Setuid Binary Options

Proxmox containers not running after apt upgrade

I recently performed an apt upgrade and my lxc containers stopped working. When starting a container, no error message appears and the web UI responds with "Task OK" but the container doesn't actually start
I tried pct start 100 also, and no error message was displayed, but trying to pct enter 100 returns Error: container '100' not running!
Not entirely sure which package caused it, bu this this is the apt/history.log
# tail /valog/apt/history.log Start-Date: 2020-07-11 10:24:37 Commandline: apt upgrade Install: pve-headers-5.4.44-2-pve:amd64 (5.4.44-2, automatic), proxmox-backup-client:amd64 (0.8.6-1, automatic), pve-kernel-5.4.44-2-pve:amd64 (5.4.44-2, automatic) Upgrade: proxmox-widget-toolkit:amd64 (2.2-8, 2.2-9), pve-kernel-5.4:amd64 (6.2-3, 6.2-4), corosync:amd64 (3.0.3-pve1, 3.0.4-pve1), libavformat58:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), libcmap4:amd64 (3.0.3-pve1, 3.0.4-pve1), libavfilter7:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), libpve-access-control:amd64 (6.1-1, 6.1-2), libpve-storage-perl:amd64 (6.1-8, 6.2-3), libswresample3:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), libquorum5:amd64 (3.0.3-pve1, 3.0.4-pve1), pve-qemu-kvm:amd64 (5.0.0-4, 5.0.0-9), libmagickwand-6.q16-6:amd64 (8:6.9.10.23+dfsg-2.1, 8:6.9.10.23+dfsg-2.1+deb10u1), pve-container:amd64 (3.1-8, 3.1-10), libpostproc55:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), pve-manager:amd64 (6.2-6, 6.2-9), libvotequorum8:amd64 (3.0.3-pve1, 3.0.4-pve1), libpve-guest-common-perl:amd64 (3.0-10, 3.0-11), libavcodec58:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), libpve-common-perl:amd64 (6.1-3, 6.1-5), libavutil56:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), qemu-server:amd64 (6.2-3, 6.2-8), libcfg7:amd64 (3.0.3-pve1, 3.0.4-pve1), libproxmox-backup-qemu0:amd64 (0.1.6-1, 0.6.1-1), libswscale5:amd64 (7:4.1.4-1~deb10u1, 7:4.1.6-1~deb10u1), libknet1:amd64 (1.15-pve1, 1.16-pve1), libmagickcore-6.q16-6:amd64 (8:6.9.10.23+dfsg-2.1, 8:6.9.10.23+dfsg-2.1+deb10u1), pve-headers-5.4:amd64 (6.2-3, 6.2-4), pve-kernel-helper:amd64 (6.2-3, 6.2-4), libpve-http-server-perl:amd64 (3.0-5, 3.0-6), libcpg4:amd64 (3.0.3-pve1, 3.0.4-pve1), libcorosync-common4:amd64 (3.0.3-pve1, 3.0.4-pve1), imagemagick-6-common:amd64 (8:6.9.10.23+dfsg-2.1, 8:6.9.10.23+dfsg-2.1+deb10u1) End-Date: 2020-07-11 10:26:03 
I tried lxc-start with logs instead, and got these messages:
# lxc-start -n 100 -F -l DEBUG -o /tmp/lxc-100.log lxc-start: 100: lsm/apparmor.c: run_apparmor_parser: 892 Failed to run apparmor_parser on "/valib/lxc/100/apparmolxc-100_<-var-lib-lxc>": apparmor_parser: Unable to replace "lxc-100_". Profile doesn't conform to protocol lxc-start: 100: lsm/apparmor.c: apparmor_prepare: 1064 Failed to load generated AppArmor profile lxc-start: 100: start.c: lxc_init: 845 Failed to initialize LSM lxc-start: 100: start.c: __lxc_start: 1903 Failed to initialize container "100" lxc-start: 100: tools/lxc_start.c: main: 308 The container failed to start lxc-start: 100: tools/lxc_start.c: main: 314 Additional information can be obtained by setting the --logfile and --logpriority options # tail /tmp/lxc-100.log lxc-start 100 20200712012140.203 ERROR start - start.c:lxc_init:845 - Failed to initialize LSM lxc-start 100 20200712012140.203 ERROR start - start.c:__lxc_start:1903 - Failed to initialize container "100" lxc-start 100 20200712012140.203 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start 100 20200712012140.203 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start 100 20200712012140.203 DEBUG conf - conf.c:lxc_map_ids:2710 - Functional newuidmap and newgidmap binary found lxc-start 100 20200712012140.208 NOTICE utils - utils.c:lxc_setgroups:1366 - Dropped additional groups lxc-start 100 20200712012140.208 INFO conf - conf.c:run_script_argv:340 - Executing script "/usshare/lxc/hooks/lxc-pve-poststop-hook" for container "100", config section "lxc" lxc-start 100 20200712012140.893 INFO conf - conf.c:run_script_argv:340 - Executing script "/usshare/lxcfs/lxc.reboot.hook" for container "100", config section "lxc" lxc-start 100 20200712012141.395 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start lxc-start 100 20200712012141.395 ERROR lxc_start - tools/lxc_start.c:main:314 - Additional information can be obtained by setting the --logfile and --logpriority options 
Trying to access the apparmor directory shows that it doesn't exist, could the upgrade have deleted the directory?
# ls /valib/lxc/100/apparmor ls: cannot access '/valib/lxc/100/apparmor': No such file or directory # ls -l /valib/lxc/100/ total 8 -rw-r--r-- 1 root root 977 Jul 12 09:21 config drwxr-xr-x 2 root root 4096 Jun 15 2019 rootfs 
My filesystem is ext4, many issues I found regarding upgrade failures involves zfs but I don't use zfs
I'm not familiar enough with apparmor to go any deeper and also not entirely sure how to use tools/lxc_start.c directly with the --logfile/--logpriority options either, not sure what other logs/config files would be helpful in finding the issue, but here are a few more:
# pct config 100 arch: amd64 cores: 2 hostname: apache memory: 512 nameserver: 1.1.1.1 net0: name=eth0,bridge=vmbr0,gw=192.168.0.1,hwaddr=82:B1:0D:3C:47:68,ip=192.168.0.42/16,ip6=dhcp,type=veth onboot: 1 ostype: ubuntu parent: upgrade rootfs: local-lvm:vm-100-disk-0,size=20G startup: order=1,up=30 swap: 1024 unprivileged: 1 # systemctl status [email protected][email protected] - PVE LXC Container: 100 Loaded: loaded (/lib/systemd/system/[email protected]; static; vendor preset: enabled) Active: failed (Result: exit-code) since Sun 2020-07-12 09:27:47 +08; 16min ago Docs: man:lxc-start man:lxc man:pct Process: 30827 ExecStart=/usbin/lxc-start -F -n 100 (code=exited, status=1/FAILURE) Main PID: 30827 (code=exited, status=1/FAILURE) Jul 12 09:27:44 alpha systemd[1]: Started PVE LXC Container: 100. Jul 12 09:27:47 alpha systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE Jul 12 09:27:47 alpha systemd[1]: [email protected]: Failed with result 'exit-code'. # journalctl -xe -- The job identifier is 100128. Jul 12 09:50:16 alpha systemd[1]: Started PVE LXC Container: 100. -- Subject: A start job for unit [email protected] has finished successfully -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- A start job for unit [email protected] has finished successfully. -- -- The job identifier is 100210. Jul 12 09:50:16 alpha kernel: EXT4-fs (dm-13): mounted filesystem with ordered data mode. Opts: (null) Jul 12 09:50:17 alpha audit[1534]: AVC apparmor="STATUS" info="failed to unpack end of profile" error=-71 profile="unconfined" name="lxc-100_" pid=1534 comm="apparmor_parser" name="lxc-100_" offset=151 Jul 12 09:50:17 alpha kernel: audit: type=1400 audit(1594518617.147:54): apparmor="STATUS" info="failed to unpack end of profile" error=-71 profile="unconfined" name="lxc-100_" pid=1534 comm="apparmor_parser" name="lxc-100_" offset=151 Jul 12 09:50:18 alpha systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE -- Subject: Unit process exited -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- An ExecStart= process belonging to unit [email protected] has exited. -- -- The process' exit code is 'exited' and its exit status is 1. Jul 12 09:50:18 alpha systemd[1]: [email protected]: Failed with result 'exit-code'. -- Subject: Unit failed -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- The unit [email protected] has entered the 'failed' state with result 'exit-code'. 
submitted by NoOneLiv3 to Proxmox [link] [comments]

balena Etcher or Criptext Email Appimage File Both will not run if not -no-sandbox option.

balena Etcher or Criptext Email Appimage File Both will not run if not -no-sandbox option. Is a bug in the app, is a bug in the Appimage?

$ ./Criptext-latest.AppImage
[15309:0324/144359.357966:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_CripteJiZik1/chrome-sandbox is owned by root and has mode 4755.
추적/중단점 함정

$ ./balenaEtcher-1.5.69-x64.appimage
[17257:0324/151553.809899:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_balenag8GaQv/chrome-sandbox is owned by root and has mode 4755./tmp/.mount_balenag8GaQv/balena-etcher-electron: line 6: 17257 추적/중단점 함정 "${BASH_SOURCE%/*}"/balena-etcher-electron.bin "[email protected]"
submitted by rani3300 to AppImage [link] [comments]

