Monday, June 6, 2022

Recent Questions - Server Fault

Recent Questions - Server Fault

GCP instance is not able to ping to external server

Posted: 06 Jun 2022 02:09 PM PDT

I have a python script that is executed by a newly created GCP instance every day at a specific time. The instance is destroyed after that. This has been working fine for the past few months.

I noticed that for the past few days the script was not working. The GET endpoint fired from the script was timing out. I tried curl from the GCP instance and that too timed out. In fact, I am not able to even ping the external web server.

I tried recreating the instance but nothing has worked.

I use the default network, default subnet, and default firewall rules. Nothing has changed from my side. Could someone please give me some pointers?

nginx proxy pass w/o changing the URL

Posted: 06 Jun 2022 01:51 PM PDT

I have the following NGINX configuration:

server {    listen80 default_server;  server_name     _;  client_max_body_size 512M;  root   /var/www/html/;  access_log      /var/log/nginx/domain.access.log;  error_log/var/log/nginx/domain.xyz.error.log;    location / {   index index.php index.html; try_files $uri $uri/ /index.php?$args;  }  location ~ \.php$ {     try_files $uri =404;      include fastcgi_params;             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;             fastcgi_index index.php;  }

What I wish to achieve is to be able to create a proxy pass for any website containing a string of letters that would load the content from my default server block.

What I've tried is to set the following:

sub_filter '^domain_to_be_proxied(.*).com/' '$host';  sub_filter '^domain_to_be_proxied(.*).com/' '$host';  sub_filter '^domain_to_be_proxied(.*).com/' '$host';  sub_filter_types *;  sub_filter_once off;  # Passthrough headers  proxy_set_header Host default_domain.com;  proxy_pass_header Content-Type;  proxy_set_header X-Forwarded-Host default_domain.com;  proxy_set_header X-Real-IP $remote_addr;  proxy_set_header Accept-Language $http_accept_language;  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  proxy_set_header Accept-Encoding "";  # Proxy passthrough  proxy_pass ^domain_to_be_proxied(.*).com/';  proxy_redirect ^domain_to_be_proxied(.*).com/'

However, that doesn't seem to work. Could anybody help me with a hint of what I'm messing up?

Getting Errors while starting mod wsgi (Django app) via apache

Posted: 06 Jun 2022 12:56 PM PDT

Starting up a dockerised django application as a mod wsgi app via apache. Getting an endless stream of below errors.

Errors:

2022-06-02 16:05:12.225137 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10992 exit signal Aborted (6)  2022-06-02 16:05:12.225382 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10992): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:05:12.225411 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10992): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:05:12.225433 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10992): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:05:12.227789 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10993 exit signal Aborted (6)  2022-06-02 16:05:12.227856 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10993): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:05:12.227874 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10993): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:05:12.227896 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10993): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:05:12.228150 [info] [pid 10994] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10994): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:05:12.229803 [info] [pid 10995] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10995): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:05:12.230033 [info] [pid 10994] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10994): Initializing Python.  2022-06-02 16:05:12.231306 [info] [pid 10995] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10995): Initializing Python.    Fatal Python error: Can't initialize list type  Fatal Python error: Can't initialize list type      2022-06-02 16:03:45.844931 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10819 exit signal Aborted (6)  2022-06-02 16:03:45.845108 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10819): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:03:45.845125 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10819): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:03:45.845139 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10819): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:03:45.846905 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10820 exit signal Aborted (6)  2022-06-02 16:03:45.846964 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10820): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:03:45.846977 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10820): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:03:45.846988 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10820): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:03:45.847698 [info] [pid 10821] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10821): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:03:45.848454 [info] [pid 10822] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10822): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:03:45.850028 [info] [pid 10822] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10822): Initializing Python.  2022-06-02 16:03:45.850029 [info] [pid 10821] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10821): Initializing Python.  Fatal Python error: Can't initialize xrange type  Fatal Python error: Can't initialize xrange type    2022-06-02 16:03:21.742509 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10771 exit signal Aborted (6)  2022-06-02 16:03:21.742664 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10771): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:03:21.742680 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10771): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:03:21.742695 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10771): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:03:21.744302 [notice] [pid 10002] mpm_unix.c(436): [client AH00052: child pid 10772 exit signal Aborted (6)  2022-06-02 16:03:21.744356 [info] [pid 10002] src/server/mod_wsgi.c(7761): [client mod_wsgi (pid=10772): Process 'in.goibibo.com' has died, deregister and restart it.  2022-06-02 16:03:21.744368 [info] [pid 10002] src/server/mod_wsgi.c(7775): [client mod_wsgi (pid=10772): Process 'in.goibibo.com' terminated by signal 6  2022-06-02 16:03:21.744380 [info] [pid 10002] src/server/mod_wsgi.c(7846): [client mod_wsgi (pid=10772): Process 'in.goibibo.com' has been deregistered and will no longer be monitored.  2022-06-02 16:03:21.745156 [info] [pid 10773] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10773): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:03:21.746628 [info] [pid 10774] src/server/mod_wsgi.c(9381): [client mod_wsgi (pid=10774): Starting process 'in.goibibo.com' with uid=2, gid=2 and threads=30.  2022-06-02 16:03:21.746991 [info] [pid 10773] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10773): Initializing Python.  2022-06-02 16:03:21.750834 [info] [pid 10774] src/server/wsgi_interp.c(2260): [client mod_wsgi (pid=10774): Initializing Python.  Fatal Python error: Can't initialize dict type  Fatal Python error: Can't initialize dict type    My httd-vhosts file has below    ** some code above         WSGIDaemonProcess some.somename.com processes=2 threads=30 display-name=httpd-dummy-name request-timeout=30       WSGIProcessGroup some.somename.com       WSGIApplicationGroup %{GLOBAL}    ** some code below

