IRC chat logs for #ltsp on irc.freenode.net (webchat)


Channel log from 30 May 2016   (all times are UTC)

03:05jenna has joined IRC (jenna!~JJones@unaffiliated/jenna)
03:12jenna has left IRC (jenna!~JJones@unaffiliated/jenna)
03:33vagrantc has left IRC (vagrantc!~vagrant@unaffiliated/vagrantc, Quit: leaving)
03:49
<alkisg>
sbalneav: how do you know the uid/gid before ssh'ing ?
03:50
We could have a generic ltsp user, with the necessary uid/gid, and after ssh'ing, we could change its name to $USER
05:02ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
05:04alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Ping timeout: 260 seconds)
05:31kjackal has joined IRC (kjackal!~quassel@2a02:587:3117:9e00:e99a:932b:586b:399f)
06:15kjackal has left IRC (kjackal!~quassel@2a02:587:3117:9e00:e99a:932b:586b:399f, Ping timeout: 260 seconds)
06:32lmds_ has left IRC (lmds_!~lmds@tui.pi-et-ro.net, Ping timeout: 244 seconds)
07:01alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg)
07:05kjackal has joined IRC (kjackal!~quassel@onopfy.static.otenet.gr)
07:05ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
07:07kjackal has left IRC (kjackal!~quassel@onopfy.static.otenet.gr, Remote host closed the connection)
07:37gvy has joined IRC (gvy!~mike@altlinux/developer/mike)
07:54bennabiy has left IRC (bennabiy!~bennabiy@unaffiliated/bennabiy, Ping timeout: 264 seconds)
08:07bennabiy has joined IRC (bennabiy!~bennabiy@unaffiliated/bennabiy)
08:15kjackal has joined IRC (kjackal!~quassel@onopfy.static.otenet.gr)
08:38zamba has left IRC (zamba!marius@flage.org, Ping timeout: 252 seconds)
08:53kjackal has left IRC (kjackal!~quassel@onopfy.static.otenet.gr, Remote host closed the connection)
08:56kjackal has joined IRC (kjackal!~quassel@onopfy.static.otenet.gr)
08:56Statler_ has joined IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de)
09:06zamba has joined IRC (zamba!marius@flage.org)
09:08gvy has left IRC (gvy!~mike@altlinux/developer/mike, Ping timeout: 244 seconds)
09:19gvy has joined IRC (gvy!~mike@altlinux/developer/mike)
10:09lbssousa has joined IRC (lbssousa!~lbssousa@177.143.31.237)
10:37uXus has left IRC (uXus!~uXus@217.77.222.72, Ping timeout: 244 seconds)
10:38uXus has joined IRC (uXus!~uXus@217.77.222.72)
10:59railr has joined IRC (railr!29a246ea@gateway/web/freenode/ip.41.162.70.234)
11:00
<railr>
yo
11:03kjackal has left IRC (kjackal!~quassel@onopfy.static.otenet.gr, Ping timeout: 276 seconds)
11:14railr has left IRC (railr!29a246ea@gateway/web/freenode/ip.41.162.70.234, Quit: Page closed)
11:17ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
11:25Faith has joined IRC (Faith!~paty_@unaffiliated/faith)
11:37ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
11:53kjackal has joined IRC (kjackal!~quassel@2a02:587:3117:9e00:9c80:c571:6c79:bdb6)
12:46_longines has joined IRC (_longines!~longines@static.183.80.201.138.clients.your-server.de)
12:50Phantomas has joined IRC (Phantomas!~ftsamis@ubuntu/member/phantomas)
13:41
<sbalneav>
alkisg: If you look down at the bottom of that python authenticator, during the authentication phase, it actually grabs the userid and groupid.
13:41
Over the ssh connection.
13:41
But I've thought of a better way, so... :D
14:44
<alkisg>
sbalneav: ah, I was still thinking with the shell context of "ssh -M", master socket created with the user's uid/gid before knowing them,
14:44
but do you mean that paramiko supports creating the master socket _after_ the connection is established?
14:45
<sbalneav>
The authentication happens, and you've got a ssh connection
14:45
<alkisg>
Running as root, right?
14:46
<sbalneav>
Correct
14:46
<alkisg>
Err or lightdm?
14:46
<sbalneav>
Root.
