kbro's questions

I'm running a Rocky Linux 8.4 workstation with GNOME and MATE desktops, but I've seen the same problem on CentOS 7.9...

When I log into the machine on the local display, I can do things like administer users and set the system time using the Control Centre app (this on MATE, the tools are buried in the menu on GNOME). When I click on the tool I'll get a popup asking for my password, or there will be an "unlock" button to click before I get authenticated. This all works because my user is a member of the "wheel" administrative group.

However, when the same user logs in to the same desktop environment over xrdp, the ability to administer the system has gone. In some cases the "unlock" button is greyed out, in others when I click on the tool app icon I get a message "Error executing command as another user: Not authorized" in my .xsession-errors file.

As I understand it, the problem is down to polkit treating local and remote sessions differently, and basically blocking administrative actions from remote sessions such as xrdp, vnc etc. This is a pain, because the main reason for setting up the xrdp service was so that I could administer the machine remotely! I can work around this to some extent using sudo from a terminal, but really I want it to Just Work™.

So my question is - how do I configure polkit to treat a remote session for my admin user identically to a local session? (Always assuming that polkit is the source of my problem!)

I'm using the Visual Studio Code Remote - SSH extension on a Windows 10 laptop to access a bunch of Linux development servers. I followed these instructions to set up the Windows built-in ssh-agent service, which is basically a few lines in an Administrator PowerShell terminal...

Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
Get-Service ssh-agent

This allows me to run ssh-add from a Command Prompt to install a private key, after which ssh, scp, sftp etc can connect to the remote host without needing the key passphrase, as can VSCode itself.

I also have Cygwin installed on the laptop, so my question is: how do I configure it so that those instances of the OpenSSH programs can access the Windows ssh-agent service? I guess there's a magical setting for SSH_AUTH_SOCK but how do I find out what it is? Yes, I could use keychain to load keys into a Cygwin-hosted ssh-agent process, but that means I have to type all the passphrases twice.

For now I've simply uninstalled the OpenSSH package in Cygwin so that bash runs the Windows version of ssh etc from /cygdrive/c/Windows/System32/OpenSSH, but I'd like to do it properly instead. Thanks for your help!

I'm running DHCPD (isc-dhcp-4.2.4) on an Ubuntu 14.04 system. The var/lib/dhcp/dhcpd.leases file is getting pretty huge (350MB). Looking in it, there's historical data going back many months about leases that have long since expired. How do I purge the old info? Presumably stopping dhcpd and deleting the file is a bad idea because then it will forget recent leases that might still be relevant?

[edit] Apparently dhcpd is supposed to auto-purge the leases file once an hour, but this isn't happening for me. Apparently this is down to a permissions problem - the /var/lib/dhcp directory and contents are ownwd by root:root but the server runs as dhcpd:dhcpd. I tried changing the ownership as follows:-

sudo service isc-dhcp-server stop
sudo chown -R dhcpd:dhcpd /var/lib/dhcp/
sudo service isc-dhcp-server start

but after this the ownership of the directory, dhcpd.leases and dhcpd.leases~ reverted to root:root.

So how do I sort out directory ownership vs the user:group running the dhcpd process to get auto-purge to work?

As part of a content management system I'm developing I have a script which retrieves image files (JPEG, GIF, PNG etc) in response to the browser GETing a URL like http://myserver/getimage.cgi/virtual/path/to/image. On the server the image files are stored outside DOCUMENT_ROOT as randomly-named blobs and a database keeps track of the metadata, in particular the correspondence between virtual path, blob filename and the MIME type. The script looks like this:-

#!/usr/bin/perl

use CGI::Simple;
use File::Copy;
use MYSTUFF 'dblookup';

my $q = new CGI::Simple;
my ($mimetype, $filepath) = dblookup($q->path_info);

$| = 1; # enable autoflush so header is output before calling copy()
print $q->header(-type=>$mimetype);
copy($filepath, \*STDOUT);

The dblookup function is exported by MYSTUFF.pm and extracts the mimetype and filepath for the virtual path passed in via the standard CGI $PATH_INFO environment variable.

My concern is how the output of the CGI script is spooled by the Apache server before it starts sending it back to the browser. If it spools the entire output then potentially there's a need for a huge amount of spool space on the server because the image files can be 10's or 100's of MB, and when I start supporting video files they could get up to GB.

Is the Apache server sensible enough to spool the STDOUT stream from the CGI script only up to the point where it's got all the headers (i.e. the first "\n\n", which is generated by $q->header()), then start copying the data buffer-for-buffer from STDOUT to whatever socket is attached to the HTTP connection back to the browser? The documentation for File::Copy suggests that it will use a 1K buffer, so if Apache behaves in the way I've outlined then I don't really have a problem, do I, as the IPC sockets/pipes will enforce flow control on my CGI script, removing the need for any further spool space beyond the buffers that are already there??

I have PHP5 installed on an Ubuntu 14.04 server and it works fine. I create a file called foo.php anywhere in the document tree and it gets passed to the PHP interpreter just as you'd expect.

However... I don't want the .php extension to be visible in one particular case so I created a symbolic link using "ln -s foo.php foo". If I go to http://localhost/path/to/foo.php then PHP works just fine, but when I go to http://localhost/path/to/foo then I see the PHP source.

I'm guessing that this is because the SetHandler directives in /etc/apache2/mods-enabled/php5.conf are in a <FilesMatch> directive and my filename doesn't end with ".php", but I've got FollowSymlinks enabled, so I was expecting that not to matter. I guess it does.

I know I could use mod_rewrite to do an internal redirect, but that's a bit of a sledgehammer. I could also use Redirect, but that pushes the redirection back to the client, which I want to avoid.

So is there an easy way to tell Apache "follow the symlink, then do auto-type determination based on the found file"?

As I understand it, php-fpm makes PHP pages respond faster by managing a farm of pre-loaded PHP interpreter processes so the end user doesn't experience the overhead of initialising the PHP subsystem, but once a PHP page starts executing it takes just as long as it would under "regular" CGI. It's a bit like running a Perl script under mod_perl - the interpreter doesn't run any faster because its bound into the web server executable, it just start up faster.

Am I right, or is there something subtle going on under the hood that makes it run faster overall? The reason for asking is that I have a PHP application that I want to run periodically (I run a 'wget' for its URL every X seconds). I'm not bothered about the response time because its periodic, but I am bothered about the execution time.