I am able to ssh into the docker container and do the following

  1. /usr/local/myapp/python2.7/bin/python2.7 manage.py shell. ---> this successfully starts manage.py shell
  2. /usr/local/myapp/python2.7/bin/python2.7 manage.py runserver --> this successfully starts the server at Starting development server at http://127.0.0.1:8000/ and is successfully able to serve requests when i run curl on localhost inside the container

But when i try to run it via apache and mod wsgi it starts giving an endless stream of above errors.

new-compliancesearcaction delete more than 10 mails

Posted: 06 Jun 2022 12:42 PM PDT

Do a stupid mistake from my colleague we need to delete all mails before a specific date. When we do a content search it comes to 5 million emails(many items per mailbox, way more than 10)

Is there another way to delete those mails? we used search-mailbox but that is way way way to slow.

How to use ssh-copy-id on remote server?

Posted: 06 Jun 2022 12:03 PM PDT

I have an ec2 instance which I can connect using this command with the ssh_key.pem file I have.

ssh -i ssh_key.pem ec2-user@54.174.85.61

I am trying to use ssh-copy-id to add the public key I have on my local machine to remote ec2 instance.

ssh-copy-id -i .ssh/id_ed25519.pub ec2-user@54.174.85.61

output:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys ec2-user@54.174.85.61: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

But, it is not working, I guess because I didn't provide any parameter of my private key to connect.

But, I am not able to see any such parameters in the help -h also.

Please suggest how to do so.

Redirecting issues with XAMPP, How can I make https://example.com redirect to https://www.example.com?

Posted: 06 Jun 2022 11:54 AM PDT

I'm using XAMPP to run a apache/php/mysql/wordpress server. I'm trying to understand the rewrite module and it's not making much sense to me because of how I have it configured and the results I'm getting are not expected.

Expected Results:

The following URLs will all get redirected to https://www.example.com.

What I'm Seeing Happen:

The first two work great, it's the third one that does not seem to be working correctly. I'm not really sure how the first one is even working though. I have a vhost configured for ServerName www.example.com:80 and nothing for ServerName example.com:80.

Does anyone have any idea what I have configured incorrectly? Thanks!

Contents of \xampp\apache\conf\extra\httpd-vhosts.conf

<VirtualHost *:80>      DocumentRoot "C:\sites\localhost"      ServerName localhost      ServerAdmin admin@localhost            ErrorLog "C:/xampp/apache/logs/localhost/error.log"      TransferLog "C:/xampp/apache/logs/localhost/access.log"            <Directory "C:\sites\localhost">          Options Indexes FollowSymLinks Includes ExecCGI          AllowOverride All          Require all granted      </Directory>  </VirtualHost>    <VirtualHost 192.168.1.10:80>      RewriteEngine on            ServerName www.example.com:80      ServerAdmin admin@example.com            ErrorLog "C:/xampp/apache/logs/example_com/error.log"      TransferLog "C:/xampp/apache/logs/example_com/access.log"            RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]  </VirtualHost>

