linux – On a single user laptop does it make sense to have a separate password for root and the user?

It’s all about your own personal risk tolerance and your threat model. In short, you are worried about someone who is physically in possession of your laptop and has guessed your user password, and you want to keep them from having full admin rights. I’m having a hard time coming up with a scenario where that may actually happen, so I can’t help but think that you are overthinking this. Moreover, for most personal computers, the user account is typically more critical than admin access:

https://xkcd.com/1200/

Then again, remembering two passwords isn’t much harder than memorizing one, so go for it if you want. Just make sure you have a way to copy your data off the machine without needing admin credentials – you’ll want to do that if you ever forget your admin credentials and need to reinstall.

Still, I might suggest an alternate solution:

Use a strong password and don’t tell it to anyone

linux – How do I get snort to detect traffic going to metasploitable docker container?

I have set up Snort and I have Metasploitable 2 running in a Docker container on a CentOS 7 host. I am trying to get Snort to detect traffic traveling to the Metasploitable 2 container. I’ve tried pinging the metasploitable2 container from my host but Snort doesn’t detect it. It doesn’t detect when I ping my host from my Metasploitable container.

However Snort detects my pings whenever I ping google.com or other websites from my host. It

How do I get Snort to detect traffic traveling to a docker container?

linux – Can a file descriptor ready for IO become unready before any IO operation is performed on it?

In The Linux Programming Interface, on p1327 in 63.1 Overview of 63 Alternative Models

In effect, I/O multiplexing, signal-driven I/O, and epoll are all methods of achieving the same result—monitoring one or, commonly, several file descriptors simultaneously to see if they are ready to perform I/O (to be precise, to see whether an I/O system call could be performed without blocking). The transition of a file descriptor into a ready state is triggered by some type of I/O event, such as the arrival of input, the completion of a socket connection, or the availability of space in a previously full socket send buffer after TCP transmits queued data to the socket peer.

and in 63.3 Signal-Driven I/O, one of the methods mentioned above,

63.3.1 When Is “I/O Possible” Signaled?

We now consider the details of when “I/O possible” is signaled for various file types.

Terminals and pseudoterminals

For terminals and pseudoterminals, a signal is generated whenever new input becomes available, even if previous input has not yet been read. “Input possible” is also signaled if an end-of-file condition occurs on a terminal (but not on a pseudoterminal). There is no “output possible” signaling for terminals. A terminal disconnect is also not signaled. Starting with kernel 2.4.19, Linux provides “output possible” signaling for the slave side of a pseudoterminal. This signal is generated whenever input is consumed on the master side of the pseudoterminal.

For the read end of a pipe or FIFO, a signal is generated in these
circumstances:

  • Data is written to the pipe (even if there was already unread input available).

  • The write end of the pipe is closed.

For the write end of a pipe or FIFO, a signal is generated in these circumstances:

  • A read from the pipe increases the amount of free space in the pipe so that it is now possible to write PIPE_BUF bytes without blocking.

  • The read end of the pipe is closed.

Signal-driven I/O works for datagram sockets in both the UNIX and the
Internet domains. A signal is generated in the following
circumstances:

  • An input datagram arrives on the socket (even if there were already unread datagrams waiting to be read).

  • An asynchronous error occurs on the socket.

Signal-driven I/O works for stream sockets in both the UNIX
and the Internet domains. A signal is generated in the following
circumstances:

  • A new connection is received on a listening socket.

  • A TCP connect() request completes; that is, the active end of a TCP connection entered the ESTABLISHED state, as shown in Figure 61-5
    (page 1272). The analogous condition is not signaled for UNIX domain
    sockets.

  • New input is received on the socket (even if there was already unread input available).

  • The peer closes its writing half of the connection using shutdown(), or closes its socket altogether using close().

  • Output is possible on the socket (e.g., space has become available in the socket send buffer).

  • An asynchronous error occurs on the socket.

A signal is generated when the inotify file descriptor
becomes readable—that is, when an event occurs for one of the files
monitored by the inotify file descriptor.

Do the two quotes talk about the same thing regarding when a file descriptor becomes ready for IO?

Is the definition of when a fd becomes ready for IO the same, in all the methods mentioned: I/O multiplexing, signal-driven I/O, and epoll? (even though they are different in when the notification is available: edge triggered or level triggered.)

Given the above definition(s) of IO readiness of a fd, when a file descriptor becomes ready for IO,

  • will it remain ready as long as there is no IO operation performed on it? (So the program won’t miss any chance of readiness of the fd.)

  • or can it become unready before any IO operation is performed on it? (So the program may miss the readiness of the fd?)

For example:

  • when using select() on multiple fds inside a loop, if one fd becomes ready, the program continues to perform some IO operation on the fd and other tasks in the loop. At the same time another fd becomes ready, before the program reaches the next select() call. Can the other fd become unready again, before the program can perform IO on the other fd and therefore miss the readiness of the other fd?

  • when a (UDP or TCP) socket server receives or sends data on a socket fd in a loop, when the socket fd becomes unready, the server finishes receiving or sending data, and continues to perform other tasks in the loop. At the same time, the socket fd becomes ready, before the program reaches the statements for receiving/sending data on the socket fd. Can the socket fd become unready again, before the program can receive or send data on the socket fd and therefore miss the readiness of the socket fd?

Thanks.
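The two cases the question asks about can be observed directly on a Linux pipe. This is an added example, not part of the original post; the function names are hypothetical, and the dup'ed descriptor stands in for any other thread or process that consumes from the same pipe.

```python
import os
import select


def is_readable(fd):
    """Level-triggered check: would a read on fd return without blocking now?"""
    ready, _, _ = select.select([fd], [], [], 0)
    return fd in ready


def demo_readiness():
    """Show readiness persisting while unconsumed, then vanishing before our read."""
    r, w = os.pipe()
    other = os.dup(r)          # second consumer sharing the same pipe
    os.set_blocking(r, False)  # a stale readiness report must not hang the reader
    try:
        os.write(w, b"ping")
        results = {}
        # Case 1: nobody consumes the data, so every poll reports "ready".
        results["stays_ready"] = all(is_readable(r) for _ in range(3))
        # Case 2: select() reports "ready", but the other consumer reads first.
        results["ready_before"] = is_readable(r)
        os.read(other, 4)
        results["ready_after"] = is_readable(r)
        try:
            os.read(r, 4)
            results["read"] = "data"
        except BlockingIOError:   # EAGAIN: the earlier readiness report was stale
            results["read"] = "EAGAIN"
        return results
    finally:
        for fd in (r, w, other):
            os.close(fd)


if __name__ == "__main__":
    print(demo_readiness())
```

With a blocking descriptor the final read would hang instead of returning EAGAIN, which is why event loops built on select() or epoll normally use non-blocking descriptors.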

Linux Firewall mark classifier (tc-fw) not working after upgrade to Debian 9 – kernel 4.19

I have traffic shaping with TC and everything works as I expected on Debian 8 kernel 3.16. When I upgraded to the new kernel 4.19 and Debian 9, the tc-fw and u32 classifying didn’t work. I marked packets with iptables. Here is an example of my script and loaded modules:

qdisc add dev eth0 root handle 1:0 htb default 1 r2q 2
class add dev eth0 parent 1:0 classid 1:1 htb rate 9728000kbit ceil 9728000kbit prio 3
qdisc add dev eth0 parent 1:1 handle 10:0 htb default ffff r2q 2
class add dev eth0 parent 10: classid 10:10 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth0 parent 10: classid 10:30 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth0 parent 10:0 classid 10:ffff htb rate 22040kbit ceil 50240kbit
filter add dev eth0 parent 10: prio 5 protocol ip u32
class add dev eth0 parent 1:0 classid 1:2 htb rate 9728000kbit ceil 9728000kbit prio 3
qdisc add dev eth0 parent 1:2 handle 20:0 htb default fffe r2q 2
class add dev eth0 parent 20:0 classid 20:20 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth0 parent 20:0 classid 20:30 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth0 parent 20:0 classid 20:fffe htb rate 22240kbit ceil 50240kbit
filter add dev eth0 parent 20: prio 5 protocol ip u32
qdisc add dev eth1 root handle 1:0 htb default 1 r2q 2
class add dev eth1 parent 1:0 classid 1:1 htb rate 9728000kbit ceil 9728000kbit prio 3
qdisc add dev eth1 parent 1:1 handle 10:0 htb default ffff r2q 2
class add dev eth1 parent 10: classid 10:10 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth1 parent 10: classid 10:30 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth1 parent 10:0 classid 10:ffff htb rate 22040kbit ceil 50240kbit
filter add dev eth1 parent 10: prio 5 protocol ip u32
class add dev eth1 parent 1:0 classid 1:2 htb rate 9728000kbit ceil 9728000kbit prio 3
qdisc add dev eth1 parent 1:2 handle 20:0 htb default fffe r2q 2
class add dev eth1 parent 20:0 classid 20:20 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth1 parent 20:0 classid 20:30 htb rate 9728000kbit ceil 9728000kbit prio 3
class add dev eth1 parent 20:0 classid 20:fffe htb rate 22240kbit ceil 50240kbit
filter add dev eth1 parent 20: prio 5 protocol ip u32
filter add dev eth0 parent 10: prio 5 handle 101: protocol ip u32 divisor 256
filter add dev eth0 parent 10: protocol ip prio 5 u32 ht 800:: match ip src 185.108.0.0/16 hashkey mask 0xff00 at 12 link 101:
filter add dev eth0 parent 20: prio 5 handle 102: protocol ip u32 divisor 256
filter add dev eth0 parent 20: protocol ip prio 5 u32 ht 800:: match ip src 185.108.0.0/16 hashkey mask 0xff00 at 12 link 102:
  filter add dev eth0 parent 10: prio 6 handle 103: protocol ip u32 divisor 256
  filter add dev eth0 parent 20: prio 6 handle 104: protocol ip u32 divisor 256
  filter add dev eth0 parent 10: protocol ip prio 6 u32 ht 101:8f: match ip src 185.108.143.0/24 hashkey mask 0xff at 12 link 103:
  filter add dev eth0 parent 20: protocol ip prio 6 u32 ht 102:8f: match ip src 185.108.143.0/24 hashkey mask 0xff at 12 link 104:
class add dev eth0 parent 10:10 classid 10:a710 htb rate 2048kbit ceil 30720kbit prio 2
class add dev eth0 parent 20:20 classid 20:2711 htb rate 2048kbit ceil 30720kbit prio 2
    filter add dev eth0 protocol ip parent 10: prio 5 u32 ht 103:a4: match ip src 185.108.143.164 flowid 10:a710
    filter add dev eth0 protocol ip parent 20: prio 5 u32 ht 104:a4: match ip src 185.108.143.164 flowid 20:2711
class add dev eth0 parent 10:10 classid 10:a711 htb rate 2048kbit ceil 40960kbit prio 2
class add dev eth0 parent 20:20 classid 20:2712 htb rate 2048kbit ceil 40960kbit prio 2
    filter add dev eth0 protocol ip parent 10: prio 5 u32 ht 103:a5: match ip src 185.108.143.165 flowid 10:a711
    filter add dev eth0 protocol ip parent 20: prio 5 u32 ht 104:a5: match ip src 185.108.143.165 flowid 20:2712
filter add dev eth1 parent 10: prio 5 handle 103: protocol ip u32 divisor 256
filter add dev eth1 parent 10: protocol ip prio 5 u32 ht 800:: match ip dst 185.108.0.0/16 hashkey mask 0xff00 at 16 link 103:
filter add dev eth1 parent 20: prio 5 handle 104: protocol ip u32 divisor 256
filter add dev eth1 parent 20: protocol ip prio 5 u32 ht 800:: match ip dst 185.108.0.0/16 hashkey mask 0xff00 at 16 link 104:
  filter add dev eth1 parent 10: prio 6 handle 106: protocol ip u32 divisor 256
  filter add dev eth1 parent 20: prio 6 handle 107: protocol ip u32 divisor 256
  filter add dev eth1 parent 10: protocol ip prio 6 u32 ht 103:8f: match ip dst 185.108.143.0/24 hashkey mask 0xff at 16 link 106:
  filter add dev eth1 parent 20: protocol ip prio 6 u32 ht 104:8f: match ip dst 185.108.143.0/24 hashkey mask 0xff at 16 link 107:
class add dev eth1 parent 10:10 classid 10:a710 htb rate 2048kbit ceil 30720kbit prio 2
class add dev eth1 parent 20:20 classid 20:2711 htb rate 2048kbit ceil 30720kbit prio 2
    filter add dev eth1 protocol ip parent 10: prio 5 u32 ht 106:a4: match ip dst 185.108.143.164 flowid 10:a710
    filter add dev eth1 protocol ip parent 20: prio 5 u32 ht 107:a4: match ip dst 185.108.143.164 flowid 20:2711

filter add dev eth0 parent 1: protocol ip prio 1 handle 4 fw classid 1:2
filter add dev eth1 parent 1: protocol ip prio 1 handle 4 fw classid 1:2
filter add dev eth0 parent 1: protocol ip prio 1 handle 2 fw classid 1:1
filter add dev eth1 parent 1: protocol ip prio 1 handle 2 fw classid 1:1

And iptables config:

Chain FORWARD (policy ACCEPT 4506K packets, 326M bytes)
 pkts bytes target     prot opt in     out     source               destination
44016   42M MARK       all  --  eth0.20 eth1+   0.0.0.0/0            0.0.0.0/0            MARK set 0x4
19130  970K MARK       all  --  eth0.102 eth1+   0.0.0.0/0            0.0.0.0/0            MARK set 0x2
  423 87102 MARK       all  --  eth1+  eth0.102  0.0.0.0/0            0.0.0.0/0            MARK set 0x2
35820   96M MARK       all  --  eth1+  eth0.20  0.0.0.0/0            0.0.0.0/0            MARK set 0x4
    0     0 MARK       all  --  eth1+  eth1+   0.0.0.0/0            0.0.0.0/0            MARK set 0x4

and loaded modules:

cls_fw                 16384  2
cls_u32                20480  12
sch_htb                24576  8

xt_mark                16384  5
x_tables               36864  9 xt_LOG,iptable_mangle,ip_tables,iptable_filter,xt_mark,xt_mac,xt_tcpudp,xt_TPROXY,xt_conntrack

cat /sys/module/sch_htb/parameters/htb_rate_est
1

Thanks in advance for any advice

Br,
Nikolay

Fail2Ban iptables entries to reject HTTPS not stopping requests on Amazon Linux 2

I’ve set up Fail2Ban on Amazon Linux 2, enabling the built-in nginx-http-auth jail with this override config:

[nginx-http-auth]
enabled = true
action = iptables[name=HTTPS, port=https, protocol=tcp]
logpath = <snip>/logs/*error*.log
findtime = 15m
bantime = 15m
maxretry = 5

The action is triggering and I’m getting the following entry in iptables -S:

-A f2b-HTTPS -s 120.<snip>.122/32 -j REJECT --reject-with icmp-port-unreachable

However, I can continue making new HTTPS requests from the banned IP which are receiving 401 responses from Nginx. I’ve replicated from two IP addresses – my phone and another EC2 host.

Why isn’t the iptable rule stopping HTTPS requests?

Do I need to change my fail2ban config somehow to make it work?
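One way to check, from `iptables -S` output like the entry quoted above, whether a packet from a banned address can reach the fail2ban chain at all. This is an added example, not part of the original post, and it does not establish the cause in the poster's case; the ruleset, the address 203.0.113.7, the function names and the finding codes are all constructed for illustration.

```python
import ipaddress
import shlex

# Constructed `iptables -S` output (not from the post); 203.0.113.7 is a
# documentation address standing in for the banned client.
SAMPLE = """\
-P INPUT ACCEPT
-N f2b-HTTPS
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j f2b-HTTPS
-A f2b-HTTPS -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTPS -j RETURN
"""

# iptables options this example understands, mapped to rule fields.
OPTS = {"-s": "src", "-p": "proto", "--dport": "ports", "--dports": "ports",
        "-j": "target", "--ctstate": "ctstate"}


def parse_rules(text):
    """Parse `-A` lines into dicts. Negated (`!`) matches are not modelled."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule = {"chain": tok[1], "src": None, "proto": None,
                "ports": None, "target": None, "ctstate": ""}
        for opt, val in zip(tok[2:], tok[3:]):
            if opt in OPTS:
                rule[OPTS[opt]] = val
        if rule["src"] is not None:
            rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        rules.append(rule)
    return rules


def covers(rule, ip, port):
    """True if the rule's source, protocol and port matches admit this TCP packet."""
    if rule["src"] is not None and ip not in rule["src"]:
        return False
    if rule["proto"] not in (None, "tcp", "all"):
        return False
    if rule["ports"] is None:            # no --dport: every port matches
        return True
    for part in rule["ports"].split(","):
        lo, sep, hi = part.partition(":")
        if int(lo or 0) <= port <= int(hi or (65535 if sep else lo)):
            return True
    return False


def audit_ban(text, chain, banned_ip, listen_port):
    """Return finding codes for reasons a ban in `chain` may not take effect."""
    # Only INPUT is examined: forwarded traffic (e.g. to a container)
    # traverses FORWARD and never reaches a jump placed in INPUT.
    ip = ipaddress.ip_address(banned_ip)
    rules = parse_rules(text)
    findings = []
    if not any(r["chain"] == chain and r["src"] is not None and ip in r["src"]
               and r["target"] in ("REJECT", "DROP") for r in rules):
        findings.append("ban-rule-missing")
    inp = [r for r in rules if r["chain"] == "INPUT"]
    jumps = [i for i, r in enumerate(inp) if r["target"] == chain]
    if not jumps:
        return findings + ["chain-not-referenced"]
    live = [i for i in jumps if covers(inp[i], ip, listen_port)]
    if not live:
        return findings + ["port-mismatch"]
    for r in inp[:live[0]]:              # rules evaluated before the jump
        if r["target"] == "ACCEPT" and covers(r, ip, listen_port):
            findings.append("established-accepted-first"
                            if "ESTABLISHED" in r["ctstate"]
                            else "accepted-before-ban-chain")
    return findings


if __name__ == "__main__":
    print(audit_ban(SAMPLE, "f2b-HTTPS", "203.0.113.7", 443))
```

An empty result only means the INPUT path looks consistent; a ban keyed on the packet's source address still has no effect when requests arrive through a proxy or load balancer that presents its own address.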

linux – DNS: Unable to find specific GPG server

I would like to upgrade my system on Arch Linux distro by

yay -Syu

but unfortunately, when I try to import a new GPG key, I get a DNS error

    :: PGP keys need importing:
 -> 8FD3D9A8D3800305A9FFF259D1742AD60D811D58, required by: spotify
==> Import? (Y/n) y
:: Importing keys with gpg...
dirmngr(1062283.5): handler for fd 5 started
dirmngr(1062283.5): DBG: chan_5 -> # Home: /home/pilec/.gnupg
dirmngr(1062283.5): DBG: chan_5 -> # Config: (none)
dirmngr(1062283.5): DBG: chan_5 -> OK Dirmngr 2.2.23 at your service
dirmngr(1062283.5): connection from process 1067439 (1000:1000)
dirmngr(1062283.5): DBG: chan_5 <- GETINFO version
dirmngr(1062283.5): DBG: chan_5 -> D 2.2.23
dirmngr(1062283.5): DBG: chan_5 -> OK
dirmngr(1062283.5): DBG: chan_5 <- KS_GET -- 0x8FD3D9A8D3800305A9FFF259D1742AD60D811D58
dirmngr(1062283.5): DBG: get_dns_cname(hkps.pool.sks-keyservers.net): No name
dirmngr(1062283.5): DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): No name
dirmngr(1062283.5): resolving 'hkps.pool.sks-keyservers.net' failed: No name
dirmngr(1062283.5): DBG: Using TLS library: GNUTLS 3.6.15
dirmngr(1062283.5): DBG: http.c:connect_server: trying name='hkps.pool.sks-keyservers.net' port=443
dirmngr(1062283.5): DBG: get_dns_cname(hkps.pool.sks-keyservers.net): No name
dirmngr(1062283.5): DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): No name
dirmngr(1062283.5): resolving 'hkps.pool.sks-keyservers.net' failed: No name
dirmngr(1062283.5): can't connect to 'hkps.pool.sks-keyservers.net': host not found
dirmngr(1062283.5): error connecting to 'https://hkps.pool.sks-keyservers.net:443': No name
dirmngr(1062283.5): command 'KS_GET' failed: No name
dirmngr(1062283.5): DBG: chan_5 -> ERR 167772380 No name <Dirmngr>
gpg: keyserver receive failed: No name
dirmngr(1062283.5): DBG: chan_5 <- BYE
dirmngr(1062283.5): DBG: chan_5 -> OK closing connection
dirmngr(1062283.5): handler for fd 5 terminated

But, I’m able to get proper DNS response from dig:

dig hkps.pool.sks-keyservers.net                                             

; <<>> DiG 9.16.8 <<>> hkps.pool.sks-keyservers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10985
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hkps.pool.sks-keyservers.net.  IN      A

;; ANSWER SECTION:
hkps.pool.sks-keyservers.net. 3555 IN   A       209.244.105.201

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Nov 25 23:58:01 CET 2020
;; MSG SIZE  rcvd: 73

Additional info:

# cat /etc/resolv.conf

search home
nameserver 8.8.8.8


# cat /etc/nsswitch.conf 
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files systemd
group: files systemd
shadow: files

publickey: files

hosts: files mymachines myhostname resolve (!UNAVAIL=return) dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

What am I overlooking?

Thanks in advance

Linux workflow for browse images + raw edit?

I’m currently on a Mac using Capture One and have a very simple photos workflow. It is:

  • import images, usually raw
  • add folder to Capture One
  • browse new and existing photos
  • edit selected images
  • get out, and browse, repeat …
  • back up folder structure to NAS

I don’t spend a huge amount of time editing. It’s probably 50/50 browse/edit.

The nice thing about this single-app workflow is that the edits I make are visible in the browser. I don’t need to do anything in particular, and so the workflow is very fast.

But, I want to move to Linux. And it seems there are a bunch of different programs. They all do their jobs well, but they don’t interop with one another. An edit in one program doesn’t show up in another.

What’s the closest I can get to my desired workflow?

linux – CUPS – Network printer – Connection error: Permission denied, The printer is not responding

I’m trying to troubleshoot a printing issue, but first I need to describe my environment (it’s a bit non-standard).

I have a HP 1102 USB printer, connected to a Ubuntu 20.04 system which runs CUPS and shares the printer to other systems in the LAN. Printing from other systems (Ubuntu 18.04, Ubuntu 20.04, Windows 10) works fine via IPP.

I have a client which runs Android 10, and on top of it it runs Linux Deploy with Linux 18.04 in a chroot in the same LAN. The linux system has XFCE and CUPS, and I’ve configured the printer the same way as for other systems.

When I try to print (with local cups set to debug), this is what I get for my job:

D (25/Nov/2020:10:12:01 +0200) (Job 8) Connecting to 192.168.1.13:631
D (25/Nov/2020:10:12:01 +0200) (Job 8) Connecting to printer.
D (25/Nov/2020:10:12:01 +0200) (Job 8) Connection error: Permission denied
E (25/Nov/2020:10:12:01 +0200) (Job 8) The printer is not responding.
D (25/Nov/2020:10:12:31 +0200) (Job 8) Connecting to 192.168.1.13:631
D (25/Nov/2020:10:12:31 +0200) (Job 8) Connecting to printer.
D (25/Nov/2020:10:12:31 +0200) (Job 8) Connection error: Permission denied
E (25/Nov/2020:10:12:31 +0200) (Job 8) The printer is not responding.

I’m doing a packet capture on the CUPS server side and there are no packets when it says it’s trying to connect to the printer. Connecting manually works (telnet 192.168.1.13 631 opens a socket and TCP communication works).

Something must be wrong inside the CUPS running on the Android linux chroot, but I can’t figure out what. The local print job looks fine, file permissions for the /var/spool/cups directory look fine, cups is running as root.

I’m not sure where to look further for troubleshooting…

I’m watching android logcat trying to see if there is a problem at the same time, and it’s this:

11-25 10:28:29.179  2980  3091 W Netd    : No subsystem found in netlink event
11-25 10:28:31.012 20789 20789 I printers.cgi: type=1400 audit(0.0:785): avc: denied { ioctl } for path="socket:(151451)" dev="sockfs" ino=151451 ioctlcmd=0x8933 scontext=u:r:magisk:s0 tcontext=u:r:magisk:s0 tclass=unix_dgram_socket permissive=1

So – I’m thinking CUPS is trying to create a socket and Android is denying it? Any ideas if it’s a file-based socket, what its name would be and where it would be located in the filesystem?

Any suggestions?