LXC trouble

Hi,
I have a few unprivledged LXC containter and i back them up using rsync.
I've had to restore a container, but now I am a getting trouble when trying to run the container.
Debug log is attached here:
sh lxc-start lxctestbox 20200108180320.364 ERROR dir - storage/dir.c:dir_mount:198 - Permission denied - Failed to mount "/home/use.local/share/lxc/lxctestbox/rootfs" on "/uslib/x86_64-linux-gnu/lxc" lxc-start lxctestbox 20200108180320.365 ERROR conf - conf.c:lxc_mount_rootfs:1326 - Failed to mount rootfs "/home/use.local/share/lxc/lxctestbox/rootfs" onto "/uslib/x86_64-linux-gnu/lxc" with options "(null)" lxc-start lxctestbox 20200108180320.365 ERROR conf - conf.c:lxc_setup_rootfs_prepare_root:3445 - Failed to setup rootfs for lxc-start lxctestbox 20200108180320.365 ERROR conf - conf.c:lxc_setup:3498 - Failed to setup rootfs lxc-start lxctestbox 20200108180320.365 ERROR start - start.c:do_start:1263 - Failed to setup container "lxctestbox" lxc-start lxctestbox 20200108180320.365 ERROR sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5) lxc-start lxctestbox 20200108180320.365 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING" lxc-start lxctestbox 20200108180320.365 ERROR lxc_start - tools/lxc_start.c:main:330 - The container failed to start lxc-start lxctestbox 20200108180320.365 ERROR lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode lxc-start lxctestbox 20200108180320.366 ERROR lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options lxc-start lxctestbox 20200108180320.366 ERROR start - start.c:__lxc_start:1939 - Failed to spawn container "lxctestbox" lxc-start lxctestbox 20200109094004.310 ERROR dir - storage/dir.c:dir_mount:198 - Permission denied - Failed to mount "/home/use.local/share/lxc/lxctestbox/rootfs" on "/uslib/x86_64-linux-gnu/lxc" lxc-start lxctestbox 20200109094004.313 ERROR conf - conf.c:lxc_mount_rootfs:1326 - Failed to mount rootfs "/home/use.local/share/lxc/lxctestbox/rootfs" onto "/uslib/x86_64-linux-gnu/lxc" with options "(null)" lxc-start lxctestbox 20200109094004.314 ERROR conf - conf.c:lxc_setup_rootfs_prepare_root:3445 - Failed to setup rootfs for lxc-start lxctestbox 20200109094004.315 ERROR conf - conf.c:lxc_setup:3498 - Failed to setup rootfs lxc-start lxctestbox 20200109094004.315 ERROR start - start.c:do_start:1263 - Failed to setup container "lxctestbox" lxc-start lxctestbox 20200109094004.316 ERROR sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5) lxc-start lxctestbox 20200109094004.318 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING" lxc-start lxctestbox 20200109094004.320 ERROR lxc_start - tools/lxc_start.c:main:330 - The container failed to start lxc-start lxctestbox 20200109094004.320 ERROR lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode lxc-start lxctestbox 20200109094004.320 ERROR lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options lxc-start lxctestbox 20200109094004.322 ERROR start - start.c:__lxc_start:1939 - Failed to spawn container "lxctestbox" lxc-start lxctestbox 20200111135750.870 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type u nsid 0 hostid 100000 range 65536 lxc-start lxctestbox 20200111135750.870 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type g nsid 0 hostid 100000 range 65536 lxc-start lxctestbox 20200111135750.870 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /home/use.local/share/lxc lxctestbox lxc-start lxctestbox 20200111135750.870 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount # comment this to allow umount -f; not recommended" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1" lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno) lxc-start lxctestbox 20200111135750.871 INFO seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context lxc-start lxctestbox 20200111135750.871 DEBUG terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal lxc-start lxctestbox 20200111135750.871 DEBUG conf - conf.c:chown_mapped_root:3166 - trying to chown "/dev/pts/1" to 1000 lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_init:897 - Container "lxctestbox" is initialized lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWUSER lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWNS lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWPID lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWUTS lxc-start lxctestbox 20200111135750.876 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWIPC lxc-start lxctestbox 20200111135750.876 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14 lxc-start lxctestbox 20200111135750.876 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15 lxc-start lxctestbox 20200111135750.876 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16 lxc-start lxctestbox 20200111135750.876 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17 lxc-start lxctestbox 20200111135750.876 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18 lxc-start lxctestbox 20200111135750.876 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.876 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.876 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start lxctestbox 20200111135750.878 INFO start - start.c:do_start:1136 - Unshared CLONE_NEWNET lxc-start lxctestbox 20200111135750.879 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.879 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.879 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start lxctestbox 20200111135750.881 DEBUG start - start.c:lxc_spawn:1742 - Preserved net namespace via fd 10 lxc-start lxctestbox 20200111135750.881 WARN start - start.c:lxc_spawn:1746 - Operation not permitted - Failed to allocate new network namespace id lxc-start lxctestbox 20200111135750.881 INFO network - network.c:lxc_create_network_unpriv_exec:2150 - Execing lxc-user-nic create /home/use.local/share/lxc lxctestbox 10080 veth lxcbr0 (null) lxc-start lxctestbox 20200111135750.985 NOTICE utils - utils.c:lxc_switch_uid_gid:1378 - Switched to gid 0 lxc-start lxctestbox 20200111135750.985 NOTICE utils - utils.c:lxc_switch_uid_gid:1387 - Switched to uid 0 lxc-start lxctestbox 20200111135750.985 NOTICE utils - utils.c:lxc_setgroups:1400 - Dropped additional groups lxc-start lxctestbox 20200111135750.985 INFO start - start.c:do_start:1242 - Unshared CLONE_NEWCGROUP lxc-start lxctestbox 20200111135750.986 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start lxctestbox 20200111135750.986 ERROR dir - storage/dir.c:dir_mount:198 - Permission denied - Failed to mount "/home/use.local/share/lxc/lxctestbox/rootfs" on "/uslib/x86_64-linux-gnu/lxc" lxc-start lxctestbox 20200111135750.986 ERROR conf - conf.c:lxc_mount_rootfs:1326 - Failed to mount rootfs "/home/use.local/share/lxc/lxctestbox/rootfs" onto "/uslib/x86_64-linux-gnu/lxc" with options "(null)" lxc-start lxctestbox 20200111135750.986 ERROR conf - conf.c:lxc_setup_rootfs_prepare_root:3445 - Failed to setup rootfs for lxc-start lxctestbox 20200111135750.986 ERROR conf - conf.c:lxc_setup:3498 - Failed to setup rootfs lxc-start lxctestbox 20200111135750.986 ERROR start - start.c:do_start:1263 - Failed to setup container "lxctestbox" lxc-start lxctestbox 20200111135750.987 ERROR sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5) lxc-start lxctestbox 20200111135750.987 DEBUG network - network.c:lxc_delete_network:3180 - Deleted network devices lxc-start lxctestbox 20200111135750.987 DEBUG lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 10072 exited lxc-start lxctestbox 20200111135750.987 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING" lxc-start lxctestbox 20200111135750.987 ERROR lxc_start - tools/lxc_start.c:main:330 - The container failed to start lxc-start lxctestbox 20200111135750.987 ERROR lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode lxc-start lxctestbox 20200111135750.987 ERROR lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options lxc-start lxctestbox 20200111135750.987 ERROR start - start.c:__lxc_start:1939 - Failed to spawn container "lxctestbox" lxc-start lxctestbox 20200111135750.988 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.988 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start lxctestbox 20200111135750.988 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start lxctestbox 20200111135750.993 INFO conf - conf.c:run_script_argv:356 - Executing script "/usshare/lxcfs/lxc.reboot.hook" for container "lxctestbox", config section "lxc"
submitted by unixbassen to linuxquestions [link] [comments]

[Discussion] Why Installer 5 deserves a chance and my thoughts on it

Recently read this post and want to give my own opinion on it. Before I start notice how immature the post is, clearly it's purpose is to bash Installer and not to maturely give its downsides. Some of the Installer devs have replied with pretty mature and good points. That's why I'll keep this post peaceful and will try to be as objective as possible.
Firstly, I'd like to start with some of the major criticisms multiple devs made.
Make a new file, add 7777 permissions to it and change ownership to root. zip that file and extract it somewhere else, did any of the permissions change? Did the ownership change? It didn't when I tried. CC: Daily1JB
EDIT: Looks like setuid permissions are only saved if I extract the archive using Filza. (I don't get why?) If I use Terminal they're not. As for ownership it takes the ownership of the user which extracts it, so not an issue for Installer. Thanks to josephwalden for pointing it outl
The biggest point of Installer is getting rid of the need for dependencies. Therefore everything must be concentrated in a single app. It is easy for a dev to say "here you got a vulnerability" but not easy for who's working on so much things at once to not miss anything.
This is where I'd like to reply to the post above.
Indeed it is, but was it meant to be used on iOS? Most Linux systems have it preinstalled, what about iOS? The only way to install it is by using a .tar bootstrap full of 20MB of files. Is that dangerous? Of course it is. Not much for end-users, it's been tested a lot of times, but when devs take their time and put efforts in a new jailbreak indeed it is. Putting random untested files all over the filesystem doesn't sound good right? iOS's filesystem can change with time. What if there's an important change which makes an older bootstrap not work anymore? What's the worst thing that can happen? I believe you can imagine that. Just to compare, take a look at this: https://github.com/KirovAidelectra/blob/masteunjailbreak.sh, that's what a Cydia jailbreak installs on your device. The simplest Installer jailbreak needs just two directories, one for Installer and one for binaries. Easy to get rid of, chance of it not working with future iOS almost 0, and the best part: it's easier to bypass jailbreak detections. EDIT: Forgot to mention, this way also makes sure we get new jailbreaks faster, there's no need to make and test a new bootstrap. Remember? That was the main reason electra 1.0 was delayed so much.
Literally there's no reason to waste 20 seconds of your time to run uicache, it's much easier to detect application installs. As for packages which use postinsts, I'm sure all of them run uicache manually, perfect example: Ext3nder Installer
As for other arguments used by Daily1Jb, they're mostly false and not based on evidence.
Examples:
their team has no idea what the setuid/setgid permissions are!
How did they ran Installer with root permissions then?
you cannot specify checksums for a package like you can with Cydia
After speaking with their team, there are checksum checks. Also, less chance to screw up (instead of "more") as by default you cannot install untested packages (unless you disable the option)
complicated
Making an Installer repo gives you a full package management tool, you visit the website, enter the key and you can upload packages, refresh the repo with a few clicks. Cydia repos need you to manually run perl scripts to scan packages one by one and then upload the new files manually by FTP or something (depending on your repo).
Yes there are some things I don't like, but I'm sure it'll get improved over time:
Those were my points. If you don't agree with something feel free to make a peaceful discussion with me. I'll try to answer everyone.
Note: was going to be a longer post, but my device crashed to Safe Mode while I was writing and I had to shorten some things.
submitted by LEL-LAL-LOL to jailbreak [link] [comments]

[Beta] SuperSUiOS - SuperSU for iOS

WARNING: This tweak is not complete and won't ever be completed by me. After thinking about how jailbreaks work, I don't think this project makes sense anymore.

SuperSUiOS is an incomplete tweak that asks for user permission before allowing apps to setuid(), seteuid() or setgid(). In its current state, everything works as intended. However, the tweak does not hook to anything other than binaries that are linked to UIKit. There is also no preference bundle where you can manage permissions, so unless you make one yourself, you should stay away from "Always" and "Never" options.
Source code: https://github.com/pixelomeSuperUser Repo: n/a
submitted by pxOMR to jailbreak [link] [comments]

Detached LUKS header full disk encryption with encrypted keyfile inside a passphrase-protected bootable keydisk using direct UEFI secure boot, encrypted swap, unbound with DNSCrypt and DNSSEC, and system hardening

EDIT: added parts to Arch Wiki

I.   Installation

General tips and notes:
 
I. Part I: Preparing the devices
Before you begin, go to your EFI settings (commonly referred to as BIOS settings although technically it's EFI now) at boot time using the designated function key. On my laptop that's F10 but you should google yours. Now go to Boot options and disable Secure Boot, then clear keys, this will leave the TPM in a receptive state for when we enroll our custom keys later. Note the clear keys option should be on the same page as the secure boot option, and it is not the separate TPM keys option which is something different. When you save changes and exit you may have to hit a key combination and press enter to verify.
Make sure to run 'lsblk' to find out what your block device mappings are, don't copy this blindly. We're overwriting all the data, so if there's files you need copy them or image them with Clonezilla to a different drive and leave that one unplugged.
dd if=/dev/urandom of=/dev/sda bs=4096 
#hard drive (just wait, a 500gb HDD took around 2.5 hours)
dd if=/dev/urandom of=/dev/sdb bs=4096 
#USB
 
I. Part II: Preparing the USB key
gdisk /dev/sdb 
n
1
2048
+512M
EF00
n is new partition, L shows all hex codes for filesystems (EF00, 8300), t allows you to change a filesystem after creating a partition
n
2
(Hit enter to accept the automatic start value here)
+250M
8300
Write changes with 'w', 'q' is quit.
cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --key-size=512 -i 30000 luksFormat /dev/sdb2 
 
Note: the -i is for iteration time in milliseconds for the key derivation function pbkdf, it should be at least 5000 (5 seconds), but preferably put it as high as you can stand. For me, that's about 30 seconds.
 
cryptsetup open /dev/sdb2 cryptboot 
 
mkfs.ext2 /dev/mappecryptboot 
 
Note: I picked ext2 for simplicity and to avoid journaling since it's just a usb drive
 
mount /dev/mappecryptboot /mnt 
 
cd /mnt 
 
dd if=/dev/urandom of=key.img bs=20M count=1 
 
cryptsetup --align-payload=1 --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 -i 30000 luksFormat key.img 
 
cryptsetup open key.img lukskey 
 
Note: You should make the file larger than 8192 bytes (the maximum keyfile size for cryptsetup) since the encrypted loop device will be a little smaller than the file's size.
20M might be a little too big for you, but 1) With a big file, we'll use --keyfile-offset=X and --keyfile-size=8192 to navigate to the correct position and 2) having too small of a file will get you a nasty 'Requested offset is beyond real size of device /dev/loop0' error.
Shoutout to the Gentoo Wiki for showing me how to do this easily and this thread from the Arch Linux forums for the inspiration. And the Gentoo Wiki again for explaining the size issue.
Now you should have 'lukskey' opened in a loop device (underneath /dev/loop1), mapped as /dev/mappelukskey
 
I. Part III: The main drive
truncate -s 2M header.img 
 
cryptsetup --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 luksFormat /dev/sda --align-payload 4096 --header header.img 
 
Pick an offset, and a number of milliseconds you can wait for
 
cryptsetup open --header header.img --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 /dev/sda enc 
 
cd / 
 
cryptsetup close lukskey 
 
umount /mnt 
(if it complains about being busy make sure lukskey container is closed then "ps -efw" to find hanged processes and their PIDs to kill with "kill -9 "
 
pvcreate /dev/mappeenc 
 
vgcreate store /dev/mappeenc 
 
lvcreate -L 20G store -n root 
 
lvcreate -L 4G store -n swap 
 
lvcreate -l 100%FREE store -n home 
 
You can name "store" anything you want, the number of GB is up to you (note my root partition is currently using 3.9GB if you're looking for a rough minimum), swap space doesn't have to be twice your RAM unless you have a machine with very low RAM. Some people do the size of their RAM, some do half of their RAM, some do less. If you plan on suspending and hibernating, which I don't recommend (it's more proper to shutdown so the encryption keys are wiped from memory) then you would do at least the size of your RAM.
 
mkfs.ext4 /dev/store/root 
 
mkfs.ext4 /dev/store/home 
 
mount /dev/store/root /mnt 
 
mkdir /mnt/home 
 
mount /dev/store/home /mnt/home 
 
mkswap /dev/store/swap 
 
swapon /dev/store/swap 
 
mkdir /mnt/boot 
 
mount /dev/mappecryptboot /mnt/boot 
 
mkfs.fat -F32 /dev/sdb1 
 
mkdir /mnt/boot/efi 
 
mount /dev/sdb1 /mnt/boot/efi 
 
I. Part IV: The actual installation procedure and custom encrypt hook
After reading the "pacstrap" command and other tips below, follow the Installation Guide up to the "mkinitcpio" step but don't do it yet. You will skip "Partition the disks", "Format the partitions", and "Mount the file systems" as we've already done that. If you use a regular US keymap layout skip "Set the keyboard layout" as well. I skipped "Hostname" and "Network configuration" because I don't need a hostname and I prefer to start [email protected].service manually.
tl;dr quick network connection:
ip link set  up 
 
systemctl start [email protected].service 
This is my quick way to get https mirrors in order of speed (adjust for your country):
grep -i -A1 "United States" /etc/pacman.d/mirrorlist | grep -iP "^Server" | grep -vP "^--$" | sed 's/http/https/gi' > /etc/pacman.d/mirrorlist2 
#The accuracy of this grep statement could change depending on the format in the future, you may need to adjust.
 
