|00:49||vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:40, Quit: leaving)|
|04:55||eu^ip-178-46-130 has joined IRC (firstname.lastname@example.org)|
Good morning. Help with brainstorming, the server is on 172.20.0.210, you need to set up a connection on 3 subnets, Mikrotik is responsible for 172.20.0.0/24, there are also 2 more networks 192.168.110.0/24 and 192.168.111.0/24 for which dhcp is responsible on windows server , /ltsp/images/x86_64.img and server 172.20.0.210 were registered on
Mikrotik, now dhcp works from Mikrotik, as it should be, on windows server in dhcp settings the same path was registered /ltsp/images/x86_64.img and server 172.20 .0.210, but when connecting from PC 192.168.110.* via pxe there is no connection, maybe the path is not correct?
|04:57||M_i_k_a_ela[m] has joined IRC (M_i_k_a_ela[m]!~mikaelama@2001:470:69fc:105::2:cc84)|
|04:59||eu^ip-178-46-130 is now known as M_i_k_a_ela|
|04:59||* M_i_k_a_ela[m] uploaded an image: (93KiB) < https://libera.ems.host/_matrix/media/v3/download/matrix.org/sjaRaPysDLIAtAXKHlPuSYIn/%D0%B8%D0%B7%D0%BE%D0%B1%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5_2022-11-29_095947744.png >|
eu^ip-178-46-130: 3 different paths are needed, undionly.kpxe for bios, snponly.efi for uefi, and ltsp.ipxe after ipxe is loaded
Many DHCP servers don't have an "if" command like isc-dhcp and dnsmasq do
So it's usually easier to NOT provide any boot filenames, and configure the LTSP server in its default proxyDHCP mode, where it sends the boot filename WITHOUT sending an IP
|06:36||woernie has joined IRC (email@example.com)|
|07:05||ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)|
|07:21||* M_i_k_a_ela[m] uploaded an image: (5KiB) < https://libera.ems.host/_matrix/media/v3/download/matrix.org/dCjNWiZbUrpdZykbZmpoAWlP/%D0%B8%D0%B7%D0%BE%D0%B1%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5_2022-11-29_122143781.png >|
I did it, but the PC with another gateway does not connect, maybe
You may use pxelinux if you wish, which requires only a single file although it doesn't support UEFI: https://ltsp.org/guides/pxelinux/
Or you can build undionly.kpxe/snponly.efi locally, and include an ipxe script inside it; that way ipxe can also do a single filename
M_i_k_a_ela: see https://github.com/ltsp/ltsp/discussions/760#discussioncomment-3858807 about the last option ^
|08:17||jgee118 has left IRC (firstname.lastname@example.org, Quit: Ping timeout (120 seconds))|
I filed https://github.com/ltsp/ltsp/issues/773 regarding this issue ^
|08:50||alkisg_irc has joined IRC (alkisg_irc!~Thunderbi@srv1-dide.ioa.sch.gr)|
|08:52||alkisg has left IRC (alkisg!~Thunderbi@2a02:587:744e:8500:c24a:ff:fe02:bc1e, Ping timeout: 264 seconds)|
|08:52||alkisg_irc is now known as alkisg|
|09:17||jgee118 has joined IRC (email@example.com)|
|09:48||vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)|
|10:42||vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)|
|11:27||M_i_k_a_ela has left IRC (M_i_k_a_elafirstname.lastname@example.org, Quit: Client closed)|
|14:58||vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)|
|17:54||woernie has left IRC (email@example.com, Remote host closed the connection)|
Hi, anyone have a suggestion for marking a .desktop file as trusted for all users of an LTSP server? I have a folder structure in /opt that I'm symlinking to particular user's desktops, with some .desktop files in it
I know this isn't strictly ltsp specific, but likely encountered on ltsp servers frequently
I don't want the users to have write access to the files
the .desktop files are owned by root, and the user is a member of the file's group with rwx permissions
(it exists within the ltsp image, so obviously thye can't *actually* write to it)
|18:01||vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)|
|19:04||woernie has joined IRC (firstname.lastname@example.org)|
|19:07||bluejaypop has left IRC (bluejaypop!~7f000001@user/josefig)|
MUHWALT: not sure what the blocker is there; if the files are already +x when they're in /opt, why would you need to +x them again?