14:46
<alkisg>
OK
14:46
At what point will the master socket be created?
14:47
<sbalneav>
After we bring across the information needed to start the master socket
14:47
i.e. the uid and gid of the user that we've authenticated as.
14:47
<alkisg>
And you'll do a second ssh connection using the stored user/pass?
14:47
<sbalneav>
Right, we're still in the auth phase, so we have access to the userid and password.
14:48
<alkisg>
OK so you create a new user first and then spawn the ssh command with that uid/gid
14:48
<sbalneav>
right
14:49
Then we can bring over all the group information later via the master socket
14:49
Or, I suppose, we could bring it all over at the same time.
14:49
<alkisg>
Yeah it would be better to have all the user info before any processes start
14:51
<sbalneav>
That shouldn't be hard, since we've now got access to scripting. We can plumb the master socket, pull over the userid and groupid information, all while still in the authentication phase in pam.
14:52
That's the power of pam-external
14:52
<alkisg>
pam_exec can exec scripts and pass the password to their stdin, but it's less general than pam-external...
14:52
<sbalneav>
right.
14:52
And it *can't* do the authentication itself.
14:53
pam-external's one-stop-shop
14:53
<alkisg>
I meant that you could change the original pam-sshauth .c implementation to do something similar to pam_exec, and we would have shell scripting in ltsp then,
14:53
but it would only be enough for the ltsp needs, it wouldn't be as generic as you envisioned it :)
14:55adrianorg has left IRC (adrianorg!~adrianorg@189.58.226.223.dynamic.adsl.gvt.net.br, Ping timeout: 240 seconds)
14:55
<sbalneav>
Right, I want a general purpose tool that ANYONE can use; if we're going to exert effort, we should (wherever possible) produce tools that benefit everyone, instead of tools that just benefit us. The bits that "just affect us" should be scripts that don't require huge amounts of work. The pam-external could (potentially) be used by LOTS of people, which means that we'll (hopefully) have far more eyes looking at it.
14:57adrianorg has joined IRC (adrianorg!~adrianorg@177.134.57.76)
14:58
<sbalneav>
With, of course, commensurate bug fixes, feature improvements, etc :D
15:00
<alkisg>
Yup, it's a nice approach. Sometimes there's the opposite danger of overengineering / making things too complicated / never finishing projects, but hopefully ltsp 6 will be finished soon (tm)! :D
15:05
<sbalneav>
If this all goes "The Way I Envision It" (R) (TM), we're going to take a bunch of stuff now (ldm, libpam-sshauth, etc) which is very custom, and very hard to maintain, and replace it with much smaller ((pam/nss)-external) lightdm-webkit-greeter, etc) bits that are easier to maintain, and the glue will be the stuff we've already got competency with: scripting. We're going to make LTSP much more "lego-like", and I can't see that that's anything other than "a good thing"
15:13
<quinox>
sounds great
16:14gvy has left IRC (gvy!~mike@altlinux/developer/mike, Quit: Leaving)
16:30
<alkisg>
stgraber: `ubuntu-upload-permission -a epoptes` says it's in the edubuntu packageset so I can upload it
16:30
But `ubuntu-upload-permission -a ltsp` says it's in the ubuntu-desktop packageset so I can't upload it
16:31
...I think you did give me the necessary rights and I did upload ltsp to xenial, but I'm somewhat confused now, do I still have enough rights to upload new versions to e.g. yakkety?
16:31
Or does ltsp need to go to the edubuntu packageset?
16:32
Or do I need to apply as a per-package uploader for ltsp?
16:32
<stgraber>
Hmm, maybe someone ran the packageset script and broke things again
16:35
alkisg: oh and I'm no longer on the DMB so I can't fix it for you :(
16:35
<alkisg>
:)
16:36
stgraber: what steps should I do now? Ping someone? File some bug report? Apply as a per-package uploader?
16:36
<stgraber>
alkisg: any chance you can e-mail devel-permissions@lists.ubuntu.com and ask for ltsp, ltspfs and ldm to be put in the edubuntu packageset as this isn't actually shipped by anyone else?
16:36
<alkisg>
Sure, thanks a lot, doing so...