rankmirrors -n 0 /etc/pacman.d/mirrorlist2 > /etc/pacman.d/mirrorlist 
 
Refreshing the package keys and a basic pacstrap command for our guide (if you need any other packages add them to the end or do a "pacman -S package" anytime after the chroot step):
pacman-key --refresh-keys 
 
pacstrap /mnt base base-devel linux-hardened efibootmgr sudo 
 
Now you should be at the "mkinitcpio" step and chrooted into your system. In order to get our encrypted setup to work, we will need to build our own hook, which is thankfully easy to do and I have the code you need. You will have to run "ls -lth /dev/disk/by-id" to figure out your own ID values for usb and main hard drive (they're linked -> to sda or sdb) then to get them into the file: "ls -lth /dev/disk/by-id | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/initcpio/hooks/customencrypthook". You should be using those ids instead of just sda or sdb because sdX can change and this ensures it's the correct device.
You can name "customencrypthook" anything you want, and note that /etc/initcpio is the folder for hooks you create. Keep a backup of both files ("cp" them over to the /home directory or your user's home directory after you make one). /usbin/ash is not a typo.
/etc/initcpio/initcpio/hooks/customencrypthook
#!/usbin/ash 
 
run_hook() { 
 
modprobe -a -q dm-crypt >/dev/null 2>&1 
 
modprobe loop 
 
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null" 
 
while [ ! -L '/dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-part2' ]; do 
#the Xs represent your USB drive id found by "ls -lth /dev/disk/by-id"
 
 echo 'Waiting for USB' 
 
 sleep 1 
 
done 
 
 cryptsetup open /dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXX-part2 cryptboot 
 
 mkdir -p /mnt 
 
 mount /dev/mappecryptboot /mnt 
 
 cd /mnt 
 
 cryptsetup open key.img lukskey 
 
 cryptsetup --header header.img --key-file=/dev/mappelukskey --keyfile-offset=N --keyfile-size=8192 open /dev/disk/by-id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY enc 
#the Ys represent your main hard drive found by "ls -lth /dev/disk/by-id", N is your offset
 
 cd / 
 
 cryptsetup close lukskey 
 
 umount /mnt 
 
} 
#Note: I could also close cryptboot, but I want it to be easier to mount for updating and signing the kernel (which happens automatically during kernel updates), and regenerating the initramfs with mkinitcpio. You can close it using "cryptsetup close cryptboot", but then you would have to reenter the password before you mount it after booting into the system.
 
/etc/initcpio/install/customencrypthook
#!/bin/bash 
 
build() { 
 
local mod 
 
add_module dm-crypt 
 
if [[ $CRYPTO_MODULES ]]; then 
 
 for mod in $CRYPTO_MODULES; do 
 
 add_module "$mod" 
 
 done 
 
else 
 
 add_all_modules '/crypto/' 
 
fi 
 
add_binary "cryptsetup" 
 
add_binary "dmsetup" 
 
add_file "/uslib/udev/rules.d/10-dm.rules" 
 
add_file "/uslib/udev/rules.d/13-dm-disk.rules" 
 
add_file "/uslib/udev/rules.d/95-dm-notify.rules" 
 
add_file "/uslib/initcpio/udev/11-dm-initramfs.rules" "/uslib/udev/rules.d/11-dm-initramfs.rules" 
 
add_runscript 
 
} 
 
/etc/mkinitcpio.conf (edit this only don't replace it, these are just excerpts of the necessary parts)
MODULES=(loop) 
 
HOOKS=(base udev autodetect modconf block customencrypthook lvm2 filesystems keyboard fsck) 
#Note: the files=() and binaries=() arrays are empty, and you shouldn't have to replace HOOKS=(...) array entirely just edit in "customencrypthook lvm2" after block and before filesystems, and make sure "systemd", "sd-lvm2", and "encrypt" are removed.
 
I. Part V: Setting up sudo and a user
First, we need to change the root password and then add a user.
passwd 
 
useradd -m -G wheel -s /bin/bash USERNAMEHERE 
 
passwd USERNAMEHERE 
 
EDITOR=nano 
 
 visudo 
and make these edits:
at the top:
## See the sudoers man page for the details on how to write a sudoers file.
##
Defaults env_reset
Defaults editor=/usbin/nano, !env_editor
Defaults timestamp_timeout=0
Note: env_reset resets environment variables to prevent somebody from selecting a different program as their "editor" using the EDITOR environment variable, your default in the second line can be vi or another editor instead of nano, and timestamp_timeout=0 disables the sudo cache because I want to type the password every time. I recommend following these because even in a single-user scenario, potential malware could take advantage if you have those vulnerabilities open. The first two lines are from Sudo - Arch Wiki.
 
and near the bottom:
## User privilege specification
root ALL=(ALL) ALL
USERNAMEHERE ALL=(ALL) ALL
The owner and group for the sudoers file must both be root. The file permissions must be set to 0440.
ls -lth /etc/sudoers and make sure it looks like this:
-r--r----- 1 root root
If it doesn't then:
chown -c root:root /etc/sudoers 
 
chmod -c 0440 /etc/sudoers 
Now "su -l USERNAMEHERE" and run "sudo -i" and see if you can login as sudo, it should change your terminal to "[email protected]" instead of your username. Once you see it works, disable the direct root login and then exit.
passwd -l root 
 
exit 
From now on, you will use "sudo -e file" to safely edit files that require you to be root to edit them as it uses temporary files and is considered to be the proper form.
Also, while you should always use sudo to become root, if you ever use "su" for any user, use "su -l". This changes home directory and environment variables for safety as discussed here
 
I. Part VI: Direct UEFI using secure boot
 
We need to get cryptboot and sbupdate git from the AUR, then untar, read the pkgbuild, and "makepkg -si" inside the folder, for each. Yes, the program "cryptboot" has the same name as what we named our encrypted usb drive, but know that there's no relation here besides the implied meaning of "encrypted boot" and you can use any name for your encrypted usb drive.
These are the AUR links: cryptboot and sbupdate for reference. However, we'll be downloading a snapshot .tar.gz directly.
As of December 2017, the snapshot links are:
https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz
https://aur.archlinux.org/cgit/aur.git/snapshot/sbupdate-git.tar.gz
 
Important note: Don't do this as root and don't use sudo, add a user first and do it as the user.
su -l USERNAMEHERE 
 
If you're not already in the user's home directory:
cd ~ 
 
curl -o cryptboot.tar.gz https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz 
At this point I used my phone to copy and paste the .tar.gz "Download Snapshot" link from https://aur.archlinux.org/packages/cryptboot/ into VirusTotal.com and then used "sha256sum cryptboot.tar.gz" on the computer to get a checksum and compared it with the value on my phone.
 
tar xvf cryptboot.tar.gz 
 
cd cryptboot 
 
less PKGBUILD 
Read the package build and make sure nothing malicious has been snuck in there, to the best of your ability.
 
makepkg -si 
 
According to the Arch Linux wiki, this will download the code, resolve the dependencies with pacman, compile it, package it, and ask you for your sudo password to install the package.
Now we make our keys:
First prepare crypttab temporarily to be compatible with cryptboot.
Use "sudo -i" to become root.
sudo -e /etc/crypttab 
cryptboot /dev/disk/by-uuid/ZZZZZZZZZZZZZZZZZZZZZZZZZZZ none luks
You will have to find Z by running "ls -lth /dev/disk/by-uuid" and see which one links to sdb2 or whichever is the encrypted boot partition of your usb drive. Then "ls -lth /dev/disk/by-uuid | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/crypttab".
sudo -e /etc/cryptboot.conf 
BOOT_CRYPT_NAME="cryptboot"
BOOT_DIR="/boot"
EFI_DIR="/boot/efi"
EFI_KEYS_DIR="/boot/efikeys"
 
cryptboot-efikeys create 
 
cryptboot-efikeys enroll 
 
Hopefully if you cleared your secure boot keys beforehand and properly configured the cryptboot.conf and your /boot partition is mounted, it should be successful. Delete the temporary entry we created from your crypttab.
Remember that generating keys only has to be done once. I guess you could do it again if you're worried that your keys have been compromised (don't forget to rename DB.* files back to db.*, see efikeys below), but it only needs to be done once and sbupdate will use the same keys to sign your new images every time you update your kernel.
Now we must prepare the system for sbupdate. Use "sudo -i" to become root.
cd /boot/efikeys 
"ls" to get a list of files and change all the "db.*" files to "DB" like this: mv db.file DB.file
Switch back to regular user "su -l USERNAMEHERE". Repeat the curl, tar, less, makepkg procedure done above for cryptboot except this time do it for sbupdate.
sudo -e /etc/default/sbupdate 
KEY_DIR="/boot/efikeys"
ESP_DIR="/boot/efi"
CMDLINE_DEFAULT="/vmlinuz-linux-hardened root=/dev/mappestore-root rw quiet"
The CMDLINE_DEFAULT is really important here, without it your efi will not boot. If you're curious what these files are and where they come from, vmlinuz is the compressed kernel image which is part of the package for linux-hardened. It's installed to the mounted /boot directory. In the same directory, initramfs-*.img files are created by mkinitcpio when we run the command.
now "sudo -i" into root and run:
mkinitcpio -p linux && mkinitcpio -p linux-hardened && sbupdate 
It should generate the initramfs image, and generate a signed UEFI image of your kernel and initramfs that we will be able to boot from. There should be a few "missing firmware" errors which should be harmless
 
Note: I keep the linux kernel as a backup in case anything goes wrong with linux-hardened after an update and I need to boot
 
Now we need a boot option for the signed efi file.
First run "lsblk" and look for the usb device and the 512M EFI partition. Mine is sdb1.
The Gentoo Wiki gives us a good example:
efibootmgr -c -d /dev/sdb -p 1 -L "Arch Linux Hardened Signed" -l "EFI\Arch\linux-hardened-signed.efi" 
-c create, -d disk, -p partition, -L label, and -l loader
Make sure the boot order puts "Arch Linux Hardened Signed" first. If not change it with "efibootmgr -o XXXX,YYYY,ZZZZ"
Finally, exit the chroot (keep running exit until it says [email protected] without brackets [] and the "lsblk" shows boot as "/mnt/boot" and not "/boot") and umount devices, then reboot
exit 
 
cd / 
 
umount -R /mnt 
 
reboot 
 
Now you will have to press the button for your EFI settings (BIOS settings) and enable secure boot, disable legacy boot and cd boot, and set up an administrator or power on password to prevent access. You'll need the usb key to boot and you'll have to enter two passwords, one for the usb key and another for the keyfile. Then the keyfile unlocks the main hard drive. You should probably run 'pacman -Syu' to update the system.
I. Part VII: Graphics and audio
First check your graphics driver here. I'm using radeon. Newer AMD cards use amdgpu (xf86-video-amdgpu). Nvidia and Intel should check the wiki for info.
pacman -S xorg-server xf86-video-ati xfce4 mousepad 
Check your ~/.local/share/xorg/Xorg.0.log and make sure it got loaded properly. For example, radeon will have lines that say "RADEON(0):". If it didn't load your driver it may say "MODESETTING(0):" which is the fallback driver as explained here Xorg - ArchWiki.
Also check your driver's wiki page to find out about enabling "TearFree" which prevents the horizontal lines when playing video (you'll have to create a minimal Xorg Configuration first with a "Device" section containing "Driver" and "Identifier").
Ctrl + F this page for "Prevent Xorg" and do that now, plus "Run Xorg Rootless".
Now for the audio:
pacman -S pulseaudio pavucontrol xfce4-pulseaudio-plugin 
Controversial, but pulseaudio indeed "just works" and you need it to hear sound on Firefox.