Contents of \xampp\apache\conf\extra\httpd-ssl.conf

<VirtualHost 192.168.1.10:443>      SSLEngine on      SSLCertificateFile "C:\certs\example.com\example_com.crt"      SSLCertificateKeyFile "C:\certs\example.com\example_com_decrypted.key"        DocumentRoot "C:\sites\example.com"      ServerName www.example.com:443      ServerAdmin admin@example.com            ErrorLog "C:/xampp/apache/logs/example_com/error.log"      TransferLog "C:/xampp/apache/logs/example_com/access.log"      CustomLog "C:/xampp/apache/logs/example_com/ssl_request.log" \        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"            <Directory "C:\sites\example.com">          Options Indexes FollowSymLinks Includes ExecCGI          AllowOverride All          Require all granted      </Directory>            <FilesMatch "\.(cgi|shtml|phtml|php)$">          SSLOptions +StdEnvVars      </FilesMatch>      <Directory "C:/xampp/apache/cgi-bin">          SSLOptions +StdEnvVars      </Directory>        BrowserMatch "MSIE [2-5]" \           nokeepalive ssl-unclean-shutdown \           downgrade-1.0 force-response-1.0    </VirtualHost>    <VirtualHost 192.168.1.10:443>      RewriteEngine on      SSLEngine on      SSLCertificateFile "C:\certs\example.como\example_com.crt"      SSLCertificateKeyFile "C:\certs\example.com\example_com_decrypted.key"            ServerName example.com:443      ServerAdmin admin@example.com            ErrorLog "C:/xampp/apache/logs/example_com/error.log"      TransferLog "C:/xampp/apache/logs/example_com/access.log"      CustomLog "C:/xampp/apache/logs/example_com/ssl_request.log" \            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"                  RewriteRule ^(.*) https://www.%{SERVER_NAME}$1 [R,L]  </VirtualHost>

Field extraction with rsyslog

Posted: 06 Jun 2022 11:51 AM PDT

I'm trying to create a custom rsyslog template in order to fix bad formatting for some logs sent by truenas. I'm able to extract a specific field, but I don't find how to extract from field number 8 to the end.

What I have so far:

template(    name="remote-incoming-logs-fix-truenas"    type="string"    string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %msg:F,32:4%[%msg:F,32:5%]: %msg:F,32:8%\n"  )  template(    name="dynafile-fromhost-facility"    type="string"    string="/data/rsyslogs/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log"  )    if ($programname == "1" and $FROMHOST startswith "nas") then {    action(      type="omfile"      dynaFile="dynafile-fromhost-facility"      template="remote-incoming-logs-fix-truenas"    )

This work great until the 8th field but I would like to get the 8th and all the others than can follow. After reading the doc, seem like there is no way to do that?

GCP - Internat Aware Proxy (IAP) using only "SSH & TCP Resources" (NOT HTTPS resources)

Posted: 06 Jun 2022 11:22 AM PDT

AIM: Enable a few internal websites (hosted on our GCP VMs) to be accessible to the internet w/o VPN. This access must be able to be manually added on a user-by-user or group basis, using Azure as an identity provider.

Situation: We have a few internal websites (like a password reset page, etc) that we want our remote users to be able to access w/o having to use VPN. I have been playing around in the lab and have been able to make this work using IAP, and a HTTPS load balancer. It actually works better than I expected, and we were able to integrate it w/ Microsoft Azure to provide identity verification and assign people's access via the GCP GUI by adding principals and assigning roles.

The problem is that having to use a HTTPS resource means having yet another certificate that we need to track, renew, etc. We already secure these sites w/ certificates internally, using nginx for ssl termination, so I do not want to add yet another cert into this list.

Goal: I'm hoping to just use a TCP Resource in IAP to forward port 443 to nginx, then have the path continue internally as necessary.

Currently in my test lab this only half works. It's "all or nothing". Either it forwards ALL 443 requests allowing anyone who accesses the page externally to get through, or it's off and forwards no one. I need the ability to just "Add Principals" and assign Azure user's access rights, like I can on the HTTP resource.

Am I just missing something, or is this a HTTPS Resource only option?

Redundant server with internet access

Posted: 06 Jun 2022 10:24 AM PDT

First sorry for the noob question, but I am kind of lost here.

Here is what I have: An N number of workstations that are communicating with private servers. Server 1 is production and server 2 is backup. Usually none of them will need internet access to work.

In case Server 1 fail. User will turn on backup server and workstations must automatically start using it (they are running standard web browser).

At any moment I should be able to SSH from internet to both server 1 and/or 2 for maintenance.

Each server have up to 3 spare ports if I need more than 1 connection/network.