16:36
<stgraber>
alkisg: I'm reasonably sure it's a bug in the update script, but someone needs to fix it :)
16:45vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)
16:51Faith has left IRC (Faith!~paty_@unaffiliated/faith, Ping timeout: 244 seconds)
16:51Faith has joined IRC (Faith!~paty_@200.144.182.219)
17:02Faith has left IRC (Faith!~paty_@200.144.182.219, Ping timeout: 244 seconds)
17:15Faith has joined IRC (Faith!~paty_@143.107.231.49)
17:31Statler_ has left IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de, Read error: Connection reset by peer)
17:32
<Leolo_2>
the socket's uid/gid can be changed after it is created
17:33
or not?
17:37
<sbalneav>
root@ltsp20:~# ssh -MNn -S /tmp/foop -l sbalneav server
17:37
root@ltsp20:/tmp# ls -la /tmp/foop
17:37
srw------- 1 root root 0 May 30 12:37 /tmp/foop
17:38
root@ltsp20:/tmp# chown sbalneav:sbalneav /tmp/foop
17:38
root@ltsp20:/tmp# ls -al /tmp/foop
17:38
srw------- 1 sbalneav sbalneav 0 May 30 12:37 /tmp/foop
17:38
sbalneav@ltsp20:~$ ssh -S /tmp/foop server date
17:38
sbalneav@ltsp20:~$
17:38
multiplex uid mismatch: peer euid 1111 != uid 0
17:38
No. You can't
17:38
you have to setuid before you ssh
17:43Statler_ has joined IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de)
17:45
<sbalneav>
vagrantc: Do GPL headers need to be in shell scripts? I'm guessing yes?
17:46Statler_ has left IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de, Read error: Connection reset by peer)
17:46Statler_ has joined IRC (Statler_!~Georg@mail.lohn24.de)
17:50
<Leolo_2>
what version of ssh is that?
17:52
because chowning the socket works on 5.3p1
17:53
<sbalneav>
openssh-client 1:6.7p1-5+deb8u1
17:56
<Leolo_2>
if ((euid != 0) && (getuid() != euid)) {
17:56
hmmm
17:59
<sbalneav>
It's not a problem, we just need to grab the uid and gid from the remote server before we spawn the ssh, and setgid and setuid to that before spawning the ssh master socket.
18:01
<alkisg>
One way to implement localapps/remoteapps (and general client/server communication) is through the ssh stdio
18:01
E.g. instead of plain echo LTSPROCKS, to run an "ltsp-session" script that keeps reading from a server-side socket for commands, and echoes them to stdout
18:02
Then the client side script can launch the ltsp-localapps processes
18:02
So, if the client side is already setuid/setgid, and even has all the user groups, it's much easier to properly spawn the localapps command
18:02
<sbalneav>
Right.
18:02
<alkisg>
...an additional benefit to do it like sbalneav says :)
18:03
<sbalneav>
:D
18:04
alkisg: So, you know nss-extrafiles, right?
18:04
<alkisg>
sbalneav: vagrantc has worked with pam; I declare that I'm completely n00b with it :)
18:04
I've heard of nss-extrafiles, I know what it's supposed to do
18:04
But I think it didn't include system groups?
18:04
<sbalneav>
http://pastebin.com/txjBzu6r
18:05
nss-external + that shell script = nss-extrafiles, with the added benefit that you can have MULTIPLE passwd and/or group files.
18:06
<alkisg>
Woah... /me needs some time to digest that...
18:06
<sbalneav>
So, if you have a terminal, and multiple people log in, you can save each of their passwd and group information in *separate* files, which makes cleaning them out without affecting other users dead simple; just delete the file.
18:06
No 'grepping' through a single file to remove the lines you're interested in :D
18:08
<alkisg>
OK I can understand the end result, but I'm again missing a lot of background information
18:08kjackal has left IRC (kjackal!~quassel@2a02:587:3117:9e00:9c80:c571:6c79:bdb6, Ping timeout: 260 seconds)
18:09
<alkisg>
nss is supposed to be able to provide passwd-like lists, either whole lists or single entries?
18:09
And group lists too?
18:09
<sbalneav>
right.
18:09
so nss-external's like pam-external
18:09
<alkisg>
What if it returns duplicate entries etc?
18:09
<sbalneav>
That's what the ;exit does in the awk script; guarantees it only returns the first match.