II.   Firewall

https://aur.archlinux.org/cgit/aur.git/snapshot/arno-iptables-firewall.tar.gz
You know the AUR drill we used for cryptboot and sbupdate by now, just curl -o the snapshot, verify the checksum matches the one online with VirusTotal, tar xvf, less pkgbuild, then makepkg -si. Remember to do it all as a regular user, not root so don't use sudo. Then:
 cd ~/arno-*/src/aif* sudo ./install.sh 
 
sudo -e /etc/arno-iptables-firewall/firewall.conf 
EXT_IF=""
EXT_IF_DHCP_IP=1
If you use a static ip you would leave the dhcp setting at 0.
sudo systemctl enable arno-iptables-firewall.service 
 
sudo systemctl start arno-iptables-firewall.service 

III.   System Hardening

Encrypted Swap
sudo -e /etc/crypttab 
swap /dev/mappestore-swap /dev/urandom swap,cipher=twofish-xts-plain64,hash=sha512,size=512,nofail
sudo -e /etc/fstab 
/dev/mappeswap none swap defaults 0 0
The entry for fstab replaces the old swap entry, you could just edit the old one to look like this.
Umask
sudo -e /etc/profile 
# Set our umask
umask 077
The way it was explained to me is that before the umask is applied, linux permissions for files you create start off as 0777. Umask 077 is the same as 0077. Thus, subtract 0777 - 0077 = 0700
The order is 0 (setuid, setgid, sticky bit), 7 (user), 0 (group), 0 (others)
This means that only the user who created or root will be able to read, write, and execute the file or directory (only directories create as exec). A umask of "177" would prevent the executable bit from being set so the default file permissions for directories you create would be "-rw-------".
The first 0 is for setuid, setgid, and sticky bit. Setuid and setgid allow a user to become other users or groups like root or wheel. Sticky bit allows your user to write or change a file, but prevent the change or deletion of your files by other users. This is useful for group or world-writable settings where people have the same permissions in a folder but you want to prevent destructive behavior.
Know that root can violate any permissions it wants unless you write a specific rule in SELinux which is a out of scope for this guide, unforunately. There are good books on it written by a guy named "Vermeulen".
Permissions
You may want to consider running: chmod -R g-rwx,o-rwx /boot
What this does is - (subtracts) all permissions (rwx) from group (g) and others (o). Leaving only root and the owner of the file with permissions.
chmod 000 /boot/key.img
chmod 000 /boot/header.img
#Note that obviously root will still be able to override this, but it means that no user can access it so the files can only be read or written to by root.
Pluggable Authentication Modules PAM rules
sudo -e /etc/pam.d/system-login 
#auth required pam_tally.so onerr=succeed file=/valog/faillog
auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/valog/faillog
Note you have to comment the first line so failed attempts are not counted twice, then the second line sets 2 denials (wrong passwords) and a 10 minute lockout. onerr=succeed counts the number of attempts. The file=* is a failure log.
sudo -e /etc/pam.d/su 
auth required pam_wheel.so use_uid
sudo -e /etc/pam.d/su-l 
auth required pam_wheel.so use_uid
TCP IP Hardening
sudo -e 50-dmesg-restrict.conf 
kernel.dmesg_restrict = 1
sudo -e 51-net.conf 
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
sudo -e 40-ipv6.conf 
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eno1.use_tempaddr = 2
net.ipv6.conf.lo.accept_redirects = 0
net.ipv6.conf.wlo1.use_tempaddr = 2
To apply changes,
sudo sysctl --system 
I've intentionally left out logging martian packets (people sending you packets with a spoofed or misconfigured addresses), but if you want you can log those to track down malicious activity.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disabling Root login
We already ran "passwd -l root" after we set up sudo.
sudo -e /etc/securetty 
Comment out all the lines in this file, you'll still be able to use sudo.
Hardening fstab
For cryptboot and the usb EFI partition add this to the fourth field comma-separated values:
noauto,nodev,nosuid,noexec
For /dev/store/home or /dev/mappestore-home:
nodev,nosuid
Hidepid
sudo -e /etc/fstab 
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
For Xorg to work, an exception needs to be added for systemd-logind:
sudo -e /etc/systemd/system/systemd-logind.service.d/hidepid.conf 
[Service]
SupplementaryGroups=proc
Prevent coredumps
sudo -i /etc/systemd/coredump.conf 
Storage=none
Check Pacman SigLevel and PGP keyring keys
grep -i siglevel /etc/pacman.conf 
SigLevel = Required DatabaseOptional
Update the keys manually:
pacman-key --refresh-keys 
Today is January 02, 2018. As of today, the "archlinux-keyring" was last updated on "2017-12-15 12:23 UTC". In a scenario where a key is no longer valid or goes rogue, it would be helpful to have the latest keys.
Safe mounting of external disks (sdc1 is an example)
sudo mount -o nodev,nosuid,noexec /dev/sdc1 /mnt 
This prevents executables, programs running with different user privileges than the user has, and nodev prevents character or block devices from being interpreted on the drive to prevent malicious exploits.
Browser cache permissions
edit: Updated to chromium
~/.config/chromium and ~/.cache/chromium files are "-rw-------" (chmod 600) and folders are "drwx------" (chmod 700). The point is to check permissions frequently and prevent executable files in the cache.
TTY Timeout
sudo -e /etc/profile.d/shell-timeout.sh 
TMOUT="$(( 60*10 ))";
[ -z "$DISPLAY" ] && export TMOUT;
case $( /usbin/tty ) in
/dev/tty[0-9]*) export TMOUT;;
esac
You can also block tty access all together but I prefer having it so I can switch over if I want or need to get away from Xorg.
Prevent Xorg from being run on a different terminal besides the one you logged in
sudo -e ~/.xserverrc 
#!/bin/sh
exec /usbin/Xorg -nolisten tcp -nolisten local "[email protected]" vt$XDG_VTNR
-nolisten local disables abstract sockets of X11. Which are supposed to be a risk if a keylogger or screenshotter attached itself to them. This blog gives some history on the subject.
Startx will execute this when you start up your desktop. You can autostart X at login but I prefer to do it manually. I use xfce so it's "exec startxfce4" after I login.
Run Xorg rootless
sudo -e /etc/X11/Xwrapper.config 
set needs_root_rights = no

IV.   Unbound + Dnscrypt + DNSSEC

edit: The new dnscrypt-proxy automatically updates the sources (servers list) so I've simplified this section.
 
sudo pacman -S unbound expat dnscrypt-proxy ldns 
 
sudo -e /etc/dhcpcd.conf 
Add anywhere:
static domain_name_servers=127.0.0.1
sudo systemctl edit dnscrypt-proxy.service 
edit: After the update on 5/18/2018 dnscrypt-proxy needs CAP_NET_BIND_SERVICE capability.
[Service]
DynamicUser=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET
SystemCallArchitectures=native
[email protected] @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io
Above is from DNSCrypt - ArchWiki
sudo -e /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
listen_addresses = []
require_dnnssec = true
cache = false
Cache is disabled because we are using DNSCrypt as a forwarder for the unbound cache. I still use Unbound because it has a better way of actually testing and validating that DNSSEC is working.
sudo -e /etc/unbound/unbound.conf 
server:
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
port:53
do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: [email protected]
sudo -e /etc/resolv.conf 
nameserver 127.0.0.1
options edns0 single-request-reopen
systemctl edit dnscrypt-proxy.socket 
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:5138
ListenDatagram=127.0.0.1:5138
The port number is larger than 1024 so dnscrypt-proxy is not required to be run by root. So pick a number from 1025-65535, or run this command "shuf -n 1 -i 1025-65535".
For DNSCrypt with Unbound, only unbound and dnscrypt-proxy.socket need to be started and enabled.
 systemctl enable dnscrypt-proxy.socket 
 
 systemctl enable unbound.service 
 
 systemctl start dnscrypt-proxy.socket 
 
 systemctl start unbound.service 
 
Now test it out
 drill -DT sigfail.verteiltesysteme.net 
 
 drill -DT sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net 
Root Hints
sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache 
 
sudo chmod 644 /etc/unbound/root.hints 
 
sudo -e /etc/unbound/unbound.conf 
Under "server:":
root-hints: "/etc/unbound/root.hints"
 
sudo systemctl restart unbound 
 
Root Hints script (Optional, probably unnecessary)
This optional script creates a service that updates root hints automatically. is your internet device from "ip link", usually eno1 or wlo1. If you don't use dhcpcd then change it to the service that gets your internet working. Once the timer goes off each month, the script will retry every 20 minutes until the internet is on then update the root hints. If a timer is missed it will keep trying. The 2 minute predelay is to give dnscrypt time to resolve fingerprints and the certificate.
sudo -e /etc/systemd/system/roothints.service 
 
[Unit]
Description=Update root hints for unbound
[email protected].service
[Service]
TimeoutStartSec=0
Restart=on-failure
RestartSec=1200
ExecStartPre=/bin/sleep 120
ExecStart=/usbin/bash -c 'isitalive=$(/usbin/systemctl is-active [email protected].service); if [ "$isitalive" == "active" ]; then /usbin/curl -v -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache; fi; if [ "$isitalive" == "inactive" ]; then exit 1; fi'
 
sudo -e /etc/systemd/system/roothints.timer 
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
You can use a custom date like this: "OnCalendar=*-*-12 12:00:00". That would run the job on the 12th of every month at 12pm local time.
sudo systemctl enable roothints.timer 
 
sudo systemctl start roothints.timer 
 
sudo systemctl status roothints.timer 
Testing our script
From the wiki on Timers you can check the calendar time until the next run:
systemd-analyze calendar "*-*-12 12:00:00" 
 
systemd-analyze calendar monthly 
If you have other timers also, you may want to consider setting them to separate, specific times or using "RandomizedDelaySec" in the .timer file under [Timer]
 
systemctl daemon-reload 
To reload units after making changes on disk.
sudo systemctl start roothints 
Wait a little and then check the systemctl status.
 
Troubleshooting
If you can't resolve hosts try:
  • Setting "verbosity=5" under "server:" in /etc/unbound/unbound.conf and check "journalctl -u unbound.service". You should see some pretty detailed output that shows if it's working.
  • If you just want to get your internet working again, # comment out the forwardings section ("forward-zone:", "name:", "forward-addr:") and "trust-anchor-file" in unbound.conf, systemctl stop dnscrypt-proxy.socket and dnscrypt-proxy.service, then stop and start unbound to fix the internet.
  • If you're using unbound, make sure /etc/dnscrypt-proxy/dnscrypt-proxy.toml 'cache' is disabled.
Sometimes, fixing the internet is as simple as using "ip link set down", "ip link set up", then stop and start [email protected].service. Or restarting unbound.service. Also check "systemctl status dnscrypt*" to make sure the socket is running and that the proxy service received its certificate and fingerprints from the server.

V.   Firejail:

pacman -S firejail chromium xorg-server-xephyr openbox 
Edit: changed to Chromium
Xephyr and openbox will allow us to enable X11 sandboxing and resize the browser window, respectively.
sudo -e /etc/firejail/firejail.config 
xephyr-screen WIDTHxHEIGHT
Width and Height are in pixels.
To open the sandbox and browser:
firejail --x11 --profile=/etc/firejail/chromium.profile openbox --startup 'chromium' 
You should be able to adjust the window or maximize it, and the internet should work automatically since unbound is handling our dns.

VI.   Afternotes:

  • Be careful with your LUKS header and any backups of it, the proper disposal is to "shred", "wipe", or dd it with random data multiple times before deleting it Securely Wipe Disk - Arch Wiki.
    If an attacker gets a hold of your old LUKS header (after you changed the passphrase) and they figured out the old passphrase or keyfile, they can use the old header to get access to your system. Check out the cryptsetup FAQ for more details.
    A way to mitigate this is to use "cryptsetup-reencrypt" which will generate a new master key (volume key) and make the old header ineffective even when they have the compromised passphrase or keyfile, but read the man page first.
  • You can use dd to backup the whole usb drive as an image, or the partitions (assuming it's sdb):
    dd if=/dev/sdb1 of=backup.img bs=4M
    dd if=/dev/sdb2 of=backup2.img bs=4M
  • The LUKS keyfile can be changed like this:
    cryptsetup --header /boot/header.img --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 luksChangeKey /dev/mappeenc /dev/mappelukskey2 --new-keyfile-size=8192 --new-keyfile-offset=Y 
Afterwards, "cryptsetup close lukskey" and "shred" or "dd" the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one "key.img" or other name.
  • For some reason sysctl doesn't seem to be loading my /etc/sysctl.d/51-net.conf file on boot so I have to run "sysctl --reload" to get it working.
  • Read General Recommendations on the Arch Wiki, mainly "System Administration" and "Package Management"
  • Consider blacklisting usb devices with USBGuard
  • Check permissions, ownership, and sticky bits everywhere you can.
    find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) | xargs ls
    #look for setuid or setgid bits
    chmod u-s /path/to/file
    #unset a setsuid bit for a file (user id)
    chmod g-s /path/to/file
    #unset a setguid bit for a file (group id)
    find / -nouser -o -nogroup | xargs ls
    #unowned abandoned orphaned files
    find / -path /proc -prune -o -perm -2 ! -type l | xargs ls
    #world-writable files
  • Anti virus or anti malware such as clamav and rkhunter
  • Intrusion detection, scanning, and security auditing tools such as lynis, nmap, aide, snort, yasat. You can find more recommendations here
  • Implementing access control security policies such as SELinux, Tomoyo, AppArmor, Smack, and I'm sure there's more.
submitted by wincraft71 to archlinux [link] [comments]