For this what should I use for the "something" device? Or is this whole architecture wrong for may needs?

serverfault

Postfix send email through internet instead of sending through local for same-domain addresses

Posted: 06 Jun 2022 09:55 AM PDT

I have multiple email servers for the same domain, one is a send-only postfix server and one is a email suite hosted by Zoho, but when I try to send an email to an address hosted by zoho it will try to send the mail to itself instead of using the internet

Here is my log

to=service@mydomain.net, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "service")

I want to force postfix to send the mail so that it gets routed through the MX addresses set up in my DNS instead of looking for a local address

stress-ng limit cpu usage for vm stressor

Posted: 06 Jun 2022 09:52 AM PDT

I'm trying to test a server under specific workloads. I'm using stress-ng to simulate a x% cpu load: stress-ng -c 1 -l x

I also trying to use stress-ng to simulate a memory load of x megabytes: stress-ng -vm 1 --vm-bytes xM. This command creates a vm stressor that allocates roughly the amount of memory requested. However, it also generates a 100% cpu utilisation. My guess is that this is due to the stressor continuously accessing the allocated memory to force it to be mapped to real memory.

Is there any way to limit the amount of CPU used by the memory stressor?

Remote port forwarding with google vm

Posted: 06 Jun 2022 09:46 AM PDT

I have a node server running on my local machine and I'd like it to receive requests. However these requests can only go to a public url. I have a google vm that has a public url. I used putty to to create a tunnel between the vm and my machine by using remote portforwarding. Once I start up the ssh connection I also see the confirmation message saying "forwarding port etc etc" However Once I try to send a request over postman to test it out I get a "Error: connect ECONNREFUSED" message.

What could I be doing wrong? The ports on the google vm are open and unused, do I need to configure something else as well?

Apache2 server PHP access to files outside document root

Posted: 06 Jun 2022 11:51 AM PDT

I have a Raspberry Pi that I use to host a web server. I am using apache2 2.4.38, php8.1 and MariaDB 15.1 and I wanted to add a Nextcloud server to it. I am using the web installer version. I already have an external USB HDD with BTRFS connected to the raspberry pi, and I have set it to automatically connect on startup using the /etc/fstab file. All of that is working perfectly. I created a directory on the drive, to store the nextcloud data. I configured the directory to be owned by the www-data user, so that Nextcloud could write to it. But this is where I ran into a problem. Both nextcloud and a simple php test file I made, give permission denied errors. I already have enabled Apache2 access to the directory by adding the following to /etc/apache2/apache2.conf:

<Directory /media/backup/nextcloud>      Options Indexes FollowSymLinks      AllowOverride All      Require all granted  </Directory>

(The drive is mounted at /media/backup and the directory I want to use is /media/backup/nextcloud/data. Both the nextcloud directory and the data directory are owned by www-data, the ones above them are owned by root)

I created a test file to trigger the error without having to re-enter a nextcloud password in the setup wizard every time and the php error log just gives a permission denied error. I got the info from the log using tail -n 20 /var/log/apache2/error.log and this is what the log says (with IP addresses censored of course):

[Sat Jun 04 22:38:46.485149 2022] [php:warn] [pid 1504] [client ____] PHP Warning:  include(/media/backup/nextcloud/data/cheese.txt): Failed to open stream: Permission denied in /var/www/html/sus.php on line 2  [Sat Jun 04 22:38:46.485437 2022] [php:warn] [pid 1504] [client ____] PHP Warning:  include(): Failed opening '/media/backup/nextcloud/data/cheese.txt' for inclusion (include_path='.:/usr/share/php') in /var/www/html/sus.php on line 2

What makes this even weirder to me is that I can read from /usr/share (which is open to apache2 by default) with the same PHP script.

I don't know what to do. The permissions are 770, the directories exist and are writable by www-data, I tested that with sudo -u www-data touch grass.txt. Any help would be greatly appreciated. Thank you in advance!

Details:

  • OS: Raspbian lite 10 (buster), kernel 5.10.103-v7l+
  • Device: Raspberry Pi 4B
  • My PHP test file: <?php include "/media/backup/nextcloud/data/cheese.txt";?>
  • The next cloud server is in /var/www/nextcloud, because I am planning on using a virtualhost in the future. For now, I am using a symlink in /var/www/html/cloud that points to /var/www/nextcloud. I thought maybe the symlink would be the problem, but after some thinking I realised that my test file is in /var/www/html and it has the same problem, so the symlink can't be the problem.
  • Versions of used software:
    • apache2 2.4.38
    • php8.1
    • MariaDB 15.1
  • open_basedir is not set, so that can't be it either

Can you access VM instance in Google Cloud without being root?