18:10
<alkisg>
Suppose that user1 logs in to server1 with uid=1000, and user2 to server2 with uid=1000, and nss-external is asked to return all the entries
18:10
<sbalneav>
That's a problem.
18:11
But that's a problem anyway, since you've now got a server that's got user1 and user2 able to attack each others files.
18:11
So you'd want to avoid that situation anyway.
18:11
<alkisg>
OK, but what part converts the passwd-like information to structures and lists etc? Is it your own code, or some nss library?
18:12
Hmm I think glancing through nss-external's code would help me with that... /me reads...
18:13
<sbalneav>
alkisg: My code. The nss-external library
18:13
<alkisg>
!learn ltsp-git as https://code.launchpad.net/~ltsp-upstream/+git
18:13
<ltsp>
The operation succeeded.
18:14
<sbalneav>
it parses text lines into passwd, group, and shadow structures.
18:14Phantomas has left IRC (Phantomas!~ftsamis@ubuntu/member/phantomas)
18:14
<sbalneav>
cool, I can make that script even simpler :D
18:17
<alkisg>
OK so nss is stackable, and you've implemented some interface that it expects, and you call the shell script and expect it to provide passwd-like entries...
18:17
<sbalneav>
you got it!
18:17
<alkisg>
And the group will be symlinked like "group" or "passwd" so that it looks in the correct subdir
18:17
*the script, sorry
18:17
<sbalneav>
Yup, exactly right.
18:18
<alkisg>
Pretty cool!
18:19
<sbalneav>
You begin to see why I'm kinda excited about all this :D
18:20
<alkisg>
sbalneav: what happens when `getent passwd` is called?
18:20
nss tells to all the stackable modules to list all their users?
18:20
<sbalneav>
then /etc/nss-external/passwd is called with no arguments
18:20
<alkisg>
But which part does the final "merge"?
18:20kjackal has joined IRC (kjackal!~quassel@2a02:587:3117:9e00:9c80:c571:6c79:bdb6)
18:20
<sbalneav>
alkisg: The operating system
18:20
<alkisg>
No no behind the scenes, not at the script level
18:20
<sbalneav>
that's done as part of the entire NSS services. It's "invisible" to you
18:21
<alkisg>
So nss by itself has _some_ support for "multi-" modules/scripts/files...
18:21
<sbalneav>
they're all merged together.
18:21
<alkisg>
But when `getent passwd specific-user` is called, it stops at the first module that it replies that it knows the user?
18:21
<sbalneav>
right, it will automatically merge all of the nss methods together; compat, ldap, external, etc.
18:21
hmmm, not sure.
18:22
I'd have to test
18:22
<alkisg>
Ah probably not, unless [NOTFOUND=return] is inserted between "compat" and your nss module
18:22
Err FOUND=return... hmm ok anyway I got it
18:23
I'm just not sure if it would be simpler to fake a simple ldap server from the passwd entries instead
18:24
That way we would only need to have the ldap pam client or whatever it is called in the chroot
18:24
And everything supports ldap, so compatibility-wise it'd be fine...
18:24
<sbalneav>
ah, ok
18:25
"fake a simple ldap server" heh
18:25
the ldap network protocol is.... non-trivial :D
18:26
<alkisg>
Using appropriate tools of course, not reimplementing it
18:26
<sbalneav>
Script's now down to:
18:27
#!/bin/sh
VARDIR=/var/lib/nss-multifile
# nss-external calls this script as passwd, group or shadow; use that as the db name
DB=${0##*/}
test -d "${VARDIR}/${DB}" || exit 0
if [ -z "$1" ]; then
    # No arg supplied, return all
    cat "${VARDIR}/${DB}"/* 2> /dev/null
else
    # Passed an argument, search by name (column 1) or id (column 3); exit on first match
    cat "${VARDIR}/${DB}"/* 2> /dev/null | \
        awk -F: -v search="$1" '$1 == search || $3 == search { print $0; exit; }'
fi
18:27* sbalneav so happy
18:28
<sbalneav>
Could probably make it even simpler....
18:28
<alkisg>
Haha no need, it's fine :)
18:28
The shell part we can handle!