Weekly Dev Update 25/06/2019

Hey Y’all,

We’re all busy getting ready for the testnet release this week, which means we’re busy combing through lokid, Loki Messenger and the Loki Storage Server looking for bugs and testing our edge cases.
This week we also did a new release for the Loki Electron GUI wallet which adds a number of quality-of-life upgrades for users, including being able to see all of the nodes you’ve contributed to, having the ability to unstake from nodes with a single click, and transaction proofs and checking.
Loki Core
---------------------------
Loki Launcher
The Loki Launcher is a node js package that will allow for the independent management of all the components required to run a full Service Node. This includes managing Lokinet, lokid and the Loki Storage Server. When Loki Service Nodes begin to route data and store messages for Lokinet and Loki Messenger, the Loki Launcher will need to be run on every single Service Node.
Right now the Launcher is in a testing phase, so you should only use it on testnet and stagenet – though feedback/issues and pull requests would be greatly appreciated!
What’s going on this week with Loki Launcher:
We released the first version of the Launcher! and with everyone’s feedback have continued to roll out updates and bug fixes. We’ve learned a lot from this release, and we hope this will help everyone make the upgrade to version 4.0.0 of Loki seamlessly.
Changelog:
Github Pulse: Excluding merges, 2 authors have pushed 38 commits to master and 38 commits to all branches. On master, 15 files have changed and there have been 588 additions and 205 deletions.
---------------------------
Lokinet
If you’re on our Discord you might catch Jeff or Ryan, the developers of LLARP, live streaming as they code: https://www.twitch.tv/uguu25519, https://www.twitch.tv/neuroscr.
What’s going on this week with Lokinet:
Work continues on improving our metrics for internal testing and adjustments due to libuv refactor. We continue to improve the quality of the code and seek to remove any possibilities of bugs creeping in. path build status messages have been added as a pull-request, and we have high hopes this will lead to finding more stability bugs which we can squash.
Changelog:
Pull Requests:
--------------------------
Loki Wallets
Loki Electron GUI Wallet
We published a new release for the Loki Electron GUI wallet which can be found here: https://github.com/loki-project/loki-electron-gui-wallet/releases/tag/v1.2. This new release includes features such as:
--------------------------
Loki Messenger Desktop
Storage Server
Messenger Mobile (iOS and Android)
https://github.com/loki-project/loki-messenger-android/commits/master.
--------------------------
Thanks,
Kee
submitted by Keejef to LokiProject [link] [comments]

Linux containers in void?

Hello,
I've been trying to start a debian stretch container and searched the web for solutions but found none that helped.
It really dosn't matter which systemd container I have.
The problem seems to be that it refuses to start the systemd process and then freezes. Has any one experienced this before?
Steps to reproduce: ```txt

/etc/lxc/default.conf

lxc.idmap = u 0 100000 65536 lxc.idmap = g 0 100000 65536

/etc/subuid

root:100000:65536

/etc/subgid

root:100000:65536 ```
```bash
sudo lxc-create -n playtime -t download -- --dist debian --release stretch --arch amd64
sudo lxc-start -n playtime -o debug -l debug -F txt systemd 232 running in system mode. (+PAMSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECC Detected virtualization lxc. Detected architecture x86-64.
Welcome to Debian GNU/Linux 9 (stretch)!
Set hostname to . Failed to read AF_UNIX datagram queue len Failed to install release agent, ignoring Failed to create /init.scope control grou Failed to allocate manager object: Permis [!!!!!!] Failed to allocate manager objec Freezing execution. ```
```txt