Posted: 06 Jun 2022 11:09 AM PDT

I'm trying to access GCP VM instance but I messed it up and now I'm getting this error: sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

but I don't have the root password. Is there a way I can access GCP VM instance as a rot user directly? Without using the command line? Because sudo commands are not working, to use su you need a password

How to convert string to pem?

Posted: 06 Jun 2022 10:12 AM PDT

as part of automation in pipeline.

i am passing the ssh key pem file content as variable value.

The echo seems to show exact content but the file written back is not doing ssh

echo $ADMIN_SERVER_SSH_KEY > $CI_PROJECT_DIR/ssh_key.pem  chmod 400 ssh_key.pem

Below is the context. The ssh_key.pem works fine normally. But, as I am using this in a pipeline of gitlab(or any CI server). I am passing the ssh_key.pem content as a string.

The string value picked in input parameter($ADMIN_SERVER_SSH_KEY) is written to a pem file and when I echo that, the data is identical.But getting permission denied error.

ssh is giving permission denied

Client-side UAC seems to be enough to permit code to be "Run As Administrator" on Windows Server [closed]

Posted: 06 Jun 2022 01:56 PM PDT

I have discovered what seems to be a way for users to run code located in a shared folder on a network server, despite not having permission to do so, and I'm looking for a way to prevent it.

The background:

There is a Windows 2019 Server Essentials machine with some shared folders on it. There are Windows 10 Pro PCs on the same LAN and their users have credentials to access network shares, which do not permit execution of files located on those network shares. (This is accomplished by placing server user accounts - they are all Standard users in the server domain - in groups, and providing permissions to certain folders allowing certain groups to have access. The permissions are applied to the folders, not the shares. I have used Advanced permissions to deny Folder traverse / execute files. I also deny Full Control, Change Permissions and Take Ownership. Apart from that, people can do what they want.)

Some of the PCs users log in to their machines using Windows Standard accounts. Some log in using Admin accounts.

Although the server is configured as a DC, none of the PCs belongs to the server domain. The user accounts which people use to log in to Windows on their PCs are all local to the PC in question. The accounts, and credentials, which they use to access the network shares are distinct from the accounts and credentials they use to log in to their PCs.

The requirement:

If, for example, someone creates a batch file in one of their shared folders and they can execute that batch file, they can, via the commands in the batch file, (potentially) affect things on the server outside of their shared folders. Since no-one (who isn't also a server admin) needs to be able to do that, it is a breach of minimum privilege, which I want to prevent.

The problem:

When someone who is logged into a Windows PC as a Standard user attempts to run such a batch file in any of the usual ways, they get "Access Denied." So far so good. If they try to Run As Administrator, they get challenged for Admin credentials, which they don't have. I am happy that this is secure enough.

By contrast, although if someone who is logged in to a Windows PC as an Admin user attempts to run a batch file on a server share, they get the same "Access Denied" as a Standard user, if they ask to Run As Administrator, they get a simple UAC challenge from the PC, and all they need to do is respond "Yes". At this point, the batch file runs on the server.

So a UAC "Yes" from a (non-domain-attached) PC is enough to cause the server to allow execution of a file on that server, even though the person responding to the UAC hasn't provided credentials to permit file execution on the server.

This seems like a security flaw, albeit that the possible exploits seem (to me) to be pretty limited. But I don't spend much of my time dreaming up security exploits, and other people do it for a living.

Is there any way to make the server enforce its own folder permissions strictly?

Install pip3 on new Ubuntu Server 22.04 install (Raspberry Pi)

Posted: 06 Jun 2022 01:01 PM PDT

I have just installed Ubuntu Server 22.04 LTS on my RPi, and I cannot for the life of me get pip3 to install. (It should already be there, no?)

Here's my /etc/os-releasse:

PRETTY_NAME="Ubuntu 22.04 LTS"  NAME="Ubuntu"  VERSION_ID="22.04"  VERSION="22.04 (Jammy Jellyfish)"  VERSION_CODENAME=jammy  ID=ubuntu  ID_LIKE=debian  HOME_URL="https://www.ubuntu.com/"  SUPPORT_URL="https://help.ubuntu.com/"  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"  UBUNTU_CODENAME=jammy

Here's my /etc/apt/sources.list:

## ...  deb http://ports.ubuntu.com/ubuntu-ports jammy main restricted  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy universe  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-updates universe  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy multiverse  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-updates multiverse  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-security universe  # ...  deb http://ports.ubuntu.com/ubuntu-ports jammy-security multiverse  # ...

I ran # apt update after every change I tried.