18:29
You can also put the "cat" outside of the case, i.e. cat | case
18:31kjackal has left IRC (kjackal!~quassel@2a02:587:3117:9e00:9c80:c571:6c79:bdb6, Ping timeout: 264 seconds)
18:31
<sbalneav>
#!/bin/sh
VARDIR=/var/lib/nss-multifile
# nss-external calls this script as passwd, group or shadow; use that as the db name
DB=${0##*/}
test -d "${VARDIR}/${DB}" || exit 0
# No arguments, return everything
test -z "$1" && cat "${VARDIR}/${DB}"/* 2> /dev/null && exit 0
# Passed an argument, search by name (column 1) or id (column 3); exit on first match
cat "${VARDIR}/${DB}"/* 2> /dev/null | \
    awk -F: -v search="$1" '$1 == search || $3 == search { print $0; exit; }'
18:32
BOOM
18:32
9 line replacement for nss-extrafiles :D
18:32
<alkisg>
Haha
18:33here_and_there has left IRC (here_and_there!~ivaylo@193.54.153.250, Ping timeout: 260 seconds)
18:41
<Leolo_2>
I note you do zero verification that $0 is a sane filename. though it's probably not important
18:41
also : why use awk and not grep?
18:44Statler_ has left IRC (Statler_!~Georg@mail.lohn24.de, Read error: Connection reset by peer)
18:44
<sbalneav>
Leolo_2: $0 is called by the nss-external library and is guaranteed to be either one of "/etc/nss-external/passwd" ".../group" or ".../shadow"
18:44Statler_ has joined IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de)
18:44
<sbalneav>
And I use awk because I want to search on a specific column.
18:45
<Leolo_2>
oh, right
18:46
though I wonder which is faster awk or egrep "[^:]+:[^:]+:$1"
18:46
not that it matters, really
18:46
<alkisg>
at that point, readability is more important than speed
18:47
<Leolo_2>
one question I have : all the ltsp scripts are written for sh. Given that they will always run on Linux, why not use bash and open up regexes ?
18:47
<alkisg>
There was a trend to replace all bash scripts with sh scripts, to speed up booting
18:47
6-7 years ago, in debian and ubuntu
18:47
It made a lot of difference; bash is very slow
18:48
<Leolo_2>
ls -l /bin/sh
18:48
lrwxrwxrwx 1 root root 4 Oct 8 2014 /bin/sh -> bash*
18:48
$ ls -l /bin/sh
18:48
lrwxrwxrwx 1 root root 4 May 10 16:47 /bin/sh -> dash
18:48
huh
18:48
<alkisg>
I think we're only using bash in ltsp-build-client because they needed arrays of variables
18:49
<Leolo_2>
ok, sh in RHEL is in fact bash. sh in ubuntu is in fact dash
18:49
<alkisg>
Our scripts should be able to run in both
18:49
(posh, too)
18:49
<Leolo_2>
right
18:50
I was under the erroneous assumption that sh is always bash
18:50
<alkisg>
fedora etc try to use less shell
18:50
debian etc use a lot of shell, even in initramfs (vs dracut)
18:51
So the default shell being bash (=being slow) isn't as important in fedora as it is in debian
19:25kjackal has joined IRC (kjackal!~quassel@athedsl-4547229.home.otenet.gr)
19:41Statler_ has left IRC (Statler_!~Georg@p54BFB0E9.dip0.t-ipconnect.de, Remote host closed the connection)
20:05ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
20:11lbssousa has left IRC (lbssousa!~lbssousa@177.143.31.237, Quit: Leaving)
20:12
<vagrantc>
sbalneav: yup, shell scripts are copyrightable, and default copyright unless otherwise specified is non-permissive ...
20:13
sbalneav: if in doubt, explicitly state license terms
20:13
sbalneav: worst that happens is it's not copyrightable, and it doesn't matter
20:13
sbalneav: the inverse case is that it's copyrightable, and nobody can use it without pestering you all the time
20:21Faith has left IRC (Faith!~paty_@143.107.231.49, Changing host)
20:21Faith has joined IRC (Faith!~paty_@unaffiliated/faith)
20:46alumno___ has joined IRC (alumno___!c857ba7c@gateway/web/freenode/ip.200.87.186.124)
21:01Faith has left IRC (Faith!~paty_@unaffiliated/faith, Quit: Leaving)
21:23ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
21:38kjackal has left IRC (kjackal!~quassel@athedsl-4547229.home.otenet.gr, Ping timeout: 250 seconds)