Debug output

lxc-start playtime 20190712064740.457 ERROR lxcstart - tools/lxc_start.c:main:214 - You lack access to /home/lxc/.local/share/lxc lxc-start playtime 20190712064748.723 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type u nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712064748.723 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type g nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712064748.724 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount # comment this to allow umount -f; not recommended" lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]" lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1" lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno) lxc-start playtime 20190712064748.724 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1" lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1" lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1" lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1" lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno) lxc-start playtime 20190712064748.725 INFO seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context lxc-start playtime 20190712064748.726 DEBUG terminal - terminal.c:lxc_terminal_peer_default:714 - Using terminal "/dev/tty" as proxy lxc-start playtime 20190712064748.727 DEBUG terminal - terminal.c:lxc_terminal_signal_init:192 - Created signal fd 9 lxc-start playtime 20190712064748.727 DEBUG terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 105 columns and 61 rows lxc-start playtime 20190712064748.727 INFO start - start.c:lxc_init:906 - Container "playtime" is initialized lxc-start playtime 20190712064748.728 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712064748.730 INFO cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1419 - The monitor process uses "lxc.monitoplaytime" as cgroup lxc-start playtime 20190712064748.731 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start playtime 20190712064748.736 INFO network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from brmgr0 lxc-start playtime 20190712064748.737 INFO network - network.c:instantiate_veth:175 - Attached "veth69WEWA" to bridge "brmgr0" lxc-start playtime 20190712064748.737 DEBUG network - network.c:instantiate_veth:201 - Instantiated veth "veth69WEWA/vethF3QTYN", index is "6" lxc-start playtime 20190712064748.738 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712064748.741 INFO cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1497 - The container uses "lxc.payload/playtime" as cgroup lxc-start playtime 20190712064748.744 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWUSER lxc-start playtime 20190712064748.744 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWNS lxc-start playtime 20190712064748.744 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWPID lxc-start playtime 20190712064748.744 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWUTS lxc-start playtime 20190712064748.744 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWIPC lxc-start playtime 20190712064748.745 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14 lxc-start playtime 20190712064748.745 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15 lxc-start playtime 20190712064748.745 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16 lxc-start playtime 20190712064748.745 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17 lxc-start playtime 20190712064748.745 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18 lxc-start playtime 20190712064748.745 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712064748.745 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712064748.745 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712064748.762 INFO start - start.c:do_start:1152 - Unshared CLONE_NEWNET lxc-start playtime 20190712064748.764 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712064748.764 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712064748.764 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712064748.778 DEBUG start - start.c:lxc_spawn:1761 - Preserved net namespace via fd 10 lxc-start playtime 20190712064748.783 DEBUG network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "vethF3QTYN"/"eth0" to network namespace of 2678 lxc-start playtime 20190712064748.784 NOTICE utils - utils.c:lxc_switch_uid_gid:1386 - Switched to gid 0 lxc-start playtime 20190712064748.784 NOTICE utils - utils.c:lxc_switch_uid_gid:1395 - Switched to uid 0 lxc-start playtime 20190712064748.784 NOTICE utils - utils.c:lxc_setgroups:1408 - Dropped additional groups lxc-start playtime 20190712064748.784 INFO start - start.c:do_start:1258 - Unshared CLONE_NEWCGROUP lxc-start playtime 20190712064748.785 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start playtime 20190712064748.785 DEBUG conf - conf.c:lxc_mount_rootfs:1357 - Mounted rootfs "/valib/lxc/playtime/rootfs" onto "/valxc/containers" with options "(null)" lxc-start playtime 20190712064748.785 INFO conf - conf.c:setup_utsname:816 - Set hostname to "playtime" lxc-start playtime 20190712064748.789 DEBUG network - network.c:setup_hw_addr:2767 - Mac address "ee:ec:fa:c5:a4:30" on "eth0" has been setup lxc-start playtime 20190712064748.790 DEBUG network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "eth0" has been setup lxc-start playtime 20190712064748.790 INFO network - network.c:lxc_setup_network_in_child_namespaces:3053 - network has been setup lxc-start playtime 20190712064748.790 INFO conf - conf.c:mount_autodev:1143 - Preparing "/dev" lxc-start playtime 20190712064748.791 INFO conf - conf.c:mount_autodev:1190 - Prepared "/dev" lxc-start playtime 20190712064748.792 INFO conf - conf.c:run_script_argv:356 - Executing script "/usshare/lxcfs/lxc.mount.hook" for container "playtime", config section "lxc" lxc-start playtime 20190712064748.801 INFO conf - conf.c:lxc_fill_autodev:1234 - Populating "/dev" lxc-start playtime 20190712064748.801 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/full" onto "/valxc/containers/dev/full" lxc-start playtime 20190712064748.801 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/null" onto "/valxc/containers/dev/null" lxc-start playtime 20190712064748.802 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/random" onto "/valxc/containers/dev/random" lxc-start playtime 20190712064748.802 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/tty" onto "/valxc/containers/dev/tty" lxc-start playtime 20190712064748.802 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/urandom" onto "/valxc/containers/dev/urandom" lxc-start playtime 20190712064748.802 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/zero" onto "/valxc/containers/dev/zero" lxc-start playtime 20190712064748.802 INFO conf - conf.c:lxc_fill_autodev:1311 - Populated "/dev" lxc-start playtime 20190712064748.802 DEBUG conf - conf.c:mount_entry:2052 - Remounting "/sys/fs/fuse/connections" on "/valxc/containers/sys/fs/fuse/connections" to respect bind or remount options lxc-start playtime 20190712064748.803 DEBUG conf - conf.c:mount_entry:2073 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14 lxc-start playtime 20190712064748.803 DEBUG conf - conf.c:mount_entry:2127 - Mounted "/sys/fs/fuse/connections" on "/valxc/containers/sys/fs/fuse/connections" with filesystem type "none" lxc-start playtime 20190712064748.803 INFO conf - conf.c:mount_file_entries:2358 - Finished setting up mounts lxc-start playtime 20190712064748.803 DEBUG conf - conf.c:lxc_setup_dev_console:1796 - Mounted pts device "/dev/pts/1" onto "/valxc/containers/dev/console" lxc-start playtime 20190712064748.803 INFO utils - utils.c:lxc_mount_proc_if_needed:1239 - I am 1, /proc/self points to "1" lxc-start playtime 20190712064748.808 WARN conf - conf.c:lxc_setup_devpts:1641 - Invalid argument - Failed to unmount old devpts instance lxc-start playtime 20190712064748.809 DEBUG conf - conf.c:lxc_setup_devpts:1678 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024" lxc-start playtime 20190712064748.809 DEBUG conf - conf.c:lxc_setup_devpts:1697 - Created dummy "/dev/ptmx" file as bind mount target lxc-start playtime 20190712064748.809 DEBUG conf - conf.c:lxc_setup_devpts:1702 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx" lxc-start playtime 20190712064748.809 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/0" with master fd 11 and slave fd 14 lxc-start playtime 20190712064748.809 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/1" with master fd 15 and slave fd 16 lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/2" with master fd 17 and slave fd 18 lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/3" with master fd 19 and slave fd 20 lxc-start playtime 20190712064748.810 INFO conf - conf.c:lxc_allocate_ttys:1030 - Finished creating 4 tty devices lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/0" onto "/dev/tty1" lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/1" onto "/dev/tty2" lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/2" onto "/dev/tty3" lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/3" onto "/dev/tty4" lxc-start playtime 20190712064748.810 INFO conf - conf.c:lxc_setup_ttys:974 - Finished setting up 4 /dev/tty device(s) lxc-start playtime 20190712064748.810 INFO conf - conf.c:setup_personality:1741 - Set personality to "0x0" lxc-start playtime 20190712064748.810 DEBUG conf - conf.c:setup_caps:2553 - Capabilities have been setup lxc-start playtime 20190712064748.810 NOTICE conf - conf.c:lxc_setup:3745 - The container "playtime" is set up lxc-start playtime 20190712064748.811 DEBUG start - start.c:lxc_spawn:1836 - Preserved cgroup namespace via fd 19 lxc-start playtime 20190712064748.811 NOTICE start - start.c:start:2058 - Exec'ing "/sbin/init" lxc-start playtime 20190712064748.812 NOTICE start - start.c:post_start:2069 - Started "/sbin/init" with pid "2678" lxc-start playtime 20190712064748.813 NOTICE start - start.c:signal_handler:430 - Received 17 from pid 2679 instead of container init 2678 lxc-start playtime 20190712064751.508 DEBUG terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 70 columns and 61 rows lxc-start playtime 20190712064901.698 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type u nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712064901.698 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type g nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712064901.699 DEBUG commands - commands.c:lxc_cmd_rsp_recv:165 - Response data length for command "get_init_pid" is 0 lxc-start playtime 20190712064901.700 DEBUG commands - commands.c:lxc_cmd_rsp_recv:165 - Response data length for command "get_state" is 0 lxc-start playtime 20190712064901.700 DEBUG commands - commands.c:lxc_cmd_get_state:585 - Container "playtime" is in "RUNNING" state lxc-start playtime 20190712064901.700 ERROR lxc_start - tools/lxc_start.c:main:280 - Container is already running lxc-start playtime 20190712064949.695 DEBUG start - start.c:signal_handler:447 - Container init process 2678 exited lxc-start playtime 20190712064949.696 DEBUG start - start.c:lxc_start:2015 - Unknown exit status for container "playtime" init 9 lxc-start playtime 20190712064949.696 INFO error - error.c:lxc_error_set_and_log:54 - Child <2678> ended on signal (9) lxc-start playtime 20190712064949.696 WARN network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "eth0" with index 6 lxc-start playtime 20190712064949.696 DEBUG network - network.c:lxc_delete_network:3180 - Deleted network devices lxc-start playtime 20190712064949.698 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712064949.698 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712064949.698 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712064949.720 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712064949.727 INFO conf - conf.c:run_script_argv:356 - Executing script "/usshare/lxcfs/lxc.reboot.hook" for container "playtime", config section "lxc" lxc-start playtime 20190712065055.237 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type u nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712065055.238 INFO confile - confile.c:set_config_idmaps:1673 - Read uid map: type g nsid 0 hostid 100000 range 65536 lxc-start playtime 20190712065055.238 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount # comment this to allow umount -f; not recommended" lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]" lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1" lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1" lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712065055.238 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1" lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1" lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1" lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno) lxc-start playtime 20190712065055.239 INFO seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context lxc-start playtime 20190712065055.240 DEBUG terminal - terminal.c:lxc_terminal_peer_default:714 - Using terminal "/dev/tty" as proxy lxc-start playtime 20190712065055.240 DEBUG terminal - terminal.c:lxc_terminal_signal_init:192 - Created signal fd 9 lxc-start playtime 20190712065055.240 DEBUG terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 213 columns and 61 rows lxc-start playtime 20190712065055.241 INFO start - start.c:lxc_init:906 - Container "playtime" is initialized lxc-start playtime 20190712065055.241 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712065055.243 INFO cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1419 - The monitor process uses "lxc.monitoplaytime" as cgroup lxc-start playtime 20190712065055.244 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start playtime 20190712065055.245 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712065055.247 INFO cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1497 - The container uses "lxc.payload/playtime" as cgroup lxc-start playtime 20190712065055.248 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWUSER lxc-start playtime 20190712065055.249 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWNS lxc-start playtime 20190712065055.249 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWPID lxc-start playtime 20190712065055.249 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWUTS lxc-start playtime 20190712065055.249 INFO start - start.c:lxc_spawn:1707 - Cloned CLONE_NEWIPC lxc-start playtime 20190712065055.249 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14 lxc-start playtime 20190712065055.249 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15 lxc-start playtime 20190712065055.249 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16 lxc-start playtime 20190712065055.249 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17 lxc-start playtime 20190712065055.249 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18 lxc-start playtime 20190712065055.249 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712065055.249 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712065055.249 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712065055.261 INFO start - start.c:do_start:1152 - Unshared CLONE_NEWNET lxc-start playtime 20190712065055.264 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712065055.264 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712065055.264 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712065055.276 DEBUG start - start.c:lxc_spawn:1761 - Preserved net namespace via fd 10 lxc-start playtime 20190712065055.276 NOTICE utils - utils.c:lxc_switch_uid_gid:1386 - Switched to gid 0 lxc-start playtime 20190712065055.276 NOTICE utils - utils.c:lxc_switch_uid_gid:1395 - Switched to uid 0 lxc-start playtime 20190712065055.276 NOTICE utils - utils.c:lxc_setgroups:1408 - Dropped additional groups lxc-start playtime 20190712065055.276 INFO start - start.c:do_start:1258 - Unshared CLONE_NEWCGROUP lxc-start playtime 20190712065055.277 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start playtime 20190712065055.277 DEBUG conf - conf.c:lxc_mount_rootfs:1357 - Mounted rootfs "/valib/lxc/playtime/rootfs" onto "/valxc/containers" with options "(null)" lxc-start playtime 20190712065055.277 INFO conf - conf.c:setup_utsname:816 - Set hostname to "playtime" lxc-start playtime 20190712065055.277 INFO conf - conf.c:mount_autodev:1143 - Preparing "/dev" lxc-start playtime 20190712065055.278 INFO conf - conf.c:mount_autodev:1190 - Prepared "/dev" lxc-start playtime 20190712065055.278 INFO conf - conf.c:run_script_argv:356 - Executing script "/usshare/lxcfs/lxc.mount.hook" for container "playtime", config section "lxc" lxc-start playtime 20190712065055.287 INFO conf - conf.c:lxc_fill_autodev:1234 - Populating "/dev" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/full" onto "/valxc/containers/dev/full" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/null" onto "/valxc/containers/dev/null" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/random" onto "/valxc/containers/dev/random" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/tty" onto "/valxc/containers/dev/tty" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/urandom" onto "/valxc/containers/dev/urandom" lxc-start playtime 20190712065055.287 DEBUG conf - conf.c:lxc_fill_autodev:1307 - Bind mounted host device node "/dev/zero" onto "/valxc/containers/dev/zero" lxc-start playtime 20190712065055.287 INFO conf - conf.c:lxc_fill_autodev:1311 - Populated "/dev" lxc-start playtime 20190712065055.288 DEBUG conf - conf.c:mount_entry:2052 - Remounting "/sys/fs/fuse/connections" on "/valxc/containers/sys/fs/fuse/connections" to respect bind or remount options lxc-start playtime 20190712065055.288 DEBUG conf - conf.c:mount_entry:2073 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14 lxc-start playtime 20190712065055.288 DEBUG conf - conf.c:mount_entry:2127 - Mounted "/sys/fs/fuse/connections" on "/valxc/containers/sys/fs/fuse/connections" with filesystem type "none" lxc-start playtime 20190712065055.288 INFO conf - conf.c:mount_file_entries:2358 - Finished setting up mounts lxc-start playtime 20190712065055.288 DEBUG conf - conf.c:lxc_setup_dev_console:1796 - Mounted pts device "/dev/pts/1" onto "/valxc/containers/dev/console" lxc-start playtime 20190712065055.288 INFO utils - utils.c:lxc_mount_proc_if_needed:1239 - I am 1, /proc/self points to "1" lxc-start playtime 20190712065055.299 WARN conf - conf.c:lxc_setup_devpts:1641 - Invalid argument - Failed to unmount old devpts instance lxc-start playtime 20190712065055.299 DEBUG conf - conf.c:lxc_setup_devpts:1678 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024" lxc-start playtime 20190712065055.299 DEBUG conf - conf.c:lxc_setup_devpts:1697 - Created dummy "/dev/ptmx" file as bind mount target lxc-start playtime 20190712065055.300 DEBUG conf - conf.c:lxc_setup_devpts:1702 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx" lxc-start playtime 20190712065055.300 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/0" with master fd 11 and slave fd 14 lxc-start playtime 20190712065055.300 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/1" with master fd 15 and slave fd 16 lxc-start playtime 20190712065055.300 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/2" with master fd 17 and slave fd 18 lxc-start playtime 20190712065055.300 DEBUG conf - conf.c:lxc_allocate_ttys:1014 - Created tty "/dev/pts/3" with master fd 19 and slave fd 20 lxc-start playtime 20190712065055.300 INFO conf - conf.c:lxc_allocate_ttys:1030 - Finished creating 4 tty devices lxc-start playtime 20190712065055.301 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/0" onto "/dev/tty1" lxc-start playtime 20190712065055.301 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/1" onto "/dev/tty2" lxc-start playtime 20190712065055.301 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/2" onto "/dev/tty3" lxc-start playtime 20190712065055.301 DEBUG conf - conf.c:lxc_setup_ttys:965 - Bind mounted "/dev/pts/3" onto "/dev/tty4" lxc-start playtime 20190712065055.301 INFO conf - conf.c:lxc_setup_ttys:974 - Finished setting up 4 /dev/tty device(s) lxc-start playtime 20190712065055.301 INFO conf - conf.c:setup_personality:1741 - Set personality to "0x0" lxc-start playtime 20190712065055.301 DEBUG conf - conf.c:setup_caps:2553 - Capabilities have been setup lxc-start playtime 20190712065055.301 NOTICE conf - conf.c:lxc_setup:3745 - The container "playtime" is set up lxc-start playtime 20190712065055.302 DEBUG start - start.c:lxc_spawn:1836 - Preserved cgroup namespace via fd 19 lxc-start playtime 20190712065055.302 NOTICE start - start.c:start:2058 - Exec'ing "/sbin/init" lxc-start playtime 20190712065055.303 NOTICE start - start.c:post_start:2069 - Started "/sbin/init" with pid "3262" lxc-start playtime 20190712065055.303 NOTICE start - start.c:signal_handler:430 - Received 17 from pid 3263 instead of container init 3262 lxc-start playtime 20190712065129.723 DEBUG terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 41 columns and 6 rows lxc-start playtime 20190712065132.790 INFO terminal - terminal.c:lxc_terminal_io_cb:376 - Terminal client on fd 8 has exited lxc-start playtime 20190712065132.791 ERROR start - start.c:_lxc_start:1990 - Child process is not killed lxc-start playtime 20190712065132.793 DEBUG network - network.c:lxc_delete_network:3180 - Deleted network devices lxc-start playtime 20190712065132.795 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start playtime 20190712065132.795 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2889 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start playtime 20190712065132.795 DEBUG conf - conf.c:lxc_map_ids:2981 - Functional newuidmap and newgidmap binary found lxc-start playtime 20190712065132.830 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:619 - "cgroup.clone_children" was already set to "1" lxc-start playtime 20190712065132.841 INFO conf - conf.c:run_script_argv:356 - Executing script "/usshare/lxcfs/lxc.reboot.hook" for container "playtime", config section "lxc" ```
submitted by Mattemagikern to voidlinux [link] [comments]

Different rootfs per application

I'm designing my own Linux distro and I'm trying to emulate NixOS's capabilities without dealing with the nix store and the massive modifications required to many packages to get them to run in such an environment. I can distribute (efficiently) packages and all of their dependencies together using OSTree and certain manipulations, but I need some way to make the rootfs look different on a per-program basis. My plan is this: download the pkg+deps bundle, use overlayfs to layer the bundle on top of my rootfs, chroot into the unioned fs and run the app from the chroot.

Is there any better way to do this? If not, what is the best way to make chroot work without sudo/other privilege elevetion? I would probably have a special "launch-in-chroot" binary that would be setuid and would very simply do the unioning + chrooting. This, of course, can become a security risk if I don't do it perfectly. Maybe I can use fakechroot/fakeroot? What are my options?

Thank you
submitted by adrianvovk to linuxquestions [link] [comments]

Pwntools v3.0 Released

Hey guys, Pwntools developer here!
If you haven't used it before, Pwntools is a Python library/framework developing exploits for Capture The Flag (CTF) competitions, like DEFCON CTF, picoCTF, and wargames like pwnable.kr.
Pwntools makes the exploit developer's life easier by providing a suite of easy and quick tools that do exactly what an exploit developer would want them to -- without the hassle of writing template code or dealing with various minor gotchas.
If you're a new user to pwntools, you can check out the Getting Started page on the documentation, available at docs.pwntools.com.
The v3.0 release is a big one for us, and our first in over eighteen months!
Both existing and new users can install Pwntools with a simple pip install --upgrade pwntools.
For those who just want to see what's new, you can check out the CHANGELOG.md here.
In particular, all of the changes which were made on the Binjitsu fork of Pwntools have been merged back into upstream Pwntools.
Everything below here is the changelog, for ease of reference.

3.0.0 (August 20 2016)

This was a large release (1305 commits since 2.2.0) with a lot of bugfixes and changes. The Binjitsu project, a fork of Pwntools, was merged back into Pwntools. As such, its features are now available here.
As always, the best source of information on specific features is the comprehensive docs at https://pwntools.readthedocs.org.
This list of changes is non-complete, but covers all of the significant changes which were appropriately documented.

Android

Android support via a new adb module, context.device, context.adb_host, and context.adb_port.