I keep running # apt install python3-pip, but it fails with:

Reading package lists... Done  Building dependency tree... Done  Reading state information... Done  Package python3-pip is not available, but is referred to by another package.  This may mean that the package is missing, has been obsoleted, or  is only available from another source    E: Package 'python3-pip' has no installation candidate

And even if I run # python3 -m pip install ansible it gives me:

/usr/bin/python3: No module named pip

I have been trying to manually add entries to the apt sources files (e.g. /etc/apt/sources.list.d/pip.list) but I cannot figure out what the correct entry would look like.
Bonus points for anyone who can tell me how to find the repo for a specific package, and how to format that sources line.

Error with database authentication in Apache Guacamole

Posted: 06 Jun 2022 11:08 AM PDT

I'm setup a new Ubuntu Server 22.04 VM and am following the documentation here:

https://guacamole.apache.org/doc/gug/jdbc-auth.html

Guacamole 1.4 installs fine along with Tomcat9 and Nginx proxy; I can access the site fine with user-mapping.xml

After installing MariaDB, importing the schema files and placing extensions / lib files I am getting an error on the site:

ERROR
An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.

However I am not seeing any errors in Tomcat's catalina log files to further troubleshoot.

Files:
/etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.4.0.jar
/etc/guacamole/lib/mariadb-java-client-3.0.5.jar
/etc/guacamole/guacamole.properties

# Hostname and port of guacamole proxy  guacd-hostname: localhost  guacd-port:     4822    # Allow 24 hours for sign-ins  api-session-timeout: 1440    # Database authentication  mysql-hostname: localhost  mysql-port: 3306  mysql-database: guacamole  mysql-username: guacamole_user  mysql-password: mZWY********9YoA  mysql-server-timezone: America/New_York

I'd appreciate any help with where I'm going wrong and/or locate the necessary log files to troubleshoot.

How to apply new default kube-scheduler config?

Posted: 06 Jun 2022 10:36 AM PDT

Kubernetes version 1.22. Cluster created by kops.

I'm trying to alternate default kube-scheduler config (adding profiles) as descibed here https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration .

apiVersion: kubescheduler.config.k8s.io/v1beta3  kind: KubeSchedulerConfiguration  profiles:    - schedulerName: default-scheduler      pluginConfig:  blah-blah...

But simple kubectl command fails:

kubectl apply -n kube-system -f scheduler-config.yaml  error: unable to recognize "scheduler-config.yaml": no matches for kind "KubeSchedulerConfiguration" in version "kubescheduler.config.k8s.io/v1beta3"

The KubeSchedulerConfiguration is in "kubescheduler.config.k8s.io/v1beta3". Should I use some another command to apply it?

Thank you for any help!

/Serguei

How to install a validated SSL certificate on Ubiquiti UniFi Network Application (Controller) running on Linux

Posted: 06 Jun 2022 12:50 PM PDT

I want to replace the self signed Unifi certificate used for the web interface of the UniFi Network application / server v6.5 (on Ubuntu 18 Linux) with a signed (wildcard) certificate and private key I already have.

Where should I put the private key, where the cert and how do I configure the UniFi Network Application / Controller to use this cert?

I found some information but none of them worked for me or seemed to be ways to complicated.

How to restart the IIS application pool remotely via command line and MSDeploy

Posted: 06 Jun 2022 01:08 PM PDT

I am creating GitHub actions to automatically deploy my website.

I have everything working other than the ability to remotely restart the application pool.

From what I've read, I need to stop the application pool, publish the site, start the application pool

shell: cmd    run: '"C:/Program Files (x86)/IIS/Microsoft Web Deploy V3/msdeploy.exe" -verb:sync -allowUntrusted -source:recycleApp -dest:recycleApp="${{ env.IIS_WEBSITE_NAME }}",recycleMode="StopAppPool",computerName="${{ env.DOMAIN_URL }}:8172/msdeploy.axd?site=${{ env.IIS_WEBSITE_NAME }}",username="${{ env.IIS_SERVER_USERNAME }}",password="${{ env.IIS_SERVER_PASSWORD }}",AuthType="Basic"'

The output from this command is

Info: Using ID '0a153730-a072-4bb1-868e-ae39a3e7659b' for connections to the remote server.
Info: Adding MSDeploy.recycleApp (MSDeploy.recycleApp).
Info: Adding recycleApp (***).
Error: (11/23/2020 7:08:08 AM) An error occurred when the request was processed on the remote computer.
Error: Unable to perform the operation. Please contact your server administrator to check authorization and delegation settings.

I don't know how to work out why this is the case! MSDeploy.exe works fine to deploy the website using the same remote path, username and password.

