Okay guys, so I am stumped and confuzzled.
I just did an upgrade to Devuan Beowulf (= Debian Buster), and everything went fine; except once up and running, I couldn't download more than a few of Trinity's packages.
After trying different repositories, and playing with my sources list, I managed to do just a bit better, then I saved the day with some extreme voodoo using about config [*I meant to say, apt-get* ... writing on auto-pilot] (scrolling through the manpages to find something that works). I ended up getting enough of the Trinity packages to download by using --ignore-hold and dselect-upgrade options. I even searched out the links to deb packages on the developers' repositories, and downloaded them with wget, so that I could try forcing install using dpkg.
Now at least (at last) I do have a working system which is a reasonable facsimile of my previous one, but it does seem like it ought to have been easier. For about the past three days now, I've lived in the command-line.
Also I would like recommendations for a firewall that displays active connections and rules, etc., like the old Firestarter used to do. I catch all kinds of problems by noticing activity on my firewall, but now I cannot seem to find one that displays active connections, and Firestarter can no longer be hacked to make it work on a newer system.
Thanks for any advice or comments,
Bill
--------------------------------------------------------------------- To unsubscribe, e-mail: trinity-users-unsubscribe@lists.pearsoncomputing.net For additional commands, e-mail: trinity-users-help@lists.pearsoncomputing.net Read list messages on the web archive: http://trinity-users.pearsoncomputing.net/ Please remember not to top-post: http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
On Thursday 27 of August 2020 16:40:40 William Morder via trinity-users wrote:
> Okay guys, so I am stumped and confuzzled.
> I just did an upgrade to Devuan Beowulf (= Debian Buster), and everything went fine; except once up and running, I couldn't download more than a few of Trinity's packages.
> After trying different repositories, and playing with my sources list, I managed to do just a bit better, then I saved the day with some extreme voodoo using about config [*I meant to say, apt-get* ... writing on auto-pilot] (scrolling through the manpages to find something that works). I ended up getting enough of the Trinity packages to download by using --ignore-hold and dselect-upgrade options. I even searched out the links to deb packages on the developers' repositories, and downloaded them with wget, so that I could try forcing install using dpkg.
> Now at least (at last) I do have a working system which is a reasonable facsimile of my previous one, but it does seem like it ought to have been easier. For about the past three days now, I've lived in the command-line.
> Also I would like recommendations for a firewall that displays active connections and rules, etc., like the old Firestarter used to do. I catch all kinds of problems by noticing activity on my firewall, but now I cannot seem to find one that displays active connections, and Firestarter can no longer be hacked to make it work on a newer system.
> Thanks for any advice or comments,
> Bill

Hi Bill,
what problems do you observe? Do packages report incorrect size / checksum after download? Or do you get a 404 response? Or something else?
Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:

    Acquire::http::Pipeline-Depth "0";
    Acquire::http::No-Cache=True;
    Acquire::BrokenProxy=true;

Cheers
On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
>
>     Acquire::http::Pipeline-Depth "0";
>     Acquire::http::No-Cache=True;
>     Acquire::BrokenProxy=true;

Hi Slávek,
For those of us who don't know better, where would those commands go?
Thanks, Michael
PS: I've had this happen (rarely) as well.
On Thursday 27 of August 2020 17:13:28 Michael wrote:
> On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> >
> >     Acquire::http::Pipeline-Depth "0";
> >     Acquire::http::No-Cache=True;
> >     Acquire::BrokenProxy=true;
>
> Hi Slávek,
> For those of us who don't know better, where would those commands go?
> Thanks, Michael
> PS: I've had this happen (rarely) as well.

This is exactly from one of my machines:

    # cat /etc/apt/apt.conf.d/99fixbadproxy
    Acquire::http::Pipeline-Depth "0";
    Acquire::http::No-Cache=True;
    Acquire::BrokenProxy=true;

Cheers
On Thursday 27 August 2020 08:17:24 Slávek Banko wrote:
> On Thursday 27 of August 2020 17:13:28 Michael wrote:
> > On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> > > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> > >
> > >     Acquire::http::Pipeline-Depth "0";
> > >     Acquire::http::No-Cache=True;
> > >     Acquire::BrokenProxy=true;
> >
> > Hi Slávek,
> > For those of us who don't know better, where would those commands go?
> > Thanks, Michael
> > PS: I've had this happen (rarely) as well.
>
> This is exactly from one of my machines:
>
>     # cat /etc/apt/apt.conf.d/99fixbadproxy
>     Acquire::http::Pipeline-Depth "0";
>     Acquire::http::No-Cache=True;
>     Acquire::BrokenProxy=true;
>
> Cheers

noted -- I will use them where needed.
Right now I am having better luck with downloads, having used wget to procure the packages by alternate means, then my apt-get and dpkg voodoo.
I am using a direct connection at present (if I did not make that clear). Usually I am always running over Tor, but not until I get the packages I need. (Or are you referring to a proxy not on my end, but somewhere else in the chain?)
Bill
On Thursday 27 of August 2020 17:26:47 William Morder via trinity-users wrote:
> On Thursday 27 August 2020 08:17:24 Slávek Banko wrote:
> > On Thursday 27 of August 2020 17:13:28 Michael wrote:
> > > On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> > > > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> > > >
> > > >     Acquire::http::Pipeline-Depth "0";
> > > >     Acquire::http::No-Cache=True;
> > > >     Acquire::BrokenProxy=true;
> > >
> > > Hi Slávek,
> > > For those of us who don't know better, where would those commands go?
> > > Thanks, Michael
> > > PS: I've had this happen (rarely) as well.
> >
> > This is exactly from one of my machines:
> >
> >     # cat /etc/apt/apt.conf.d/99fixbadproxy
> >     Acquire::http::Pipeline-Depth "0";
> >     Acquire::http::No-Cache=True;
> >     Acquire::BrokenProxy=true;
> >
> > Cheers
>
> noted -- I will use them where needed.
> Right now I am having better luck with downloads, having used wget to procure the packages by alternate means, then my apt-get and dpkg voodoo.
> I am using a direct connection at present (if I did not make that clear). Usually I am always running over Tor, but not until I get the packages I need. (Or are you referring to a proxy not on my end, but somewhere else in the chain?)
> Bill

Yes, I mean the proxy "somewhere along the way". In the case of proxies, which I have under my control (i.e. squid), these problems do not occur there. But if the provider has implemented some "next generation firewall", there may be a lousy transparent proxy at the provider.
Cheers
On Thursday 27 August 2020 08:37:52 Slávek Banko wrote:
> On Thursday 27 of August 2020 17:26:47 William Morder via trinity-users wrote:
> > On Thursday 27 August 2020 08:17:24 Slávek Banko wrote:
> > > On Thursday 27 of August 2020 17:13:28 Michael wrote:
> > > > On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> > > > > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> > > > >
> > > > >     Acquire::http::Pipeline-Depth "0";
> > > > >     Acquire::http::No-Cache=True;
> > > > >     Acquire::BrokenProxy=true;
> > > >
> > > > Hi Slávek,
> > > > For those of us who don't know better, where would those commands go?
> > > > Thanks, Michael
> > > > PS: I've had this happen (rarely) as well.
> > >
> > > This is exactly from one of my machines:
> > >
> > >     # cat /etc/apt/apt.conf.d/99fixbadproxy
> > >     Acquire::http::Pipeline-Depth "0";
> > >     Acquire::http::No-Cache=True;
> > >     Acquire::BrokenProxy=true;
> > >
> > > Cheers
> >
> > noted -- I will use them where needed.
> > Right now I am having better luck with downloads, having used wget to procure the packages by alternate means, then my apt-get and dpkg voodoo.
> > I am using a direct connection at present (if I did not make that clear). Usually I am always running over Tor, but not until I get the packages I need. (Or are you referring to a proxy not on my end, but somewhere else in the chain?)
> > Bill
>
> Yes, I mean the proxy "somewhere along the way". In the case of proxies, which I have under my control (i.e. squid), these problems do not occur there. But if the provider has implemented some "next generation firewall", there may be a lousy transparent proxy at the provider.
> Cheers

a-HA.
Well, I have seen that syntax before, in other apt-get commands (for insecure repositories), so I believe I can figure out how to use them.
No insecure connections at the moment, as I am still dealing with the firewall and other concerns.
Bill
On Thursday 27 August 2020 08:13:28 Michael wrote:
> On Thursday 27 August 2020 10:05:17 am Slávek Banko wrote:
> > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> >
> >     Acquire::http::Pipeline-Depth "0";
> >     Acquire::http::No-Cache=True;
> >     Acquire::BrokenProxy=true;
>
> Hi Slávek,
> For those of us who don't know better, where would those commands go?
> Thanks, Michael
> PS: I've had this happen (rarely) as well.

example: sudo apt-get --ignore-hold dselect-upgrade install
Basically, I shoot until I hit the right thing, I do a test run on commands (scrolling through manpages - man apt-get), trying them out to see what they do, if their descriptions look worth pursuing. If in doubt try the -d option (download only, no install), then use cp -t your safe location, so that you can use dpkg to force install until you find out what works. (Then run apt-get -f install, to see what needs correction, or dpkg --purge --force-all if you get into really deep doodoo.)
Just do it by baby steps, so that you don't make extreme changes and end up with a broken system, and nothing left to do but reinstall from scratch.
Bill
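
As an added illustration (not from any message in this thread), the size/checksum question raised earlier and the download-then-dpkg workflow just described meet in one check: compare a hand-fetched .deb with the Size and SHA256 its Packages index entry records before giving it to dpkg, which does not consult the repository index itself. The function names, the `example-pkg` file and the index contents are constructed for the demo, and the index is assumed to be one apt has already authenticated.

```shell
#!/bin/sh
# Added example: verify a manually downloaded .deb against a Packages index.
# Assumption: the index passed in came through apt's signed Release chain.

# pkg_field INDEX DEBNAME FIELD
# Print FIELD from the stanza whose "Filename:" ends in DEBNAME.
# Stanzas in a Packages index are separated by blank lines.
pkg_field() {
    awk -v want="$2" -v field="$3" '
        BEGIN { RS = ""; FS = "\n" }
        {
            fname = ""; value = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) fname = substr($i, 11)
                if (index($i, field ": ") == 1) value = substr($i, length(field) + 3)
            }
            n = split(fname, parts, "/")
            if (n > 0 && parts[n] == want) { print value; exit }
        }' "$1"
}

# verify_deb INDEX DEBFILE
# Returns 0 when size and SHA256 match the index, 1 on any mismatch,
# 2 when the file is missing or the index has no entry for it.
verify_deb() {
    vd_index=$1
    vd_deb=$2
    vd_name=$(basename "$vd_deb")
    [ -f "$vd_deb" ] || { echo "$vd_deb: no such file" >&2; return 2; }
    vd_want_sum=$(pkg_field "$vd_index" "$vd_name" SHA256)
    vd_want_size=$(pkg_field "$vd_index" "$vd_name" Size)
    if [ -z "$vd_want_sum" ] || [ -z "$vd_want_size" ]; then
        echo "$vd_name: not listed in $vd_index" >&2
        return 2
    fi
    # Size first: a truncated transfer is caught without hashing the file.
    vd_got_size=$(wc -c < "$vd_deb" | tr -d ' ')
    if [ "$vd_got_size" != "$vd_want_size" ]; then
        echo "$vd_name: size $vd_got_size, index says $vd_want_size" >&2
        return 1
    fi
    vd_got_sum=$(sha256sum "$vd_deb" | cut -d' ' -f1)
    if [ "$vd_got_sum" != "$vd_want_sum" ]; then
        echo "$vd_name: SHA256 differs from index entry" >&2
        return 1
    fi
    return 0
}

# ---- Demo on constructed data (not a real package or repository) ----
demo_dir=$(mktemp -d)
demo_deb="$demo_dir/example-pkg_1.0_amd64.deb"
printf 'constructed stand-in for a .deb payload\n' > "$demo_deb"
cat > "$demo_dir/Packages" <<EOF
Package: other-pkg
Version: 2.0
Installed-Size: 10
Filename: pool/main/o/other-pkg/other-pkg_2.0_amd64.deb
Size: 1
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: example-pkg
Version: 1.0
Installed-Size: 42
Filename: pool/main/e/example-pkg/example-pkg_1.0_amd64.deb
Size: $(wc -c < "$demo_deb" | tr -d ' ')
SHA256: $(sha256sum "$demo_deb" | cut -d' ' -f1)
Description: constructed entry
 for illustration only
EOF

verify_deb "$demo_dir/Packages" "$demo_deb" && echo "intact copy: matches index"

# Same length, different bytes: the kind of damage a faulty proxy can cause.
printf 'c0nstructed stand-in for a .deb payload\n' > "$demo_deb"
verify_deb "$demo_dir/Packages" "$demo_deb" || echo "altered copy: rejected"

# Cut-off download: caught by the size comparison.
printf 'constructed' > "$demo_deb"
verify_deb "$demo_dir/Packages" "$demo_deb" || echo "truncated copy: rejected"

rm -rf "$demo_dir"
```

Only a file for which `verify_deb` returns 0 is worth passing to `dpkg -i`; a non-zero result means fetch it again rather than reach for a force option.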
On Thursday 27 August 2020 08:05:17 Slávek Banko wrote:
> On Thursday 27 of August 2020 16:40:40 William Morder via trinity-users wrote:
> > Okay guys, so I am stumped and confuzzled.
> > I just did an upgrade to Devuan Beowulf (= Debian Buster), and everything went fine; except once up and running, I couldn't download more than a few of Trinity's packages.
> > After trying different repositories, and playing with my sources list, I managed to do just a bit better, then I saved the day with some extreme voodoo using about config [*I meant to say, apt-get* ... writing on auto-pilot] (scrolling through the manpages to find something that works). I ended up getting enough of the Trinity packages to download by using --ignore-hold and dselect-upgrade options. I even searched out the links to deb packages on the developers' repositories, and downloaded them with wget, so that I could try forcing install using dpkg.
> > Now at least (at last) I do have a working system which is a reasonable facsimile of my previous one, but it does seem like it ought to have been easier. For about the past three days now, I've lived in the command-line.
> > Also I would like recommendations for a firewall that displays active connections and rules, etc., like the old Firestarter used to do. I catch all kinds of problems by noticing activity on my firewall, but now I cannot seem to find one that displays active connections, and Firestarter can no longer be hacked to make it work on a newer system.
> > Thanks for any advice or comments,
> > Bill
>
> Hi Bill,
> what problems do you observe? Do packages report incorrect size / checksum after download? Or do you get a 404 response? Or something else?
> Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
>
>     Acquire::http::Pipeline-Depth "0";
>     Acquire::http::No-Cache=True;
>     Acquire::BrokenProxy=true;
>
> Cheers

Ordinarily I would always use a proxy -- and have no problems at all -- but tork-trinity, tor, etc., are some of the packages that will not download.
The packages are listed when I do apt-cache search, etc., but then when I tried to download, it would ask for dependencies that seemed like they were for Bullseye. So then I tried using Sid, Bullseye, unstable, etc., but finally went back to vanilla Devuan Beowulf, and Buster for the Trinity repositories. When I ran Jessie, I would always use your PSB repo, and now I also have tried PTB repo, but it kept saying I needed 11.0 Buster packages. So I went back to the Trinity ppa repo (I believe it's Tim's or a mirror thereof), along with vanilla Devuan (pkgmaster, etc.), and then I played with dpkg and apt-get as already described.
Now it's working, but I still have problems finding or downloading packages, even though I see them listed.
Bill
On Thursday 27 of August 2020 17:13:46 William Morder via trinity-users wrote:
> On Thursday 27 August 2020 08:05:17 Slávek Banko wrote:
> > On Thursday 27 of August 2020 16:40:40 William Morder via trinity-users wrote:
> > > Okay guys, so I am stumped and confuzzled.
> > > I just did an upgrade to Devuan Beowulf (= Debian Buster), and everything went fine; except once up and running, I couldn't download more than a few of Trinity's packages.
> > > After trying different repositories, and playing with my sources list, I managed to do just a bit better, then I saved the day with some extreme voodoo using about config [*I meant to say, apt-get* ... writing on auto-pilot] (scrolling through the manpages to find something that works). I ended up getting enough of the Trinity packages to download by using --ignore-hold and dselect-upgrade options. I even searched out the links to deb packages on the developers' repositories, and downloaded them with wget, so that I could try forcing install using dpkg.
> > > Now at least (at last) I do have a working system which is a reasonable facsimile of my previous one, but it does seem like it ought to have been easier. For about the past three days now, I've lived in the command-line.
> > > Also I would like recommendations for a firewall that displays active connections and rules, etc., like the old Firestarter used to do. I catch all kinds of problems by noticing activity on my firewall, but now I cannot seem to find one that displays active connections, and Firestarter can no longer be hacked to make it work on a newer system.
> > > Thanks for any advice or comments,
> > > Bill
> >
> > Hi Bill,
> > what problems do you observe? Do packages report incorrect size / checksum after download? Or do you get a 404 response? Or something else?
> > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> >
> >     Acquire::http::Pipeline-Depth "0";
> >     Acquire::http::No-Cache=True;
> >     Acquire::BrokenProxy=true;
> >
> > Cheers
>
> Ordinarily I would always use a proxy -- and have no problems at all -- but tork-trinity, tor, etc., are some of the packages that will not download.
> The packages are listed when I do apt-cache search, etc., but then when I tried to download, it would ask for dependencies that seemed like they were for Bullseye. So then I tried using Sid, Bullseye, unstable, etc., but finally went back to vanilla Devuan Beowulf, and Buster for the Trinity repositories. When I ran Jessie, I would always use your PSB repo, and now I also have tried PTB repo, but it kept saying I needed 11.0 Buster packages. So I went back to the Trinity ppa repo (I believe it's Tim's or a mirror thereof), along with vanilla Devuan (pkgmaster, etc.), and then I played with dpkg and apt-get as already described.
> Now it's working, but I still have problems finding or downloading packages, even though I see them listed.
> Bill

I remember seeing package availability issues when I wanted to prepare build-root for Devuan Chimaera. There were exclusively Devuan apt sources and for me it seemed that there was some broken state of the merge process of the Debian + Devuan packages on Devuan side. I didn't try to examine it in more detail - I didn't want to waste time - and I put it off until later.
Cheers
On Thursday 27 of August 2020 17:52:16 Slávek Banko wrote:
> On Thursday 27 of August 2020 17:13:46 William Morder via trinity-users wrote:
> > On Thursday 27 August 2020 08:05:17 Slávek Banko wrote:
> > > On Thursday 27 of August 2020 16:40:40 William Morder via trinity-users wrote:
> > > > Okay guys, so I am stumped and confuzzled.
> > > > I just did an upgrade to Devuan Beowulf (= Debian Buster), and everything went fine; except once up and running, I couldn't download more than a few of Trinity's packages.
> > > > After trying different repositories, and playing with my sources list, I managed to do just a bit better, then I saved the day with some extreme voodoo using about config [*I meant to say, apt-get* ... writing on auto-pilot] (scrolling through the manpages to find something that works). I ended up getting enough of the Trinity packages to download by using --ignore-hold and dselect-upgrade options. I even searched out the links to deb packages on the developers' repositories, and downloaded them with wget, so that I could try forcing install using dpkg.
> > > > Now at least (at last) I do have a working system which is a reasonable facsimile of my previous one, but it does seem like it ought to have been easier. For about the past three days now, I've lived in the command-line.
> > > > Also I would like recommendations for a firewall that displays active connections and rules, etc., like the old Firestarter used to do. I catch all kinds of problems by noticing activity on my firewall, but now I cannot seem to find one that displays active connections, and Firestarter can no longer be hacked to make it work on a newer system.
> > > > Thanks for any advice or comments,
> > > > Bill
> > >
> > > Hi Bill,
> > > what problems do you observe? Do packages report incorrect size / checksum after download? Or do you get a 404 response? Or something else?
> > > Lately, I've been seeing more often that probably due to a malfunctioning transparent proxy somewhere at the provider, I'm getting corrupted apt lists or damaged packages. And I have to download them repeatedly and repeatedly and... For such cases, it usually helps me to set up apt to know that the broken proxy is in the way:
> > >
> > >     Acquire::http::Pipeline-Depth "0";
> > >     Acquire::http::No-Cache=True;
> > >     Acquire::BrokenProxy=true;
> > >
> > > Cheers
> >
> > Ordinarily I would always use a proxy -- and have no problems at all -- but tork-trinity, tor, etc., are some of the packages that will not download.
> > The packages are listed when I do apt-cache search, etc., but then when I tried to download, it would ask for dependencies that seemed like they were for Bullseye. So then I tried using Sid, Bullseye, unstable, etc., but finally went back to vanilla Devuan Beowulf, and Buster for the Trinity repositories. When I ran Jessie, I would always use your PSB repo, and now I also have tried PTB repo, but it kept saying I needed 11.0 Buster packages. So I went back to the Trinity ppa repo (I believe it's Tim's or a mirror thereof), along with vanilla Devuan (pkgmaster, etc.), and then I played with dpkg and apt-get as already described.
> > Now it's working, but I still have problems finding or downloading packages, even though I see them listed.
> > Bill
>
> I remember seeing package availability issues when I wanted to prepare build-root for Devuan Chimaera. There were exclusively Devuan apt sources and for me it seemed that there was some broken state of the merge process of the Debian + Devuan packages on Devuan side. I didn't try to examine it in more detail - I didn't want to waste time - and I put it off until later.
> Cheers

Now I took a closer look at the problem on my builder and found that this is not a problem on the Devuan side. On the builder I use squid-deb-proxy and there are listed servers from which the download of packages is allowed. Devuan uses the Debian redirector for Debian packages, as a result there are attempts to download packages from servers that are not allowed in the squid-deb-proxy. That's why it doesn't work properly on my builder. So this is a different problem than you observe.
Cheers
Okay, so a new thread, as things have changed and progressed somewhat, but now I have new problems.
I got my system restored *almost* to how I want it, but some things have changed in my system, and I did not make those changes.
#1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.
Anyway, so now, suddenly, I am asked for the root password in order to run gufw and other such stuff. But when I enter my password, I get a message that the password is incorrect. This happened before, long ago, when I first switched from (k)ubuntu to debian; debian seems to have a stricter default policy, which is probably a good thing, and I probably ought to get the hang of this thing, right?
So I need an easier solution than whatever this is that I am doing (or not doing). I have been combing through my Linux pocket guide and Linux in a Nutshell and Linux Bible, etc., but they all say the same thing, and none of them work.
#2 - I still want a graphical firewall that runs like the old Firestarter; gufw isn't quite what I want, or maybe I just haven't yet configured it properly.
What I want is not just a GUI, but instead, one that displays *active connections* as they appear and disappear, and allows changing rules on the fly. Is there such a thing?
Running it in a terminal would suit me just fine, so long as it is a dynamic display of active connections as they occur. Also an easier way to edit iptables. (I read that there is some new "thing" to replace iptables, meaning that ufw and gufw and their kin will all become obsolete very soon, apparently being phased out, and I had a hard time downloading them.)
Another possible fix would be: to pass my firestarter rules (based on iptables) along to ufw/gufw.
But anyway, what I want is to see my active connections. (See enclosed screenshot.)
Any help or comments or suggestions are appreciated. If not, at least a good joke.
Bill
P.S. The worst insult is, just before my upgrade, I had got my Jessie system fine-tuned to near-perfection, and was feeling rather smug and virtually bulletproof. On the bright side: Beowulf/Buster does seem to run better, overall, except for when I can't get it to DO WHAT I WANT.
:-\
See screenshot for firewall example.
Hi Bill!
Anno domini 2020 Fri, 28 Aug 17:06:31 -0700 William Morder via trinity-users scripsit:
> Okay, so a new thread, as things have changed and progressed somewhat, but now I have new problems.
> I got my system restored *almost* to how I want it, but some things have changed in my system, and I did not make those changes.
> #1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.

Always set a root password, even if it's 123456789. Not all programs accept root without password.

> Anyway, so now, suddenly, I am asked for the root password in order to run gufw and other such stuff. But when I enter my password, I get a message that the password is incorrect. This happened before, long ago, when I first switched from (k)ubuntu to debian; debian seems to have a stricter default policy, which is probably a good thing, and I probably ought to get the hang of this thing, right?
> So I need an easier solution than whatever this is that I am doing (or not doing). I have been combing through my Linux pocket guide and Linux in a Nutshell and Linux Bible, etc., but they all say the same thing, and none of them work.
> #2 - I still want a graphical firewall that runs like the old Firestarter; gufw isn't quite what I want, or maybe I just haven't yet configured it properly.

didn't know Firestarter, but it looks nice for a firewall. I have to admit I don't like linux firewall (I prefer the BSD way). Anyway, I use "ufw" - it has a nice GUI, depending on your text editor :)

> What I want is not just a GUI, but instead, one that displays *active connections* as they appear and disappear, and allows changing rules on the fly. Is there such a thing?

"firewall-applet" could be what you want, but it drags in a whole bunch of things.

> Running it in a terminal would suit me just fine, so long as it is a dynamic display of active connections as they occur. Also an easier way to edit iptables. (I read that there is some new "thing" to replace iptables, meaning that ufw and gufw and their kin will all become obsolete very soon, apparently being phased out, and I had a hard time downloading them.)
> Another possible fix would be: to pass my firestarter rules (based on iptables) along to ufw/gufw.

gufw? a gui for ufw? Abomination! That could definitely be done. Are you in for a bit of shell black magic?

> But anyway, what I want is to see my active connections. (See enclosed screenshot.)
> Any help or comments or suggestions are appreciated. If not, at least a good joke.

Windows guys suggest to run a firewall in amazon cloud and send all your network through it. I still have not figured out if this is a bad joke or that they actually do, but I have the strong feeling this is serious advice (there are commercial offers for this kind of stuff).

> Bill
> P.S. The worst insult is, just before my upgrade, I had got my Jessie system fine-tuned to near-perfection, and was feeling rather smug and virtually bulletproof. On the bright side: Beowulf/Buster does seem to run better, overall, except for when I can't get it to DO WHAT I WANT.
> :-\
> See screenshot for firewall example.
On Saturday 29 August 2020 01:10:15 Dr. Nikolaus Klepp wrote:
Hi Bill!
Anno domini 2020 Fri, 28 Aug 17:06:31 -0700
William Morder via trinity-users scripsit:
Okay, so a new thread, as things have changed and progressed somewhat, but now I have new problems.
I got my system restored *almost* to how I want it, but some things have changed in my system, and I did not make those changes.
#1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.
Always set a root password, even it's 123456789. Not all programs accept root without password.
Yeah, I tried that, but I always end up with this same problem. When I tried setting a root password before (because it always seemed like the *right* answer), I got this same result.
When I made the move from Kubuntu to Debian, I went through this root-password thing at least 5 or 6 times. I always ended up with a system where I could not be granted admin or root privileges ... EXCEPT in a sudo su shell! So that's what I usually do: I create a sudo su shell, then exit and allow permissions to expire, then when I need quick access again, I just hit my UP arrow key, re-enter password, and go back into sudo su to kill something or whatever else needs immediate attention.
Now, it would be nice to crack this nut, once and for all, but I don't want to keep asking my own machine for permission to do things. The question is, which of us is master?
Anyway, so now, suddenly, I am asked for the root password in order to run gufw and other such stuff. But when I enter my password, I get a message that the password is incorrect. This happened before, long ago, when I first switched from (k)ubuntu to debian; debian seems to have a stricter default policy, which is probably a good thing, and I probably ought to get the hang of this thing, right?
So I need an easier solution than whatever this is that I am doing (or not doing). I have been combing through my Linux pocket guide and Linux in a Nutshell and Linux Bible, etc., but they all say the same thing, and none of them work.
#2 - I still want a graphical firewall that runs like the old Firestarter; gufw isn't quite what I want, or maybe I just haven't yet configured it properly.
didn't know Firestarter, but it looks nice for a firewall. I have to admit I don't like linux firewall (I prefer the BSD way). Anyway, I use "ufw" - it has a nice GUI, depending on your text editor :)
What I want is not just a GUI, but instead, one that displays *active connections* as they appear and disappear, and allows changing rules on the fly. Is there such a thing?
"firewall-applet" could be what you want, but it drags in a whole bunch of things.
Will check it out, thanks.
Running it in a terminal would suit me just fine, so long as it is a dynamic display of active connections as they occur. Also an easier way to edit iptables. (I read that there is some new "thing" to replace iptables, meaning that ufw and gufw and their kin will all become obsolete very soon, apparently being phased out, and I had a hard time downloading them.)
Another possible fix would be: to pass my firestarter rules (based on iptables) along to ufw/gufw.
gufw? a gui for ufw? Abomination! That could definitely be done. Are you in for a bit of shell black magic?
I am always prepared for some black magic. That is why I keep my *Linux in a Nutshell* grimoire always close to hand. Oh, and salt, burning sulfur, candles and incense, and some cats.
I used to keep goats and chickens, but nowadays my landlord is always complaining.
Seriously, whatever you can recommend to get me back "in control" of the Mother Ship.
Thanks a bunch!
But anyway, what I want is to see my active connections. (See enclosed screenshot.)
Any help or comments or suggestions are appreciated. If not, at least a good joke.
Windows guys suggest to run a firewall in amazon cloud and send all your network through it. I still have not figured out if this is a bad joke or that they actually do, but I have the strong feeling this is a serious advice (there are commercial offers for this kind of stuff).
It sounds like these kids forget everything about security, privacy, whenever somebody says the word "cloud" -- then it's all okay.
Bill
P.S. The worst insult is, just before my upgrade, I had got my Jessie system fine-tuned to near-perfection, and was feeling rather smug and virtually bulletproof. On the bright side: Beowulf/Buster does seem to run better, overall, except for when I can't get it to DO WHAT I WANT.
:-\
See screenshot for firewall example.
Anno domini 2020 Sat, 29 Aug 01:28:56 -0700 William Morder via trinity-users scripsit:
On Saturday 29 August 2020 01:10:15 Dr. Nikolaus Klepp wrote:
Hi Bill!
Anno domini 2020 Fri, 28 Aug 17:06:31 -0700
William Morder via trinity-users scripsit:
Okay, so a new thread, as things have changed and progressed somewhat, but now I have new problems.
I got my system restored *almost* to how I want it, but some things have changed in my system, and I did not make those changes.
#1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.
Always set a root password, even if it's 123456789. Not all programs accept root without password.
Yeah, I tried that, but I always end up with this same problem. When I tried setting a root password before (because it always seemed like the *right* answer), I got this same result.
When I made the move from Kubuntu to Debian, I went through this root-password thing at least 5 or 6 times. I always ended up with a system where I could not be granted admin or root privileges ... EXCEPT in a sudo su shell! So that's what I usually do: I create a sudo su shell, then exit and allow permissions to expire, then when I need quick access again, I just hit my UP arrow key, re-enter password, and go back into sudo su to kill something or whatever else needs immediate attention.
Now, it would be nice to crack this nut, once and for all, but I don't want to keep asking my own machine for permission to do things. The question is, which of us is master?
Hm. I'm quite sure I'm master on my systems, but that could be a delusion ...
What I have not understood yet: you can get root access from terminal with "su" or you have to use "sudo bash" ?
On Saturday 29 August 2020 04:04:55 Dr. Nikolaus Klepp wrote:
#1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.
Always set a root password, even if it's 123456789. Not all programs accept root without password.
Yeah, I tried that, but I always end up with this same problem. When I tried setting a root password before (because it always seemed like the *right* answer), I got this same result.
When I made the move from Kubuntu to Debian, I went through this root-password thing at least 5 or 6 times. I always ended up with a system where I could not be granted admin or root privileges ... EXCEPT in a sudo su shell! So that's what I usually do: I create a sudo su shell, then exit and allow permissions to expire, then when I need quick access again, I just hit my UP arrow key, re-enter password, and go back into sudo su to kill something or whatever else needs immediate attention.
Now, it would be nice to crack this nut, once and for all, but I don't want to keep asking my own machine for permission to do things. The question is, which of us is master?
Hm. I'm quite sure I'm master on my systems, but that could be a delusion ...
What I have not understood yet: you can get root access from terminal with "su" or you have to use "sudo bash" ?
Thanks, Nik! I'm glad somebody is willing to explain this to me like I am a child. I probably ought to have got this years and years ago, but since I don't need it so much in a group setting, or office, I could put it off.
Some of this discussion has been superseded by another email, as they crossed paths.
However, in answer to this point: When I open a terminal, type "sudo su", I can enter my password, and then I am root. I can do whatever I want to my system, no matter how ill-conceived and dangerous. However, I cannot use it to launch gui programs, only to run some root commands, such as when I want to run pkill to kill several processes all at once, because they relate to something else that is running away.
When I am done, I type exit, or I can even kill su processes, rather than waiting for permissions to expire.
But when I (was) try(ing) to run a gui program (for example, gufw), I would be asked for my password, then told that it was incorrect. I have set my system not to allow root logins. There is no separate admin apart from the present author, although I cannot just do anything; I still must enter my password to become su.
However, without having installed quite all the trinity-sudo packages, I was denied root permissions, except in the shell, by running "sudo su".
Sorry for the tedious details, but I do want to get to the bottom of this issue, even though it may be self-inflicted.
Bill
Anno domini 2020 Sat, 29 Aug 04:24:07 -0700 William Morder via trinity-users scripsit:
[... snipped a lot of text ...] On Saturday 29 August 2020 04:04:55 Dr. Nikolaus Klepp wrote:
What I have not understood yet: you can get root access from terminal with "su" or you have to use "sudo bash" ?
Thanks, Nik! I'm glad somebody is willing to explain this to me like I am a child. I probably ought to have got this years and years ago, but since I don't need it so much in a group setting, or office, I could put it off.
Some of this discussion has been superseded by another email, as they crossed paths.
However, in answer to this point: When I open a terminal, type "sudo su", I can enter my password, and then I am root. I can do whatever I want to my system, no matter how ill-conceived and dangerous. However, I cannot use it to launch gui programs, only to run some root commands, such as when I want to run pkill to kill several processes all at once, because they relate to something else that is running away.
Ok. To run programs as root on X11 you need to transfer X credentials to root. This can be done by hand (eek!) or just use "sux". That package was kicked on debian in ~ 2014 by applying greater wisdom. Still in the source tree here https://sources.debian.org/src/sux/ - but better get the original from here http://fgouget.free.fr/sux/sux-readme.shtml - I've found it to be a very valuable piece of software.
"sudo su" should do the same as "sudo bash". "su" should work on a clean install, but it will refuse to work if you have no password set for root. So the first thing on ubuntu is to do a "sudo passwd" :) Anyway, "sudo" asks for your password, "su" for the root password.
When I am done, I type exit, or I can even kill su processes, rather than waiting for permissions to expire.
But when I (was) try(ing) to run a gui program (for example, gufw), I would be asked for my password, then told that it was incorrect. I have set my system not to allow root logins. There is no separate admin apart from the present author, although I cannot just do anything; I still must enter my password to become su.
However, without having installed quite all the trinity-sudo packages, I was denied root permissions, except in the shell, by running "sudo su".
Sorry for the tedious details, but I do want to get to the bottom of this issue, even though it may be self-inflicted.
There are no tedious details. If things are unclear they must be addressed - and everybody is free to ignore or give input at any time. Nowadays with that windows nomenclatura mixed in ... well, some days ago there was a thread on "how to call a file or folder or directory thingie" on devuan :)
Nik
Bill
On 29/08/2020 15:12, Dr. Nikolaus Klepp wrote:
Ok. To run programs as root on X11 you need to transfer X credentials to root. This can be done by hand (eek!) or just use "sux".
To do it on command line just look up: man xhost
Gerhard
On Saturday 29 August 2020 06:37:22 Gerhard Zintel wrote:
On 29/08/2020 15:12, Dr. Nikolaus Klepp wrote:
Ok. To run programs as root on X11 you need to transfer X credentials to root. This can be done by hand (eek!) or just use "sux".
To do it on command line just look up: man xhost
Gerhard
Thanks, everybody! I believe that will help me solve the password problem.
Now there only remains for me to find a suitable replacement for Firestarter, or to learn better how to use ufw/gufw. Like I said, to be able to see my connections in real time is a nice feature. Reading logs is just not the same; by the time I catch the bad actors, they have already made their exits.
Bill
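A terminal view of connections as they appear and disappear, as asked for in the message above, can be built by diffing successive snapshots of /proc/net/tcp. This is an added example, not part of any message in the thread; the function names and the two sample snapshots (documentation addresses) are constructed, and it assumes IPv4 on a little-endian host.

```python
import socket
import struct
import time

# State codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed snapshots in /proc/net/tcp layout (not captured from a real host).
SAMPLE_BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15001 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:D6F2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 15002 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_AFTER = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15001 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:9C40 076433C6:1F90 02 00000001:00000000 01:00000064 00000000  1000        0 15003 1 0000000000000000 100 0 0 10 -1
"""


def decode_endpoint(field):
    """Turn '0100007F:0277' into ('127.0.0.1', 631)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a native-endian 32-bit word;
    # "<I" assumes a little-endian host (x86, most ARM).
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Map (local, remote) endpoint pairs to (state, owning uid)."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a slot number such as "0:"; this skips the
        # column header and any blank or truncated line.
        if len(parts) < 8 or not parts[0].rstrip(":").isdigit():
            continue
        key = (decode_endpoint(parts[1]), decode_endpoint(parts[2]))
        conns[key] = (TCP_STATES.get(parts[3], parts[3]), int(parts[7]))
    return conns


def diff_snapshots(old, new):
    """Return NEW, CLOSED and STATE events between two parsed snapshots."""
    events = []
    for key in sorted(new.keys() - old.keys()):
        events.append(("NEW", key, new[key]))
    for key in sorted(old.keys() - new.keys()):
        events.append(("CLOSED", key, old[key]))
    for key in sorted(new.keys() & old.keys()):
        if new[key][0] != old[key][0]:
            events.append(("STATE", key, new[key]))
    return events


def format_event(event):
    kind, ((lip, lport), (rip, rport)), (state, uid) = event
    return f"{kind:<6} {lip}:{lport} -> {rip}:{rport} {state} uid={uid}"


def watch(path="/proc/net/tcp", interval=1.0):
    """Print one line per connection change until interrupted."""
    with open(path) as fh:
        previous = parse_proc_net_tcp(fh.read())
    while True:
        time.sleep(interval)
        with open(path) as fh:
            current = parse_proc_net_tcp(fh.read())
        for event in diff_snapshots(previous, current):
            print(time.strftime("%H:%M:%S"), format_event(event))
        previous = current


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots, then live watching.
    for ev in diff_snapshots(parse_proc_net_tcp(SAMPLE_BEFORE),
                             parse_proc_net_tcp(SAMPLE_AFTER)):
        print(format_event(ev))
    watch()
```

Connections that open and close between two polls are not seen by this approach, so a short interval matters; IPv6 sockets live in /proc/net/tcp6, which uses a different address encoding.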
Anno domini 2020 Sat, 29 Aug 15:37:22 +0200 Gerhard Zintel scripsit:
On 29/08/2020 15:12, Dr. Nikolaus Klepp wrote:
Ok. To run programs as root on X11 you need to transfer X credentials to root. This can be done by hand (eek!) or just use "sux".
To do it on command line just look up: man xhost
yes, but xhost +127.0.0.1 might have undesired side effects.
Gerhard
Dear Dr. Nikolaus Klepp,
Ok. To run programs as root on X11 you need to transfer X credentials to root. This can be done by hand (eek!) or just use "sux".
Probably also the reason sux is dead upstream and sux was pretty much a Debian issue.
To /etc/pam.d/su add:
---8<---
# Forward xauth keys between users if invoker is root or UID 1000 or higher
session optional pam_xauth.so systemuser=999
--->8---
A 6 year old patch, that still works.
Regards, Peter.
On Sat, 29 Aug 2020 01:28:56 -0700 "William Morder via trinity-users" trinity-users@lists.pearsoncomputing.net wrote:
On Saturday 29 August 2020 01:10:15 Dr. Nikolaus Klepp wrote:
Hi Bill!
Anno domini 2020 Fri, 28 Aug 17:06:31 -0700
William Morder via trinity-users scripsit:
Okay, so a new thread, as things have changed and progressed somewhat, but now I have new problems.
I got my system restored *almost* to how I want it, but some things have changed in my system, and I did not make those changes.
#1 - When installing, I deliberately chose *not* to set a root password; since nobody else ever gets to touch my system, it is enough that my user password is granted root privileges when I use sudo or su.
Always set a root password, even if it's 123456789. Not all programs accept root without password.
Yeah, I tried that, but I always end up with this same problem. When I tried setting a root password before (because it always seemed like the *right* answer), I got this same result.
When I made the move from Kubuntu to Debian, I went through this root-password thing at least 5 or 6 times. I always ended up with a system where I could not be granted admin or root privileges ... EXCEPT in a sudo su shell! So that's what I usually do: I create a sudo su shell, then exit and allow permissions to expire, then when I need quick access again, I just hit my UP arrow key, re-enter password, and go back into sudo su to kill something or whatever else needs immediate attention.
Now, it would be nice to crack this nut, once and for all, but I don't want to keep asking my own machine for permission to do things. The question is, which of us is master?
Let me ask a question that may sound rather odd at first: Why do you have sudo installed at all? It doesn't offer much in the way of security improvement in a typical one-person home-LAN setup (in fact, if you don't take the time to configure it properly, you might even get negative security out of it). Is having to type in logins slightly less often really worth the extra opacity? Or is this a Debian thing, as the problem with starting GUI packages from the command line as root seems to be?
(Note that I'm not against sudo in general—there are good use cases for it, but they're in larger environments with a sysadmin who takes the time to curate /etc/sudoers and related files and make sure every account has exactly the access it needs and no more.)
E. Liddell
On Saturday 29 August 2020 12:46:42 pm E. Liddell wrote:
Let me ask a question that may sound rather odd at first: Why do you have sudo installed at all? It doesn't offer much in the way of security improvement in a typical one-person home-LAN setup (in fact, if you don't take the time to configure it properly, you might even get negative security out of it). Is having to type in logins slightly less often really worth the extra opacity? Or is this a Debian thing, as the problem with starting GUI packages from the command line as root seems to be?
(Note that I'm not against sudo in general—there are good use cases for it, but they're in larger environments with a sysadmin who takes the time to curate /etc/sudoers and related files and make sure every account has exactly the access it needs and no more.)
Hi E.,
To the best of my (limited user level) knowledge, it's that. Debian barfs running GUI packages from the root command line. I'm under the impression it is completely intentional. I could run anything I wanted to from the CentOS root command-line (with proper X environment args).
Try either of these to bypass the [imposed] restriction:
tdesu {root-gui}
su-to-root -X -c {root-gui}
Best, Michael
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
Now my password and permissions behave as usual, so my life can continue. Still, just to get up to speed with the rest of the smart folks, I would like to figure out why I have problems with that. It makes no difference for me now, in my day-to-day life. I try to stay offline when I don't need something, and use my machine for other things. However ... it might be good to know, as well as more secure, and it might be that I ought to learn this. I tried to follow what the Linux Bible says, but (just like with the other Bible), it seems to be full of contradictory advice, and I end up being told that I don't have permission, when I know that in fact I do have it, that this is my machine.
As for the firewall, I got gufw up and running, once I solved that sudo problem, by downloading the trinity sudo packages. Now I just need to figure out how to find where Firestarter keeps its iptables files. I have my rules, of course, which I have kept meticulously collected and curated now for 15 years, but ufw or gufw doesn't seem to recognize these, and I don't see how they relate to iptables, even though I have read that firestarter uses iptables. If I can get ufw/gufw to use my firestarter rules, then life would become tolerable again.
I wonder if developers can be persuaded to create firestarter-trinity packages, updated to handle ipv6? Gufw does have some nice features, but it is good to be able to see my connections, in real time -- especially when it seems that it was being hijacked, or derailed, by a tor exit node. It seems a pity that such a great package should be deemed obsolete, and not worth adapting or upgrading, but there may be technical reasons that make it unavoidable.
Bill
On Saturday 29 August 2020 06:11:01 am William Morder via trinity-users wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
michael@local [~]# dpkg -S /opt/trinity/bin/tdesu
tdebase-trinity-bin: /opt/trinity/bin/tdesu
Do you have tdebase-trinity-bin installed?
I know tdesu is one of the more important programs, a TDE dev will have to help beyond that.
Another option:
Disk space is cheap? Install everything with trinity in the package name?
michael@local [~]# axi-cache search trinity
1723 results found.
michael@local [~]# aptitude search '~n trinity'
...
Now I just need to figure out how to find where Firestarter keeps its iptables files.
Make a rule in gufw that you know you had in Firestarter, save it, and use that to grep with to find the Firestarter list???
I have my rules, of course, which I have kept meticulously collected and curated now for 15 years, but ufw or gufw doesn't seem to recognize these, and I don't see how they relate to iptables, even though I have read that firestarter uses iptables. If I can get ufw/gufw to use my firestarter rules, then life would become tolerable again.
Did some digging, it seems if you have a copy of a system where you had Firestarter running you can just grab its iptables. (And probably import, or copy/paste?, that into gufw.)
Otherwise see if you can find an old copy of the 'Mepis Wiki: Firestarter'
References:
<quote>
https://forum.mxlinux.org/viewtopic.php?f=94&t=36087&p=338486#p33848...
Post by lucky9 » Tue Apr 29, 2014 8:33 am
Both Firestarter and gufw/ufw are simply GUI front-ends for IP Tables. My understanding of IP Tables is limited. But it's simply a configuration file telling which ports to allow/disallow
Post by dolphin_oracle » Fri Jan 23, 2015 10:06 am
4.5.1 Firewall
Firestarter. A personal firewall configuration utility that makes it easier for the user to configure the firewall.
Mepis Wiki: Firestarter
Firestarter tutorial
According to the description in synaptic firestarter is no longer maintained and users should switch to gufw.
</quote>
I wonder if developers can be persuaded to create firestarter-trinity packages, updated to handle ipv6? Gufw does have some nice features, but it is good to be able to see my connections, in real time
You can do that in gufw:
active connections > Report tab
rules > Rules tab
change logging level > Edit, Preferences
I wonder if developers can be persuaded to create firestarter-trinity
kmyfirewall-trinity - iptables based firewall configuration tool for TDE [Trinity]
Saw that in the output from aptitude search above, probably easier ways to find trinity firewall packages though...
Best, Michael
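Added example, not part of the original message and not code from Firestarter, ufw or gufw: the reply above suggests grabbing the old system's iptables rules and carrying them into gufw, and this sketch turns simple rules from an `iptables-save` dump into `ufw` commands for review. The function names, the sample dump and the choice of `INPUT` as the default chain are assumptions made for the illustration; anything it does not model is reported as skipped.

```shell
#!/bin/sh
# Added example: print ufw commands equivalent to simple rules found in an
# iptables-save dump. Nothing is applied; the output is meant to be read first.

# Constructed sample dump (not taken from any real system).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# iptables_to_ufw [CHAIN]   reads the dump on stdin, CHAIN defaults to INPUT
iptables_to_ufw() {
    awk -v chain="${1:-INPUT}" '
    $1 != "-A" || $2 != chain { next }       # only rules appended to CHAIN
    {
        proto = ""; src = "any"; port = ""; target = ""; odd = 0
        for (i = 3; i <= NF; i++) {
            if      ($i == "-p")      proto  = $(++i)
            else if ($i == "-s")      src    = $(++i)
            else if ($i == "--dport") port   = $(++i)
            else if ($i == "-j")      target = $(++i)
            else if ($i == "-m")      { if ($(++i) != proto) odd = 1 }
            else                      odd = 1   # a match this sketch does not model
        }

        action = ""
        if      (target == "ACCEPT") action = "allow"
        else if (target == "DROP")   action = "deny"
        else if (target == "REJECT") action = "reject"

        # Interfaces, connection state, negations, other protocols: do not guess.
        if (odd || action == "" || (proto != "" && proto != "tcp" && proto != "udp")) {
            print "# skipped, review by hand: " $0
            next
        }

        cmd = "ufw " action
        if (proto != "") cmd = cmd " proto " proto
        cmd = cmd " from " src " to any"
        if (port != "") cmd = cmd " port " port
        print cmd
    }'
}

# Stand-alone run on the constructed sample.
sample_rules | iptables_to_ufw
```

On a real machine the input would be the saved rule dump from the old system, and the skipped lines (loopback, connection state) are normally already covered by ufw's own defaults, so they need a decision rather than a translation.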
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
I wonder if developers can be persuaded to create firestarter-trinity packages, updated to handle ipv6? Gufw does have some nice features, but it is good to be able to see my connections, in real time -- especially when it seems that it was being hijacked, or derailed, by a tor exit node. It seems a pity that such a great package should be deemed obsolete, and not worth adapting or upgrading, but there may be technical reasons that make it unavoidable.
Firestarter is a GTK+ application - it somewhat diminishes the motivation for inclusion in the TDE tree. Did you try KMyFirewall? I've never used it, but it's an application that's already incorporated into TDE.
Bill
Cheers
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users
Sorry to take so long to respond. I was AFK and lost in the physical world, and dealing with the problems of living in meatspace.
wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've also heard Nik mention that su is better for the single home user, which is myself. Until now, sudo + tdesudo has always done the trick for me, but if it is less secure, and my system will work, then at least I ought to make myself aware of the distinctions. I've tried out su, but so far I don't see any benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if anybody can explain why su or why *not* sudo, I would be grateful, as the technical descriptions I can find online, or in my Linux guides, do not guide me toward any decisive points, and I see no reason to change what works. However, I will suppose that E knows something that I don't on this point, so I am considering how to implement such a change in my working habits.
I wonder if developers can be persuaded to create firestarter-trinity packages, updated to handle ipv6? Gufw does have some nice features, but it is good to be able to see my connections, in real time -- especially when it seems that it was being hijacked, or derailed, by a tor exit node. It seems a pity that such a great package should be deemed obsolete, and not worth adapting or upgrading, but there may be technical reasons that make it unavoidable.
Firestarter is a GTK+ application - it somewhat diminishes the motivation for inclusion in the TDE tree. Did you try KMyFirewall? I've never used it, but it's an application that's already incorporated into TDE.
Bill
Cheers
Yes, I gathered that Firestarter is probably not worth the effort. Anyway, after reading Michael's praise of gufw, I decided I ought to explore that option more deeply, but the last couple days have been busy. I did try KMyFirewall, and while it looks like it has loads of features, I've never been able to get it to do anything more than start up; beyond that, so far as I can tell, it does NOTHING. For now I will look into ufw/gufw, as I can see a way forward there.
Thanks to all the other comments and suggestions. (I'll respond to more of them individually, as I have time again.)
I've mentioned before that I wanted to make some hardware upgrades, and needed to get a few items that would not only help me in my work, but indeed will bestow upon me superpowers. :-} So I have been making the nest ready for the new arrivals; yesterday was a big day, and I am still exhausted.
For these upgrades, I needed to search out the software packages, which are posted; for Brother printers, in particular, the deb packages were always really old (Hardy 8.04 = Debian pre-Wheezy, I believe). Now, however, I noticed that packages were being kept current for certain models, so it looked more promising: I could keep a printer working for a few years into the future, without force-installing old packages.
My machine already violates the laws of nature, as well as plain common sense; a little of that sort of thing is already too much. Then, when I tried to upgrade my Jessie system, I found that the Devuan netinstall disc for Jessie no longer could download packages; which, I surmised, had been moved to the archives, meaning that the download URLs in the netinstall disc would not work. (That's one advantage to using a full installation disc.) So I was forced into upgrading, like it or not, since I only had the netinstall discs for Devuan.
When I had tried to upgrade from Devuan Jessie to ASCII/Stretch, I ended up with networking problems, but when I tried a new installation of Beowulf/Buster, it went well, and moreover it proves much faster to get from nothing to a working system (with a working TDE desktop).
It used to take me about 5 hours to install the Jessie system, sometimes longer, sometimes a few days, if I didn't follow all the steps exactly right; but with Beowulf/Buster, the initial installation is less than an hour, and getting TDE installed is only a little longer -- so maybe less than two hours to reinstall completely -- and now that I have packages already downloaded, it will be faster yet.
Michael did raise one interesting possibility, and maybe I ought to direct it to the developers: Is it possible to download *all* the packages in the TDE repositories (that is, that will run on my system), rather than having to pick through and guess? I have lists of packages from Jessie and earlier, but then I have to weed out the obsolete packages. What I want is to create my own local repository, to use when I have connection problems or Internet is down.
In Debian, for example, I can download not only the installation discs, but also all the current packages (which usually takes about 3 or 4 discs, I believe). I thought that I had already downloaded tdesudo, for instance, but it got lost in the shuffle; also some of the repositories in my sources.list had been marked as sid instead of jessie (which worked better for me at the time), but with an upgrade to Beowulf/Buster, it is preferable to stick with stable, beowulf or buster (which are equivalent, at present), depending on which repository I'm using.
Anyway ... so now Beowulf/Buster with TDE is installed, and my system is stable, and I feel confident in deleting all my old packages that are eating up space on that hard drive. I miss some of the old favorites that have fallen out, but I've also discovered newer packages that fill the void, and usually improve upon what I had, so now I have found a way forward again.
Thanks to the devs for all their hard work, as well as to everybody who helped out with suggestions and comments. This was rather a rush job for me, as I do not yet have a test machine that I can use for experiments, and I needed to get my desktop up and running quickly, within a few days, as I was pressed to make some decisions in the real world, here at home, and I had deadlines and commitments and so on. Now this part is done, and I can relax a little.
Bill
On 2020-08-30 17:46:58 William Morder via trinity-users wrote:
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users
Sorry to take so long to respond. I was AFK and lost in the physical world, and dealing with the problems of living in meatspace.
wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've also heard Nik mention that su is better for the single home user, which is myself. Until now, sudo + tdesudo has always done the trick for me, but if it is less secure, and my system will work, then at least I ought to make myself aware of the distinctions. I've tried out su, but so far I don't see any benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if anybody can explain why su or why *not* sudo, I would be grateful, as the technical descriptions I can find online, or in my Linux guides, do not guide me toward any decisive points, and I see no reason to change what works. However, I will suppose that E knows something that I don't on this point, so I am considering how to implement such a change in my working habits.
I wonder if developers can be persuaded to create firestarter-trinity packages, updated to handle ipv6? Gufw does have some nice features, but it is good to be able to see my connections, in real time -- especially when it seems that it was being hijacked, or derailed, by a tor exit node. It seems a pity that such a great package should be deemed obsolete, and not worth adapting or upgrading, but there may be technical reasons that make it unavoidable.
Firestarter is a GTK+ application - it somewhat diminishes the motivation for inclusion in the TDE tree. Did you try KMyFirewall? I've never used it, but it's an application that's already incorporated into TDE.
Bill
Cheers
Yes, I gathered that Firestarter is probably not worth the effort. Anyway, after reading Michael's praise of gufw, I decided I ought to explore that option more deeply, but the last couple days have been busy. I did try KMyFirewall, and while it looks like it has loads of features, I've never been able to get it to do anything more than start up; beyond that, so far as I can tell, it does NOTHING. For now I will look into ufw/gufw, as I can see a way forward there.
Thanks to all the other comments and suggestions. (I'll respond to more of them individually, as I have time again.)
I've mentioned before that I wanted to make some hardware upgrades, and needed to get a few items that would not only help me in my work, but indeed will bestow upon me superpowers. :-} So I have been making the nest ready for the new arrivals; yesterday was a big day, and I am still exhausted.
For these upgrades, I needed to search out the software packages, which are posted; for Brother printers, in particular, the deb packages were always really old (Hardy 8.04 = Debian pre-Wheezy, I believe). Now, however, I noticed that packages were being kept current for certain models, so it looked more promising: I could keep a printer working for a few years into the future, without force-installing old packages.
My machine already violates the laws of nature, as well as plain common sense; a little of that sort of thing is already too much. Then, when I tried to upgrade my Jessie system, I found that the Devuan netinstall disc for Jessie no longer could download packages; which, I surmised, had been moved to the archives, meaning that the download URLs in the netinstall disc would not work. (That's one advantage to using a full installation disc.) So I was forced into upgrading, like it or not, since I only had the netinstall discs for Devuan.
When I had tried to upgrade from Devuan Jessie to ASCII/Stretch, I ended up with networking problems, but when I tried a new installation of Beowulf/Buster, it went well, and moreover it proves much faster to get from nothing to a working system (with a working TDE desktop).
It used to take me about 5 hours to install the Jessie system, sometimes longer, sometimes a few days, if I didn't follow all the steps exactly right; but with Beowulf/Buster, the initial installation is less than an hour, and getting TDE installed is only a little longer -- so maybe less than two hours to reinstall completely -- and now that I have packages already downloaded, it will be faster yet.
Michael did raise one interesting possibility, and maybe I ought to direct it to the developers: Is it possible to download *all* the packages in the TDE repositories (that is, that will run on my system), rather than having to pick through and guess? I have lists of packages from Jessie and earlier, but then I have to weed out the obsolete packages. What I want is to create my own local repository, to use when I have connection problems or Internet is down.
In Debian, for example, I can download not only the installation discs, but also all the current packages (which usually takes about 3 or 4 discs, I believe). I thought that I had already downloaded tdesudo, for instance, but it got lost in the shuffle; also some of the repositories in my sources.list had been marked as sid instead of jessie (which worked better for me at the time), but with an upgrade to Beowulf/Buster, it is preferable to stick with stable, beowulf or buster (which are equivalent, at present), depending on which repository I'm using.
Anyway ... so now Beowulf/Buster with TDE is installed, and my system is stable, and I feel confident in deleting all my old packages that are eating up space on that hard drive. I miss some of the old favorites that have fallen out, but I've also discovered newer packages that fill the void, and usually improve upon what I had, so now I have found a way forward again.
Thanks to the devs for all their hard work, as well as to everybody who helped out with suggestions and comments. This was rather a rush job for me, as I do not yet have a test machine that I can use for experiments, and I needed to get my desktop up and running quickly, within a few days, as I was pressed to make some decisions in the real world, here at home, and I had deadlines and commitments and so on. Now this part is done, and I can relax a little.
Bill
Probably because I use a distro that was inherited from the server world (OpenSuSE), I have almost never used sudo, and seldom used su either; I just select New Root Shell from the Konsole window, enter the root password, and continue on. For file management, there's Privileged File Manager (Konqueror using the root account) as well. In what is effectively a single-user environment, I see little danger beyond shooting oneself in the foot by forgetting which konsole I'm on, but I fix that by changing the color of my command prompt to magenta. (I use the Linux Colors schema, which is easy on the eyes.) My personal prompt is green. (See attached)
Leslie
On Sun, 30 Aug 2020 15:46:58 -0700 "William Morder via trinity-users" trinity-users@lists.pearsoncomputing.net wrote:
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users
Sorry to take so long to respond. I was AFK and lost in the physical world, and dealing with the problems of living in meatspace.
wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've also heard Nik mention that su is better for the single home user, which is myself. Until now, sudo + tdesudo has always done the trick for me, but if it is less secure, and my system will work, then at least I ought to make myself aware of the distinctions. I've tried out su, but so far I don't see any benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if anybody can explain why su or why *not* sudo, I would be grateful, as the technical descriptions I can find online, or in my Linux guides, do not guide me toward any decisive points, and I see no reason to change what works. However, I will suppose that E knows something that I don't on this point, so I am considering how to implement such a change in my working habits.
It isn't really all that complex. There are two reasons (well, three, really, but the third is distro-specific) why none of my systems have sudo installed:
First of all, su is the older default piece of software that is installed on every Linux system. sudo is an add-on. Every extra piece of software you have installed increases the complexity of your system and the number of bugs you have sloshing around. All other things being equal, not installing software you don't need reduces your system's attack surface. (You'll run into a lot of Gentoo users who think this is important.) Having fewer layers in the way can also make problems easier to troubleshoot.
Secondly, most mainstream distros configure sudo to use user passwords, and *don't* place any other restrictions on what user accounts can do through sudo. This means that an attacker only has to break one password—the one on your user account—to obtain full root access. On an su-only system, the attacker has to break *two* passwords—your user's, and root's. It isn't a *lot* of added security, but every little bit helps.
It's the usual security vs. inconvenience tradeoff, and in this case, I admit the stakes are pretty small. My distro puts its thumb on the scales by requiring me to install sudo explicitly rather than having it present by default—less work to leave it off if there's no compelling argument for having it.
I admit that I usually leave a Konsole window that's su'ed to root lying around permanently, rather than su'ing every time I need to enter a command, but no one else with physical access to my computers has any idea of how to use a Linux system, so I'm not very worried. Your situation may be different there.
E. Liddell
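Added example, not part of the original message and not code from the sudo project: a small check for the two properties the reply above describes, namely accounts that may run any command through sudo and a configuration that asks only for the user's own password. The function names, the finding labels and both sample files are constructed for the illustration; `rootpw` and `targetpw` are real sudoers options that make sudo ask for root's or the target user's password instead.

```shell
#!/bin/sh
# Added example: report sudoers entries that match the concerns in the thread.
# Finding labels (UNRESTRICTED, NOPASSWD, USER-PASSWORD-ONLY) are made up here.
# Limits of the sketch: no line continuations, no aliases, no included files.

# Constructed sample resembling a common distro default.
default_sample() {
cat <<'EOF'
# sample only
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bill    ALL=(root) NOPASSWD: /usr/sbin/ufw status
EOF
}

# Constructed sample: root's password is required and one command is allowed.
restricted_sample() {
cat <<'EOF'
Defaults env_reset, rootpw
root    ALL=(ALL:ALL) ALL
bill    ALL=(root) /usr/sbin/ufw status
EOF
}

# audit_sudoers   reads sudoers text on stdin, prints one finding per line
audit_sudoers() {
    awk '
    /^[ \t]*#/ { next }                              # comments and #include lines
    /^[ \t]*$/ { next }                              # blank lines
    $1 ~ /_Alias$/ { next }                          # alias definitions
    $1 ~ /^Defaults/ {
        n = split($0, opt, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (opt[i] == "rootpw" || opt[i] == "targetpw") otherpw = 1
        next
    }
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)               # drop "who host="
        sub(/^\([^)]*\)[ \t]*/, "", spec)            # drop "(runas)"
        if (spec ~ /NOPASSWD:/) print "NOPASSWD " who
        gsub(/[A-Z_]+:[ \t]*/, "", spec)             # drop tags such as PASSWD:
        sub(/[ \t]+$/, "", spec)
        if (who != "root" && spec == "ALL") print "UNRESTRICTED " who
    }
    END { if (!otherpw) print "USER-PASSWORD-ONLY" }
    '
}

# Stand-alone run on the constructed default-style sample.
default_sample | audit_sudoers
```

With `rootpw` set, sudo asks for root's password, which restores the second secret the reply describes for su-only systems while keeping per-command rules available.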
On Monday 31 August 2020 08:44:06 am E. Liddell wrote:
I admit that I usually leave a Konsole window that's su'ed to root lying around permanently
For what it's worth, I also always have a root Konsole shell (tab) open at all times. 'New Root Shell' gives you (me) black text on white background instead of the user shell of white text on black background, so it's somewhat hard to type into the wrong shell...
On Monday 31 August 2020 09:48:09 Michael wrote:
On Monday 31 August 2020 08:44:06 am E. Liddell wrote:
I admit that I usually leave a Konsole window that's su'ed to root lying around permanently
For what it's worth, I also always have a root Konsole shell (tab) open at all times. 'New Root Shell' gives you (me) black text on white background instead of the user shell of white text on black background, so it's somewhat hard to type into the wrong shell...
I believe many of us (if not most) are guilty of this kind of cheat. Like everybody else, we want convenience, and it takes time to type in those commands, which aren't in ordinary language so they don't come naturally. And if the user is a 2-finger typist, then it takes even longer. (Fortunately, this is not the malady that afflicts me, but I have friends who are of this ilk.)
So as I said earlier, my more secure workaround is to keep a list of oft-used commands (I won't say where), ready to hand. When I boot up, I have a window with a number of terminals that load with other programs. Then I make the first several tabs of terminal root: sudo su or su, as you prefer, and enter my user password (to become root). Once these are all root@hostname, I enter exit (so that I still have root privileges for 15 minutes), then I enter whatever sudo commands I need at startup. Then, if you are among the uber-paranoid, sudo pkill su | sudo pkill sudo, and you are back to your normal environment.
Now when you want to run a sudo command, instead of leaving that root shell open, just hit your UP arrow key, there it is, sudo su, enter your password and you're in. Whatever you want to kill right away, or whatever it was that gets your attention (which is the REASON that you would leave a root shell open, right?) you can sudo pkill with one of those ready commands from the list, then exit and sudo pkill su | pkill sudo.
There may be a better way, but this is how I try to keep my system secure, and still have the convenience. I just make it a habit, and it becomes part of my startup routine; I do it in the time that it takes my coffee to brew.
Bill
On Monday 31 August 2020 06:44:06 E. Liddell wrote:
On Sun, 30 Aug 2020 15:46:58 -0700
"William Morder via trinity-users"
trinity-users@lists.pearsoncomputing.net wrote:
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users
Sorry to take so long to respond. I was AFK and lost in the physical world, and dealing with the problems of living in meatspace.
wrote:
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've also heard Nik mention that su is better for the single home user, which is myself. Until now, sudo + tdesudo has always done the trick for me, but if it is less secure, and my system will work, then at least I ought to make myself aware of the distinctions. I've tried out su, but so far I don't see any benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if anybody can explain why su or why *not* sudo, I would be grateful, as the technical descriptions I can find online, or in my Linux guides, do not guide me toward any decisive points, and I see no reason to change what works. However, I will suppose that E knows something that I don't on this point, so I am considering how to implement such a change in my working habits.
It isn't really all that complex. There are two reasons (well, three, really, but the third is distro-specific) why none of my systems have sudo installed:
First of all, su is the older default piece of software that is installed on every Linux system. sudo is an add-on. Every extra piece of software you have installed increases the complexity of your system and the number of bugs you have sloshing around.
I quite agree with your philosophy here. This is why I went back to an init system in Devuan, rather than trying to make Debian work. And also, Debian has been involved in a series of scandals and misadventures, so to speak, which have caused me to lose some confidence. In my view, Devuan is now more Debian than Debian itself.
All other things being equal, not installing software you don't need reduces your system's attack surface. (You'll run into a lot of Gentoo users who think this is important.) Having fewer layers in the way can also make problems easier to troubleshoot.
Secondly, most mainstream distros configure sudo to use user passwords, and *don't* place any other restrictions on what user accounts can do through sudo. This means that an attacker only has to break one password—the one on your user account—to obtain full root access. On an su-only system, the attacker has to break *two* passwords—your user's, and root's. It isn't a *lot* of added security, but every little bit helps.
I need to make yet one more reinstallation of my system (because I am upgrading some internal hard drives, and moving the older ones into backup status). When I do this, I will attempt to set a root password, and see how this works out.
Whenever I do this, though, I end up being told that I don't have permission, that my root password is "wrong" even though I know it's right, and so on. In my experience, setting a root password only means getting locked out of my own system.
It could be that I'm doing it wrong. :-/
It's the usual security vs. inconvenience tradeoff, and in this case, I admit the stakes are pretty small. My distro puts its thumb on the scales by requiring me to install sudo explicitly rather than having it present by default—less work to leave it off if there's no compelling argument for having it.
I admit that I usually leave a Konsole window that's su'ed to root lying around permanently, rather than su'ing every time I need to enter a command, but no one else with physical access to my computers has any idea of how to use a Linux system, so I'm not very worried. Your situation may be different there.
In my situation, I only *wish* that there were somebody here who has the slightest clue about Linux; or somebody who actually read books. I consider myself fortunate that there is at least another musician for conversation, otherwise I should die of neglect.
It is not other people who are here that concern me, but rather just the creeping atmosphere of surveillance and paranoia everywhere in general.
Some years ago (when I was living in a place where it was illegal to seek invention in a "noted weed"), an old friend of mine used to say, more or less on a daily basis, that it was always good to be "ready for Freddy" ... although I never did encounter this character.
Still, you know the Man is coming to get you, sooner or later. Call it Big Brother, bad actors, corporate surveillance, or whatever you like. You are guilty of thought crimes. Confess! And you know that it's true, too. Therefore, it's good to keep a secure system.
Bill
E. Liddell
On 2020-08-31 15:12:31 William Morder via trinity-users wrote:
On Monday 31 August 2020 06:44:06 E. Liddell wrote:
On Sun, 30 Aug 2020 15:46:58 -0700
"William Morder via trinity-users"
trinity-users@lists.pearsoncomputing.net wrote:
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
On Saturday 29 of August 2020 13:11:01 William Morder via trinity-users wrote:
Sorry to take so long to respond. I was AFK and lost in the physical world, and dealing with the problems of living in meatspace.
Okay, so I solved part of the sudoers list / root password problem. Turns out that I had not downloaded quite all the sudo packages, particularly some of the tde-trinity packages, or kde-trinity transition packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity package is appropriate to ensure that all tdesu calls are actually tdesudo => instead of su and root passwords will use sudo and the user's password.
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've also heard Nik mention that su is better for the single home user, which is myself. Until now, sudo + tdesudo has always done the trick for me, but if it is less secure, and my system will work, then at least I ought to make myself aware of the distinctions. I've tried out su, but so far I don't see any benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if anybody can explain why su or why *not* sudo, I would be grateful, as the technical descriptions I can find online, or in my Linux guides, do not guide me toward any decisive points, and I see no reason to change what works. However, I will suppose that E knows something that I don't on this point, so I am considering how to implement such a change in my working habits.
It isn't really all that complex. There are two reasons (well, three, really, but the third is distro-specific) why none of my systems have sudo installed:
First of all, su is the older default piece of software that is installed on every Linux system. sudo is an add-on. Every extra piece of software you have installed increases the complexity of your system and the number of bugs you have sloshing around.
I quite agree with your philosophy here. This is why I went back to an init system in Devuan, rather than trying to make Debian work. And also, Debian has been involved in a series of scandals and misadventures, so to speak, which have caused me to lose some confidence. In my view, Devuan is now more Debian than Debian itself.
All other things being equal, not installing software you don't need reduces your system's attack surface. (You'll run into a lot of Gentoo users who think this is important.) Having fewer layers in the way can also make problems easier to troubleshoot.
Secondly, most mainstream distros configure sudo to use user passwords, and *don't* place any other restrictions on what user accounts can do through sudo. This means that an attacker only has to break one password—the one on your user account—to obtain full root access. On an su-only system, the attacker has to break *two* passwords—your user's, and root's. It isn't a *lot* of added security, but every little bit helps.
I need to make yet one more reinstallation of my system (because I am upgrading some internal hard drives, and moving the older ones into backup status). When I do this, I will attempt to set a root password, and see how this works out.
Whenever I do this, though, I end up being told that I don't have permission, that my root password is "wrong" even though I know it's right, and so on. In my experience, setting a root password only means getting locked out of my own system.
It could be that I'm doing it wrong. :-/
It's the usual security vs. inconvenience tradeoff, and in this case, I admit the stakes are pretty small. My distro puts its thumb on the scales by requiring me to install sudo explicitly rather than having it present by default—less work to leave it off if there's no compelling argument for having it.
I admit that I usually leave a Konsole window that's su'ed to root lying around permanently, rather than su'ing every time I need to enter a command, but no one else with physical access to my computers has any idea of how to use a Linux system, so I'm not very worried. Your situation may be different there.
In my situation, I only *wish* that there were somebody here who has the slightest clue about Linux; or somebody who actually read books. I consider myself fortunate that there is at least another musician for conversation, otherwise I should die of neglect.
It is not other people who are here that concern me, but rather just the creeping atmosphere of surveillance and paranoia everywhere in general.
Some years ago (when I was living in a place where it was illegal to seek invention in a "noted weed"), an old friend of mine used to say, more or less on a daily basis, that it was always good to be "ready for Freddy" ... although I never did encounter this character.
Still, you know the Man is coming to get you, sooner or later. Call it Big Brother, bad actors, corporate surveillance, or whatever you like. You are guilty of thought crimes. Confess! And you know that it's true, too. Therefore, it's good to keep a secure system.
Bill
Well, my viewpoint is that on a single-user home system, su and sudo are there really only to keep one from shooting oneself in the foot. Keeping a root Konsole session open isn't much of a danger as long as one makes it obvious when it's active. On my OpenSuSE system, local GUI login to root is enabled, but I've set the desktop background colour there to Magenta, so it's really hard to forget where I'm working. When it comes to actual security (access to one's data), there's not much one can do beyond keeping it in encrypted partitions and encrypting /tmp, /var and swap, using strong passwords and shutting down when not in use. I suspect that few of us take ALL of those precautions All of the time. :-)
Leslie
---------------------------------------------------------------------
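E. Liddell's point in the exchange above is that a stock sudo setup puts full root behind the user's own password. As an added example (not written by anyone in the thread), this Python sketch reads sudoers text and reports which entries may run every command and which password guards them; the sample file and its user names are constructed, while `rootpw` and `targetpw` are real sudoers `Defaults` options.

```python
import re

# Constructed sample in the style of a Debian-family /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults  env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
bill      ALL=(root) /usr/bin/apt-get update, \\
                     /usr/bin/apt-get upgrade
backup    ALL=(root) NOPASSWD: ALL
"""

RULE = re.compile(r"^(\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"\b[A-Z_]+:\s*")  # NOPASSWD:, PASSWD:, SETENV:, ...


def logical_lines(text):
    """Join backslash continuations; drop blanks and comments.
    (#include directives count as comments here and are not followed.)"""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit_sudoers(text):
    lines = list(logical_lines(text))
    # Pass 1: which password does sudo ask for? Default is the caller's own.
    password = "user"
    for line in lines:
        if line.split()[0] == "Defaults":
            opts = [o.strip() for o in line[len("Defaults"):].split(",")]
            for name in ("rootpw", "targetpw"):
                if name in opts:
                    password = name[:-2]
    # Pass 2: which non-root entries may run every command?
    findings = []
    for line in lines:
        m = RULE.match(line)
        first = line.split()[0]
        if (not m or first.startswith("Defaults")
                or first.endswith("_Alias") or first == "root"):
            continue
        who, cmds = m.groups()
        commands = [c.strip() for c in TAG.sub("", cmds).split(",")]
        if "ALL" in commands:
            gate = "no password" if "NOPASSWD:" in cmds else f"{password} password"
            findings.append((who, gate))
    return {"password": password, "findings": findings}
```

On the sample, `%sudo` comes back as full root behind the user password, which is the one-password case described above; adding `Defaults rootpw` changes that gate to the root password.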
What I want is not just a GUI, but instead, one that displays *active connections* as they appear and disappear, and allows changing rules on the fly. Is there such a thing?
Have a look at conky. It has a.o. these output-possibilities:
Inbound: ${tcp_portmon 1 32767 count} Outbound: ${tcp_portmon 32768 61000 count} ${alignr} ALL: ${tcp_portmon 1 65535 count}
Inbound Connection ${alignr} Local Service/Port
${tcp_portmon 1 32767 rhost 0} ${alignr} ${tcp_portmon 1 32767 lservice 0}
Outbound Connection ${alignr} Remote Service/Port
${tcp_portmon 32768 61000 rhost 0} ${alignr} ${tcp_portmon 32768 61000 rservice 0}
A thorough study of the documentation is necessary!
Peter.
---------------------------------------------------------------------
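The conky lines Peter posted treat local ports 1 to 32767 as inbound and 32768 to 61000 as outbound. As an added example (not from the thread, and not conky's own code), this Python sketch applies the same split to data in /proc/net/tcp format and reports connections that appear or disappear between two reads; the sample table is constructed, and counting only ESTABLISHED IPv4 sockets is this example's choice.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (IPv4, little-endian host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A00A8C0:0016 1400A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00A8C0:A3F2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1
   3: 0A00A8C0:B0C4 0A0200C0:0050 06 00000000:00000000 00:00000000 00000000     0        0 0 1
"""

INBOUND = (1, 32767)       # port ranges taken from the conky lines in the post
OUTBOUND = (32768, 61000)
ESTABLISHED = "01"         # kernel TCP state code; 0A is LISTEN, 06 TIME_WAIT


def decode(endpoint):
    """'0A00A8C0:0016' -> ('192.168.0.10', 22)."""
    addr, port = endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)


def portmon(text, lo, hi):
    """Established connections whose local port lies in [lo, hi]."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 4 or f[3] != ESTABLISHED:
            continue
        (lip, lport), (rip, rport) = decode(f[1]), decode(f[2])
        if lo <= lport <= hi:
            rows.append((lip, lport, rip, rport))
    return rows


def snapshot(text):
    return {"inbound": portmon(text, *INBOUND),
            "outbound": portmon(text, *OUTBOUND)}


def changes(before, after):
    """(appeared, disappeared) connections between two reads of the table."""
    old, new = set(portmon(before, 1, 65535)), set(portmon(after, 1, 65535))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:            # live table on a Linux host
        print(snapshot(fh.read()))
```

The port split is a heuristic: the range the kernel actually uses for outgoing connections is listed in /proc/sys/net/ipv4/ip_local_port_range.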
On Saturday 29 August 2020 04:19:02 phiebie@drei.at wrote:
What I want is not just a GUI, but instead, one that displays *active connections* as they appear and disappear, and allows changing rules on the fly. Is there such a thing?
Have a look at conky. It has a.o. these output-possibilities:
Inbound: ${tcp_portmon 1 32767 count} Outbound: ${tcp_portmon 32768 61000 count} ${alignr} ALL: ${tcp_portmon 1 65535 count}
Inbound Connection ${alignr} Local Service/Port
${tcp_portmon 1 32767 rhost 0} ${alignr} ${tcp_portmon 1 32767 lservice 0}
Outbound Connection ${alignr} Remote Service/Port
${tcp_portmon 32768 61000 rhost 0} ${alignr} ${tcp_portmon 32768 61000 rservice 0}
A thorough study of the documentation is necessary!
Peter.
Thanks, I don't mind reading, if it leads me to the right places. I just need to be pointed in the general direction.
So far gufw still looks like the best option, but not quite what I want. I'll give conky a go, as well, downloading whatever I can find in the repositories, taking them for a test drive.
Bill
---------------------------------------------------------------------