Assembly and Shellcode

Context Module

DynELF and MemLeak Module

Encoders Module

ELF Module

Format Strings

GDB Module

ROP Module

Tubes Process Module

Tubes SSH Module

Utilities

submitted by ebeip90 to netsec [link] [comments]

Nginx + uWSGI + Django - can't get app to run from subfolder

EDIT: Formatting!
Ubuntu 18.04
uWSGI 2.0.17.1 (installed via pip3 / Python3, globally)
Django 2.1 (installed via pip3 / Python3, locally in virtualenv)
Nginx 1.14.0 (installed via apt package manager)
Hello all,
First of all, I hope that I am in the right subreddit for this - apologies if you think it might fit better somewhere else!
I have a problem configuring uWSGI and Django in a way that allows me to host Django apps in subfolders on my domain. The app in question is actually a simple empty Django project created with 'django-admin startproject mytest .' I basically want the app to be accessible under mydomain.tld/test, but I always receive a Django-generated 404 message:
Page not found (404) Request Method: GET Request URL: https://mydomain.tld/test/ Using the URLconf defined in mytest.urls, Django tried these URL patterns, in this order: admin/ The empty path didn't match any of these. 
The following are my configuration files:
uWSGI:
# mytest_uwsgi.ini file [uwsgi] project = mytest uid = myuser base = /home/%(uid)/Projects # Django-related settings # the base directory (full path) chdir = %(base)/%(project) # Django's wsgi file ;module = %(project).wsgi:application mount = /test=%(project).wsgi:application manage-script-name = true # the virtualenv (full path) home = /home/myuse.virtualenvs/django-test # process-related settings # master master = true # maximum number of worker processes processes = 5 # the socket (use the full path to be safe socket = /run/uwsgi/%(project).sock chown-socket = %(uid):www-data chmod-socket = 660 # ... with appropriate permissions - may be needed # chmod-socket = 664 # clear environment on exit vacuum = true 
Nginx:
upstream django { server unix:///run/uwsgi/mytest.sock; # for a file socket } server { listen 80 default_server; # IPv6 listen [::]:80 default_server; server_name mydomain.tld; root /vawww/html; # Django media location ^~ /test/media { alias /home/myuseProjects/mytest/media; # your Django project's media files - amend as required } location ^~ /test/static { alias /home/myuseProjects/mytest/static; # your Django project's static files - amend as required } # Finally, send all non-media requests to the Django server. location ^~ /test { uwsgi_pass django; include uwsgi_params; # the uwsgi_params file you installed #uwsgi_param SCRIPT_NAME /test; #uwsgi_param UWSGI_SCRIPT mytest; } } 
The result is the same, whether or not I comment out the uwsgi_params SCRIPT_NAME and / or UWSGI_SCRIPT.
Also, when I run uWSGI and Nginx with the configuration as above, the following is the output of uWSGI:
*** Starting uWSGI 2.0.17.1 (64bit) on [Wed Aug 8 14:49:17 2018] *** compiled with version: 7.3.0 on 07 August 2018 12:50:39 os: Linux-4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 nodename: myhostname machine: x86_64 clock source: unix pcre jit disabled detected number of CPU cores: 4 current working directory: /home/myuser detected binary path: /uslocal/bin/uwsgi uWSGI running as root, you can use --uid/--gid/--chroot options *** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** *** WARNING: you are running uWSGI without its master process manager *** your processes number limit is 31126 your memory page size is 4096 bytes detected max file descriptor number: 1024 *** starting uWSGI Emperor *** *** has_emperor mode detected (fd: 6) *** [uWSGI] getting INI configuration from mytest_uwsgi.ini *** Starting uWSGI 2.0.17.1 (64bit) on [Wed Aug 8 14:49:17 2018] *** compiled with version: 7.3.0 on 07 August 2018 12:50:39 os: Linux-4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 nodename: myhostname machine: x86_64 clock source: unix pcre jit disabled detected number of CPU cores: 4 current working directory: /etc/uwsgi/vassals detected binary path: /uslocal/bin/uwsgi chdir() to /home/myuseProjects/mytest your processes number limit is 31126 your memory page size is 4096 bytes detected max file descriptor number: 1024 lock engine: pthread robust mutexes thunder lock: disabled (you can enable it with --thunder-lock) uwsgi socket 0 bound to UNIX address /run/uwsgi/mytest.sock fd 3 setuid() to 1000 Python version: 3.6.5 (default, Apr 1 2018, 05:46:30) [GCC 7.3.0] Set PythonHome to /home/myuse.virtualenvs/django-test *** Python threads support is disabled. You can enable it with --enable-threads *** Python main interpreter initialized at 0x56157a214810 your server socket listen backlog is limited to 100 connections your mercy for graceful operations on workers is 60 seconds mapped 437520 bytes (427 KB) for 5 cores *** Operational MODE: preforking *** mounting mytest.wsgi:application on /test WSGI app 0 (mountpoint='/test') ready in 1 seconds on interpreter 0x56157a214810 pid: 3251 (default app) *** uWSGI is running in multiple interpreter mode *** spawned uWSGI master process (pid: 3251) Wed Aug 8 14:49:18 2018 - [emperor] vassal mytest_uwsgi.ini has been spawned spawned uWSGI worker 1 (pid: 3253, cores: 1) spawned uWSGI worker 2 (pid: 3254, cores: 1) spawned uWSGI worker 3 (pid: 3255, cores: 1) spawned uWSGI worker 4 (pid: 3256, cores: 1) Wed Aug 8 14:49:18 2018 - [emperor] vassal mytest_uwsgi.ini is ready to accept requests spawned uWSGI worker 5 (pid: 3257, cores: 1) Not Found: /test/ [pid: 3254|app: 0|req: 1/1] 88.207.194.215 () {52 vars in 1060 bytes} [Wed Aug 8 12:49:22 2018] GET /test => generated 1926 bytes in 41 msecs (HTTP/2.0 404) 3 headers in 102 bytes (2 switches on core 0) announcing my loyalty to the Emperor... Wed Aug 8 14:49:22 2018 - [emperor] vassal mytest_uwsgi.ini is now loyal 
So, as you can see, one striking message is the line "Not Found: /test/". I should also mention that when I configure everything to be run at the root of my webserver (i.e. removing the test/ part in Nginx's config), everything runs fine, meaning that I get the Django test page.
My understanding is that the most modern, common and flexible way to host multiple uWSGI apps (like Django) is to use mountpoints that correspond to the subfolder on the web server. And my understanding is also that uWSGI will handle all the necessary path translations itself, ie that no special variables should be necessary in Nginx's config. But somehow, I simply cannot get it to work.
Do you guys have any ideas? Thanks in advance for your help!
submitted by gentfede to nginx [link] [comments]

Error while running selenium webdriver on Heroku.

Hello guys!
I'm trying to deploy this part of code on heroku:
import os import time from selenium import webdriver from lxml.html import fromstring from multiprocessing import Pool, cpu_count def scrap_url(url): options = webdriver.ChromeOptions() options.add_argument('--headless') options.add_argument('--no-sandbox') options.add_argument('--disable-setuid-sandbox') options.binary_location = '/app/.apt/usbin/google-chrome' # get chromedriver from # https://sites.google.com/a/chromium.org/chromedrivedownloads browser = webdriver.Chrome(chrome_options=options, executable_path='/app/.chromedrivebin/chromedriver') browser.get(url) html_doc = browser.page_source tree = fromstring(html_doc) browser.close() return tree os.environ["LANG"] = "en_US.UTF-8" urls = ['https://google.com', 'https://google.com', ] start_time = time.time() pool = Pool(cpu_count()) pool.map(scrap_url, urls) pool.close() print(time.time() - start_time) 
I add buildpacks to my heroku app that contains google-chrome and webdriver
On my laptop it works fine, but on heroku it raises the following error:
Traceback (most recent call last): File "src/verify_games.py", line 35, in  pool.map(scrap_url, urls) File "/app/.heroku/python/lib/python3.6/multiprocessing/pool.py . ", line 266, in map return self._map_async(func, iterable, mapstar, chunksize).get() File "/app/.heroku/python/lib/python3.6/multiprocessing/pool.py", line 644, in get raise self._value selenium.common.exceptions.WebDriverException: Message: chrome not reachable (Session info: headless chrome=65.0.3325.181) (Driver info: chromedriver=2.37.544315 (730aa6a5fdba159ac9f4c1e8cbc59bf1b5ce12b7),platform=Linux 4.4.0-1014-aws x86_64) 
submitted by karambaq to learnpython [link] [comments]

Nginx + uWSGI + Django - can't get app to run from subfolder

Edit: Formatting
Ubuntu 18.04
uWSGI 2.0.17.1 (installed via pip3 / Python3, globally)
Django 2.1 (installed via pip3 / Python3, locally in virtualenv)
Nginx 1.14.0 (installed via apt package manager)
Hello all,
First of all, I hope that I am in the right subreddit for this - apologies if you think it might fit better somewhere else!
I have a problem configuring uWSGI and Django in a way that allows me to host Django apps in subfolders on my domain. The app in question is actually a simple empty Django project created with 'django-admin startproject mytest .' I basically want the app to be accessible under mydomain.tld/test, but I always receive a Django-generated 404 message:
Page not found (404) Request Method: GET Request URL: https://mydomain.tld/test/ Using the URLconf defined in mytest.urls, Django tried these URL patterns, in this order: admin/ The empty path didn't match any of these. 
The following are my configuration files:
uWSGI:
# mytest_uwsgi.ini file [uwsgi] project = mytest uid = myuser base = /home/%(uid)/Projects # Django-related settings # the base directory (full path) chdir = %(base)/%(project) # Django's wsgi file ;module = %(project).wsgi:application mount = /test=%(project).wsgi:application manage-script-name = true # the virtualenv (full path) home = /home/myuse.virtualenvs/django-test # process-related settings # master master = true # maximum number of worker processes processes = 5 # the socket (use the full path to be safe socket = /run/uwsgi/%(project).sock chown-socket = %(uid):www-data chmod-socket = 660 # ... with appropriate permissions - may be needed # chmod-socket = 664 # clear environment on exit vacuum = true 
Nginx:
upstream django { server unix:///run/uwsgi/mytest.sock; # for a file socket } server { listen 80 default_server; # IPv6 listen [::]:80 default_server; server_name mydomain.tld; root /vawww/html; # Django media location ^~ /test/media { alias /home/myuseProjects/mytest/media; # your Django project's media files - amend as required } location ^~ /test/static { alias /home/myuseProjects/mytest/static; # your Django project's static files - amend as required } # Finally, send all non-media requests to the Django server. location ^~ /test { uwsgi_pass django; include uwsgi_params; # the uwsgi_params file you installed #uwsgi_param SCRIPT_NAME /test; #uwsgi_param UWSGI_SCRIPT mytest; } } 
The result is the same, whether or not I comment out the uwsgi\_params SCRIPT\_NAME and / or UWSGI\_SCRIPT.
Also, when I run uWSGI and Nginx with the configuration as above, the following is the output of uWSGI:
*** Starting uWSGI 2.0.17.1 (64bit) on [Wed Aug 8 14:49:17 2018] *** compiled with version: 7.3.0 on 07 August 2018 12:50:39 os: Linux-4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 nodename: myhostname machine: x86_64 clock source: unix pcre jit disabled detected number of CPU cores: 4 current working directory: /home/myuser detected binary path: /uslocal/bin/uwsgi uWSGI running as root, you can use --uid/--gid/--chroot options *** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** *** WARNING: you are running uWSGI without its master process manager *** your processes number limit is 31126 your memory page size is 4096 bytes detected max file descriptor number: 1024 *** starting uWSGI Emperor *** *** has_emperor mode detected (fd: 6) *** [uWSGI] getting INI configuration from mytest_uwsgi.ini *** Starting uWSGI 2.0.17.1 (64bit) on [Wed Aug 8 14:49:17 2018] *** compiled with version: 7.3.0 on 07 August 2018 12:50:39 os: Linux-4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 nodename: myhostname machine: x86_64 clock source: unix pcre jit disabled detected number of CPU cores: 4 current working directory: /etc/uwsgi/vassals detected binary path: /uslocal/bin/uwsgi chdir() to /home/myuseProjects/mytest your processes number limit is 31126 your memory page size is 4096 bytes detected max file descriptor number: 1024 lock engine: pthread robust mutexes thunder lock: disabled (you can enable it with --thunder-lock) uwsgi socket 0 bound to UNIX address /run/uwsgi/mytest.sock fd 3 setuid() to 1000 Python version: 3.6.5 (default, Apr 1 2018, 05:46:30) [GCC 7.3.0] Set PythonHome to /home/myuse.virtualenvs/django-test *** Python threads support is disabled. You can enable it with --enable-threads *** Python main interpreter initialized at 0x56157a214810 your server socket listen backlog is limited to 100 connections your mercy for graceful operations on workers is 60 seconds mapped 437520 bytes (427 KB) for 5 cores *** Operational MODE: preforking *** mounting mytest.wsgi:application on /test WSGI app 0 (mountpoint='/test') ready in 1 seconds on interpreter 0x56157a214810 pid: 3251 (default app) *** uWSGI is running in multiple interpreter mode *** spawned uWSGI master process (pid: 3251) Wed Aug 8 14:49:18 2018 - [emperor] vassal mytest_uwsgi.ini has been spawned spawned uWSGI worker 1 (pid: 3253, cores: 1) spawned uWSGI worker 2 (pid: 3254, cores: 1) spawned uWSGI worker 3 (pid: 3255, cores: 1) spawned uWSGI worker 4 (pid: 3256, cores: 1) Wed Aug 8 14:49:18 2018 - [emperor] vassal mytest_uwsgi.ini is ready to accept requests spawned uWSGI worker 5 (pid: 3257, cores: 1) Not Found: /test/ [pid: 3254|app: 0|req: 1/1] 88.207.194.215 () {52 vars in 1060 bytes} [Wed Aug 8 12:49:22 2018] GET /test => generated 1926 bytes in 41 msecs (HTTP/2.0 404) 3 headers in 102 bytes (2 switches on core 0) announcing my loyalty to the Emperor... Wed Aug 8 14:49:22 2018 - [emperor] vassal mytest_uwsgi.ini is now loyal 
So, as you can see, one striking message is the line "Not Found: /test/". I should also mention that when I configure everything to be run at the root of my webserver (i.e. removing the test/ part in Nginx's config), everything runs fine, meaning that I get the Django test page.
My understanding is that the most modern, common and flexible way to host multiple uWSGI apps (like Django) is to use mountpoints that correspond to the subfolder on the web server. And my understanding is also that uWSGI will handle all the necessary path translations itself, ie that no special variables should be necessary in Nginx's config. But somehow, I simply cannot get it to work.
Do you guys have any ideas? Thanks in advance for your help!
submitted by gentfede to django [link] [comments]

grsecurity Linux will make the Priv the most secure mobile device out there.