Do I need to enable remote recycling of application pools on the remote machine? I found the folder where the logs are stored but found nothing useful (although I likely don't know what I am looking for)

I don't know how to make this work. as the output is not telling me what I need to do.

Microsoft Outlook freeze for users on terminal server - Exchange 2013 in-house

Posted: 06 Jun 2022 11:07 AM PDT

This has been ongoing for about six months. Microsoft Support is also clueless.

Periodically (aprox. twice a day [two different users]), Outlook will freeze on a customer's terminal server session, forcing them to force close and start it back up. There is only one symptom that is common between every occurance - CPU usage is stuck at 6%. What's interesting is, the TS had Office 2010 installed, and this happened only to about five users out of the total 45. We tried an upgrade to Office 2013, and now those five users don't experience this problem, but five different users do.

We have about 45 users on a Server 2008 R2 terminal server assigned with 52GB of RAM and 8 CPU cores on a Server 2012 R2 Hyper-V Host (2x Intel Xeon E5-2640).

Outlook is connected to the on-premise Exchange 2013 server - same host, but VM is Server 2012 R2 and has 18GB of RAM assigned with 8 CPU.

This has persisted across two AD domains, three terminal server rebuilds, and two Exchange server installations with new databases per instance. I've rebuilt the Exchange DB, created new DBs, tried to repair mailboxes, etc. Exchange is at the latest CU.

Event logs show nothing in either the Exchange Server or on the Terminal Server in regards to this issue.

Using Apple Configurator 2, Prepare iOS Device Without Updating iOS

Posted: 06 Jun 2022 01:08 PM PDT

I essentially have an updated version of this question: https://apple.stackexchange.com/q/151020/30844

I have an iOS 9.0.2 device. I want to Prepare and Supervise it with Configurator 2 (Apple's new OS X - iOS mobile device management tool), but do not want to update the device to iOS 9.1. With the old Configurator, this was possible (see answer to linked question).

Does anyone know if there is a similar way to do this with the new Configurator 2?

How to enable LDAP over SSL/TLS in AD without installing AD Certificate Services

Posted: 06 Jun 2022 11:07 AM PDT

I am installing a Sonicwall firewall into my organization. I've connected the Sonicwall with the Active Directory domain, however now on the status page of the appliance there is a huge warning:

WARNING: LDAP is being used without TLS - this is highly insecure.

I understand that connection between the FW and the DC is made with clear text and although this is not much of a problem because the Sonicwall and the Domain Controllers are in the local network and in the same subnet, we still want to encrypt the traffic to comply with our regulations.

As I made my search on other forums people are mentioning that I need to apply a certificate to the Domain Controller as per this MS article which is also mentioning the installation of AD Certificate services.

Is there any other way to do encrypt the LDAP traffic without installation of the additional role (AD CS) on the Domain Controller? Installing additional role to the Domain Controller, just for one simple task seems like an overkill to me - like nailing a needle with a sledgehammer.

Also If I am really to install and deploy a Certification Authority to our organization what would be the impact on it? I don't have experience working with it, so are there any implications and/or problems for which I am to be aware of?

Change Block Tracking settings not retained for a VM on VMWare 5.5

Posted: 06 Jun 2022 10:06 AM PDT

I'm trying to enable Change Block Tracking as per this VMWare KB article but the setting ctkEnabled is not being retained in the advanced options or being added to the vmx file.
The setting scsi0:0.ctkEnabled is being retained and I see a file vmname-ctk.vmdk in the datastore. I've verified that the vm doesn't have any snapshots but don't see any other suggestions in the KB (or google, of course.)

Edit:

The last comment on this community post. It's a slightly different circumstance, but suggests that there is an known bug editing these settings in the web-gui.

How to remove the path with an nginx proxy_pass

Posted: 06 Jun 2022 12:33 PM PDT

I have a running web-application at http://example.com/, and want to "mount" another application, on a separate server on http://example.com/en. Upstream servers and proxy_pass seem to work, but for one issue:

upstream luscious {   server lixxxx.members.linode.com:9001;  }    server {    root /var/www/example.com/current/public/;    server_name example.com;      location /en {      proxy_pass http://luscious;    }  }

When opening example.com/en, my upstream application returns 404 not found /en. This makes sense, as the upstream does not have the path /en.

Is proxy_path the right solution? Should I rewrite "upstream" so it listens to /en instead, as it root path? Or is there a directive that allows me to rewrite the path passed along to upstream?

Apache2 / debian wheezy serving only default virtual host

Posted: 06 Jun 2022 10:06 AM PDT

I have seen all other questions around this topic, but none of the answers have worked.

