you want maproot rather than mapall?

Originally yes, but the more I think about it and run into issues throughout the years, I'm thinking mapall might just be easier and screw it. Wanted multi-user shares and ownership a long time ago for homelab for... reasons... but to be honest I think it's just caused me more grief than anything. Think I'd just rather do that than some maproot with privileged permissions or something.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
I'm installing python3's pip on my TrueNAS SCALE box, because some configuration tool is python based. Looking at the dependencies it needs to install, next to gcc, there's plenty of image and video decoder libraries and such. Uh, why?

waffle iron
Jan 16, 2004
I think SCALE is Debian based. The Debian python3-pip package has recommends of build-essentials and python3-dev. Probably pulling in a bunch of recommends of recommends.

I would tell you to install with the apt argument "--no-install-recommends". Also if you need packages that will only be used by one user, you can install pipx in addition to/in place of python3-pip.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Thanks for the info. I didn't know about that flag. I really only needed pip to install configshell_fb, so that some other config tool needing it could run.

Klyith
Aug 3, 2007

GBS Pledge Week
A year and a half ago ITT I posted this:

Klyith posted:

OTOH the Wayland vs X11 thing still seems inconclusive. I've switched back and forth a few times and both have had problems.
* X11: random loss of icons, incorrect cursors, and other small annoyances that are exactly like I remember from my last desktop linux years ago.
* Wayland: graphical corruption of the WM & desktop, including a weird thing where only 1 of my two monitors could have a desktop at all. App windows drew just fine, so the monitor was still there & functional. But the desktop itself was black with no panels / widgets and right-click didn't draw a menu. Disable + enable cycle in system settings just swapped which monitor had the broken desktop. Entertaining and novel brokenness!

(Note that the reason I would lose a desktop was because my DP monitor occasionally drops signal when resuming from sleep, which makes the GPU think it's been unplugged. This is a monitor problem and it happened on windows too, so only the symptoms after were linux.)

Since then:
1. They fixed the problem of desktop getting broken about a year ago.
2. But some widgets would get positioned weird, and windows resized to the smaller monitor.
3. I just had a cut out and not only did it restore with zero jank, but also re-positioned all windows back to where they were perfectly. I.e. the thing that MS made a Windows 11 exclusive feature bug-fix, which was one of the things that pissed me off enough to try out desktop linux.

Mantle
May 15, 2004

Is there a best way to get Office to run in Fedora? I just installed Fedora on an old MacBook Pro that is no longer getting OSX updates. From what I've seen about Bottles is that everyone just recommends using Office 365 instead or doing something janky like running a headless RDP server to a Windows VM running Office.

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



Mantle posted:

Is there a best way to get Office to run in Fedora? I just installed Fedora on an old MacBook Pro that is no longer getting OSX updates. From what I've seen about Bottles is that everyone just recommends using Office 365 instead or doing something janky like running a headless RDP server to a Windows VM running Office.

If you need Microsoft Office your best bet is going to be as a web app of Office 365. I'm not aware of any way to get it working locally outside of a VM.

F_Shit_Fitzgerald
Feb 2, 2017



Yeah, I use Office365 (although I despise it) for some volunteer work I do through the web app. It sucks but it might be your best shot if you have to use Office in Linux.

F_Shit_Fitzgerald fucked around with this message at 21:01 on Sep 27, 2023

Mantle
May 15, 2004

I guess as an alternative, how is LibreOffice/OpenOffice/FreeOffice with compatibility these days? It's been decades since I've tried but last I did some things like tables didn't work perfectly. Is there a clear winner of the three?

Last Chance
Dec 31, 2004

Mantle posted:

I guess as an alternative, how is LibreOffice/OpenOffice/FreeOffice with compatibility these days? It's been decades since I've tried but last I did some things like tables didn't work perfectly. Is there a clear winner of the three?

They probably work fine/better than ever on local documents but I assume they can’t do sharing of docs with o365 which, in my experience, is rapidly becoming critical in a work environment

Tesseraction
Apr 5, 2009

LibreOffice tends to get a lot of positive feedback and my experiences with it have been fine.


mystes
May 31, 2006

Mantle posted:

I guess as an alternative, how is LibreOffice/OpenOffice/FreeOffice with compatibility these days? It's been decades since I've tried but last I did some things like tables didn't work perfectly. Is there a clear winner of the three?
OpenOffice has been dead for years. LibreOffice is mostly fine but there is always a risk of it screwing up the formatting of a Word document, especially if the formatting is complicated, so I'm not sure I would recommend it if you absolutely need 100% roundtrip compatibility with Office

The web version of Office365 at least probably won't screw up your files, but it is missing a bunch of small functionality so if you're doing something esoteric you may run into things it can't do.

If you need perfect compatibility and don't want to use the web version... you just have to run office in a vm.

mystes fucked around with this message at 21:03 on Sep 27, 2023