Not much has been said about the use of grsecurity Linux by BlackBerry. But, it's a huge deal in terms of security and goes above and beyond what SELinux provides. Here's a list of the additional security enhancements grsecurity Linux brings to the table:
Industry-leading ASLR Grsecurity has led the way over the years in providing a proper ASLR implementation that deals with the many ways in which an attacker can influence ASLR or defeat it through system-provided information leaks and entropy reduction. In addition, the number of bits of entropy applied to randomization of each memory region is significantly higher in grsecurity compared to upstream's weaker ASLR implementation.
Bounds checks on kernel copies to/from userland This feature hardens the functions the Linux kernel uses to copy data to and from user applications. It ensures copies to/from a heap object don't exceed the object's size and that stack copies don't exceed the size of the stack frame. It further prevents modifying or leaking sensitive kernel objects via these functions.
Prevents direct userland access by kernel Through PaX's UDEREF and KERNEXEC features, grsecurity forces any userland data access to go through an approved accessor and rejects any attempt to execute userland code in kernel context. This prevents exploitation of an entire class of vulnerabilities of which null pointer dereferences are just a subset. Another member of that larger class, commonly exploited on other OSes, involves the various magic values used throughout the kernel. Many of these magic values, when interpreted as pointers especially on 32-bit platforms, will point into userland. On a system without grsecurity, an attacker can provide specially crafted data at these addresses in order to exploit the system. Most kernel exploits released for Linux require the ability to execute or directly access data in userland -- by preventing both of these things, grsecurity has rendered useless the majority of released Linux kernel exploits. In another sense, grsecurity provides functionality equivalent to the SMEP and (unreleased) SMAP features of modern Intel processors, on older x86 processors and even the ARM platform.
Prevents kernel stack overflows on 64-bit architectures While vulnerabilities arising through the improper use of variable-length-arrays (VLAs) and runtime stack allocation are handled automatically with a GCC plugin, grsecurity also provides a feature to prevent exploitation arising from other sources of kernel stack overflows: deep nesting and recursion. On a mainline Linux kernel, a kernel task is free to overflow its stack into adjacent heap objects in order to escalate privilege. Grsecurity places kernel stacks non-contiguously in a separate memory region on 64-bit architectures to avoid any such abuse.
Hardened userland memory permissions Though mainline Linux now supports NX and a weaker ASLR, by default it does nothing to prevent the introduction of malicious code into a process. While initial control flow hijacking may occur through ROP, the pattern consistently seen on Windows and other OSes is that the majority of the exploit's payload is performed within allocated RWX memory. Grsecurity eliminates this weakness by default, greatly driving up the costs of exploitation and raising the bar above the capabilities of most attackers.
Random padding between thread stacks Linux distros generally do not compile code with the -fstack-check flag to GCC, making it possible to exploit incorrectly-sized calls to alloca(). By taking advantage of pthread's behavior of allocating quickly-created thread stacks adjacent to each other, the stack of another thread can be reliably modified to achieve exploitation. Randomizing the offset between thread stacks removes the reliability of this technique, generally reducing the exploit to a crash.
Hardened BPF JIT against spray attacks The Linux kernel contains functionality that allows it to generate machine code at runtime to speed up packet filtering and SECCOMP rules. This functionality can be abused by attackers as they are able to both pre-determine the contents of the generated machine code and also fully control certain arbitrary values within that content that permit them to execute arbitrary code through an unintended instruction sequence. Grsecurity uses a technique called "constant blinding" to prevent an attacker from having enough control over the generated machine code to launch a successful attack. Unlike upstream's attempts at resolving this problem, our solution is resistent to leaks of the location and contents of the JIT-generated code. In the default, JIT-disabled mode, grsecurity also protects the execution environment against a corrupted interpreter buffer.
Automatically responds to exploit bruteforcing Even if all system-level infoleak sources and methods of entropy reduction are closed down, there remains the fact that a Linux system is generally unable to prevent bruteforcing of arbitrary network services and suid/sgid binaries. Grsecurity solves this issue by forcing a delay between forks of network services being bruteforced and bans users from executing suid/sgid apps for a period of time if they cause one to crash. Grsecurity takes a similar approach to preventing repeated attempts at exploiting kernel vulnerabilities. After the first detected attempt causing an OOPS message, grsecurity bans that unprivileged user from the system until restart.
Chroot hardening grsecurity's chroot hardening automatically converts all uses of chroot into real jails with confinement levels equivalent to containers. Processes inside a chroot will not be able to create suid/sgid binaries, see or attack processes outside the chroot jail, mount filesystems, use sensitive capabilities, or modify UNIX domain sockets or shared memory created outside the chroot jail.
Prevents users from tricking Apache into accessing other users' files If Apache is configured to allow following of symlinks, it is trivial in most webhosting configurations to force it to reveal sensitive data from other users' webroots. While Apache has a feature that aims to mitigate this risk, it suffers from an unsolvable Time-Of-Check/Time-Of-Use (TOCTOU) race condition. Grsecurity solves this problem by enforcing at the kernel-level that Apache can't follow symlinks owned by one user but pointing to the files of a different user.
Eliminates side-channel attacks against admin terminals Demonstrating our ability to swiftly respond to new threats, this feature was developed the same day as Vladz' report on a side-channel attack against the /dev/ptmx device. While we immediately handled a more generalized form of the attack, as of over a year later, upstream Linux has still failed to prevent one of the two attack vectors explicitly listed in the original report.
Provides Trusted Path Execution Trusted Path Execution (TPE) is an old and simple concept. It dates back to at least 1998 with route's Phrack 62 article linked below. The goal of TPE is to provide an easily-configurable and generally software compatible method of preventing unprivileged users from executing binaries they create. Grsecurity extends the idea of TPE a bit and resolves some vulnerabilities in the original design in the process (for instance, TPE is not bypassed via ld.so under grsecurity).
Hide other users' processes for unprivileged users While the upstream kernel now provides a mount option for /proc to hide other unprivileged users' processes, grsecurity goes beyond this by hiding such information by default, hiding additional sources of sensitive information provided by the kernel in /proc, and hiding private network-related information of all users. Not only is the networking information a violation of the privacy of other users on the system, but it has also been useful in the past for TCP hijacking attacks.
Prevents ptrace-based process snooping This feature was introduced to deal with ptrace-based userland rootkits and other malicious process hijacking. Importantly, it preserves the ability of a user to debug his/her own programs through a novel implementation that enforces a process can only attach to its children.
Prevents attackers from auto-loading vulnerable kernel modules Your webhosting server has no need for a protocol used only in cars, or one for HAM radios, but your distro's kernel configuration likely causes modules for these to be built -- useful only for exploiting your system. While Linux distros continue to take a reactive approach (via blacklisting) to vulnerable, rarely-legitimately used modules like these, grsecurity uses a proactive approach that prevents unprivileged users from auto-loading kernel modules. The below list of example exploits for vulnerable and rarely used kernel modules is far from exhaustive, but is provided to serve as demonstration.
Prevents dumping unreadable binaries On a normal distro kernel, it's not possible to allow a user to execute a program without also giving away the full contents of the program's binary image. While direct reads are denied, a user can ptrace themselves and then execute the binary, using ptrace to extract out the entire mapped contents of the binary image -- even if that binary is setuid root. This information leak can be useful in creating reliable exploits against custom-compiled binaries. This weakness was abused by Jason Donenfeld, for example, in his exploit for the /proc/pid/mem kernel vulnerability.
Enforces consistent multithreaded privileges Though glibc wraps calls to setuid() and setgid() with magic signals that cause other threads in a process to change their credentials as well, other libcs and multithreaded applications in other languages do not do this, leading to unexpected vulnerable results of a thread running as root that the developers believe is running unprivileged. Since it's also conceptually wrong for threads sharing the same address space to be running with radically different privilege, grsecurity enforces glibc's behavior at the kernel level despite what language or libc is involved in userland.
Denies access to overly-permissive IPC objects This feature was developed in response to research done by Portcullis Labs who surveyed use of shared memory in Linux software with surprising results -- many were unnecessarily granting all users on the system the ability to read and or write their created shared memory. Since in many cases this can result in security vulnerabilities, grsecurity locks down access to overly-permissive shared memory and other IPC objects in such a way that does not impact normal operations.
submitted by BlackBerryEngineer to blackberry [link] [comments]

HackTheBox - Ellingson Ignite TryHackMe Walkthrough Full Explaination 5.2 Special Permission in Linux : Set UID, GID and Sticky bit Digital Lock-picking - TryHackMe - Vulnversity Try Hack Me - MADNESS Linux Tutorial for Beginners - 8 - File Permissions - YouTube Red Hat Linux Administration & Advance level of Troubleshooting

Ahora Opciones Binarias puerto carreño en español Thursday, November 24, 2016. Setuid Binary Options Jul. 6. Setuid Binary Options The nosuid option provides additional security for NFS clients that access potentially untrusted servers. The mounting of remote file systems with this option reduces the chance of privilege escalation through importing untrusted devices or importing untrusted setuid binary files. All these options are available in all Solaris file systems. I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like it was being ignored with the setuid binary, though it was working when I tried it with others like ls, dir etc. . From the documentation of LD_PRELOAD: LD_PRELOAD A whitespace-separated list of additional, user-specified, ELF shared libraries to be ... Even though Slackware’s default options enhance its security, it might not necessarily be as secure in terms of suid/guid binaries. II. RELATED WORK The lack of documentation on the workings of the setuid and setgid mechanisms result with insufficient research done on the subject as well. Hao Chen, David Wagner and Drew Dean [2] researched the workings of setuid and setgid by analyzing the ... Most systems will reveal a few files with the setuid or setgid bit set. So having a few on your system is not an issue, but still room for improvement. Let’s have a look at the options: Remove the package. Sometimes we come across files which we simply don’t need on our system. Debian / Ubuntu: dpkg -s /path/to/binary or dpkg-query -S /path ... Tuesday, October 18, 2016. Find Setuid 0 Binary Options The setuid sandbox helper is suid to root, because it needs to perform functions that are only available to root. If it were possible to set the appropriate permissions without first gaining root privileges, that would be a very serious vulnerability in Linux. Fortunately for Linux, and unfortunately for us, that is not the case. We use the default setting in GCC without any options. By default, the compiled binary has the security feature Partial RELRO and NX enabled. Figure 1. Compiling the vulnerable program with the default setting Relocation Read-Only (or RELRO) is a security measure that makes some binary sections read-only. There are two RELRO "modes": partial and full. For Partial RELRO, some sections are ... A setuid/setgid Go program is reasonably safe, with one major caveat. Go setuid/setgid programs are in general no more, and no less, secure than C/C++ setuid/setgid programs. It's true that you can force a Go program to dump core by running it with the environment variable GOTRACEBACK=crash and then sending it a signal. However, this is OK for your purposes because the Go program will (try to ...

[index] [8790] [7030] [28796] [12871] [11800] [22283] [12454] [28288] [23063] [24655]

HackTheBox - Ellingson

Website - https://thenewboston.com/ GitHub - https://github.com/thenewboston-developers Reddit - https://www.reddit.com/r/thenewboston/ Twitter - https://twi... Do it yourself first : https://tryhackme.com/room/ignite FUEL CMS 1.4 Remote Code Execution Like , Share , Subscribe and Comment down below... This is hopefully the first of many videos on what I call, Digital Lock-picking. This is/was a lock-picking channel, so Im trying to keep with that theme lol. Ive recently gotten back into cyber ... Vulnerable SUID Binary Version. Loading... Autoplay When autoplay is enabled, a suggested video will automatically play next. Up next Hack The Box - RESOLUTE (Fast and Ez way Metasploit ... Special Linux File permissions and their Use (setuid, setgid, sticky bit) - Duration: 19:05. ... Best Binary Options Strategy 2020 - 2 Minute Strategy LIVE TRAINING! - Duration: 43:42. BLW Online ... Setuid, Setguid, Sticky bit, ACL etc Two Labs to demonstrate the permissions from real IT industry environment. Disk Partitions & File Systems Creations Creating the partitions in a simple disk ... 22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it 24:20 - Using Ghidra to verify we are not missing any functionality 27:30 - Using find to discover what files the ...

https://arab-binary-option.giasubsducvia.tk