Situation: VPS on 1 IP, debian wheezy 7 running with apache2.

Even simple virtualhost will not work, as named in sites-enabled "www.domain.net":

<VirtualHost *:80> ServerName domain.net ServerAlias www.domain.net DocumentRoot /var/www/domain </VirtualHost>

Output of apache2ctl -S :

VirtualHost configuration:  xx.xx.xxx.xxx:443     is a NameVirtualHost  default server xx.domain1.net (/etc/apache2/conf.d/owncloud5-ssl.conf:1)  port 443 namevhost xx.domain1.net (/etc/apache2/conf.d/owncloud5-ssl.conf:1)  xx.xx.xxx.xxx:80      oc.domain1.net (/etc/apache2/sites-enabled/oc.domain.net:8)  wildcard NameVirtualHosts and _default_ servers:  *:80                   is a NameVirtualHost       default server domain1.net (/etc/apache2/sites-enabled/000-default:8)       port 80 namevhost domain1.net (/etc/apache2/sites-enabled/000-default:8)       port 80 namevhost mail.domain2.net (/etc/apache2/sites-enabled/mail.domain2.net:8)       port 80 namevhost domain2.net (/etc/apache2/sites-enabled/www.domain2.net:1)  Syntax OK

Still is the index.html in /var/www served as the default virtual host (domain1). Which should indeed be the catch all virtual host. But domain2 and subdomains of both domains are not picked up by apache2. All domains have an A-name in DNS setting, all pointing to same public IP. All resolves to this ip and to default virtual host.

NTFS volume GUID

Posted: 06 Jun 2022 11:53 AM PDT

I'm currently experimenting with my own backup software, and just wondered where the NTFS volume GUID (i.e. the one that appears as \?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}) is actually stored, offset wise, on the partition? Is it always at a calculatable offset, or is it part of the $MFT or $Volume record or something like that?

Using nginx: require authentication when request from public IP, not needed when local

Posted: 06 Jun 2022 02:08 PM PDT

I wrote a simple file browser app which is served using node on port 3000. I use nginx as a front-end which proxies this service. This is on my home server.

I would like to be able to require basic HTTP authentication when I'm accessing it over my public IP, but not when I'm at home. I have this configuration:

location /files {    satisfy any;    allow 10.1.0.0/24;    deny all;    auth_basic "Authentication Required";    auth_basic_user_file /etc/access_list;    proxy_pass http://127.0.0.1:3000/;  }

However, this isn't working. When I'm on my home network on the same subnet, it is still requiring me to do the basic HTTP authentication. I had thought the order "allow > deny > auth" paired with "satisfy any" is correct. Am I doing anything wrong here? Is this possible?

User directive in nginx generates error despite running as UID root

Posted: 06 Jun 2022 02:08 PM PDT

I'm running nginx on a MacOS X machine, installed with brew, and when I launch nginx, even with sudo, I get the following warning in my log file over and over again:

4/21/11 2:03:42 AM  org.nginx[3788] nginx: [warn] the "user" directive  makes sense only if the master process runs with super-user privileges,  ignored in /usr/local/etc/nginx/conf/nginx.conf:2

From nginx.conf:

user  jschuur staff;

I'm already launching nginx with sudo, since I want the thing to listen on port 80. Shouldn't that be enough to give it the proper super user privileges?

The nginx binary as it's installed:

jschuur@Glenna:sbin → master ls -la  total 4544  drwxr-xr-x   3 jschuur  staff      102 Apr 12 20:53 .  drwxrwxr-x  15 jschuur  staff      510 Apr 12 15:25 ..  -rwxr-xr-x   1 jschuur  staff  2325648 Apr 12 20:39 nginx

FWIW, I recompiled the binary to set passenger up and moved it around from it's original location into /usr/local/sbin.

Update: As it turns out MacOS X was restarting nginx after I'd stopped it, because the launchd plist in ~/Library/LaunchAgents had set it to 'KeepAlive'. However, because I installed this plist into my local user's LaunchAgents folder as opposed to /Library/LaunchAgents (or better yet /Library/LaunchDaemons, which run before you even log on), it wasn't executed as root. Because of an error about not having permissions to use port 80, it actually exited right away, but still wrote to the same log file as the nginx process I started with sudo. I had thought the errors stemming from the automatic restart were actually coming from my manual restart via sudo.

So, bottom line, problem solved. The real problem here was the homebrew instructions specifically asking you to install the plist file into an area that wouldn't allow a local site to use port 80.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)