The blocker is the scary popup in mate that says the .desktop file is untrusted. With the perms how they are, the user has no option of "mark as trusted", only "Launch anyways"
I gave up on symlinking to the files in /opt and now I'm just checking group membership in .profile and copying the .desktop files to the user's Desktop ;)
seems like a lot of work to get this working, though 🤣
Why don't you put them in the menu (/usr/share/applications), the users can't find them there?
There's sensitive info in the .desktop files and I only want certain ones to be available to users based on their group
I know that's *not* ideal, but that's where I'm at :D
(it involves IP cameras and RTSP)
Btw, symlinking e.g. /opt/firefox.desktop (with mode=755) to /home/alkisg/Desktop allows me to run it without any popups
more specifically i had like...
/opt/cameras/office1 <-- root:office1 740
/opt/cameras/office2 <-- root:office2 740
with .desktop files under each "office" dir
and I was symlinking to /opt/cameras
not the .desktop files themselves
But /opt/cameras/office1/launcher.desktop was 755?
740 all the way through
everyone should not be able to access, the group should be able to read and not edit
ultimately this *should* be done with proper authentication/authorization with our cameras... but we're a social services non-profit 🤣
the .desktop files have the viewer username/password for our cams... e.g., Exec=xdg-open rtsp://user:pass@camera
Make the desktop file 755; you can restrict access further up from the directory permissions and owner
Also I guess you probably mean that the sensitive info is in "Exec=program params"; this will show up in `ps`, so it shouldn't really be done like thais if you want security
A person running `while true; do ps > file` will capture all the passwords
Only if they have access to the workstation already
at that point...
well, you know :D
But yeah, ideally we'd have some web-based NVR thing with usernames and access control that way... but holy crap have you looked at how complicated zone minder is? :D
this lets them launch the stream w/ vlc and record if they want
Nah I haven't used any IP cameras yet, no idea about the related software
it's a *mess*
What does xdg-open rtsp actually open, vlc, firefox?
or celluloid if that's what's on there
The debian vlc package actually excludes rtsp support, if you ever go down that route :<
the ubuntu snap package has it in there...
but we remove snap :D
And you put /opt into the image?
it was just that "trust" thing that was causing issues
I mean, if you put your passwords in /srv/ltsp/images/x86_64.img, they can be seen by almost anyone on the network
sure, but you'd need to know what you're looking for
we are playing the obscurity game, but trying to balance out doing what we need to do, and not advertising access to those cameras
It would probably be better to create an /etc/xdg/autostart/create-symlinks.desktop entry, that will run ltsp remoteapps /srv/private/create-symlinks, that will create the appropriate .desktop entry for them
As that will run on the server, the passwords won't need to reside in the image; and making it post-login ensures the user has already authenticated
that makes sense
ltsp image / excludes /srv?
is what I'm taking away from this
or rather wouldn't include /srv/<some dir I create>
thanks for the tip!
Yes, of course you can also configure it to exclude other locations
# grep srv /usr/share/ltsp/server/image/image.excludes
it looks like remoteapps will automatically generate an ssh key for the user?
|21:03||woernie has left IRC (email@example.com, Remote host closed the connection)|
I couldn't get the desktop file in /etc/xdg/autorun to work, so I ended up just dropping the `ltsp remoteapps ...` in ~/.profile, which does work
I just seem to have a ton of problems with .desktop files 🤣
made it on my own desktop... it worked from there... sudo cp to /etc/xdg/autorun/ and it blows up
|21:43||ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)|