abr_stackoverflow's questions

There is on the linux mint 18.3 sshd (7.2p2) starts with two processes. But when I run service ssh stop only child process stops and parent process is still run. So when I restart ssh service it can't bind 22 port and became unable to receive connections.

I read about privilege separation and I think it's good despite other linuxes (for example Ubuntu) creates only one process. But why does parent process not stop when child process is stopped? And how to make systemd stop both processes?

ssh.service

[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify

[Install]
WantedBy=multi-user.target
Alias=sshd.service

multi-user.target

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes

service ssh status

service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Чт 2019-05-16 16:53:10 MSK; 6 days ago
  Process: 4535 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 4538 (sshd)
    Tasks: 2
   Memory: 16.4M
      CPU: 3.143s
   CGroup: /system.slice/ssh.service
           ├─4538 /usr/sbin/sshd -D
           └─4539 /usr/sbin/sshd -D

I want to add one parameter to $query string. Now I have this config

server {
    server_name example.com;
    listen 80;

    return 301 http://test.example.com$request_uri;
}

But I want to add test=1 into query. There are use cases:

http://example.com =>
    http://test.example.com?test=1

http://example.com/example =>
    http://test.example.com/example?test=1

http://example.com/example/?var=1 =>
    http://test.example.com/example/?var=1&test=1

I tried to split $request_uri to $uri and $query_param and got

return 301 http://test.example.com$uri$query_string;

But I cannot just add test=1 into this string. If I add ?test=1 so in the third case I will get http://test.example.com/example/?var=1?test=1. If I add &test=1 there is in the first and second cases I will get http://test.example.com&test=1 and http://test.example.com/example&test=1.

Now I check my $query_string by this rules:

if ($query_string ~ ^$) {
    return 301 http://test.example.com$uri?test=test;
}

if ($query_string ~ ^.+$) {
    return 301 http://test.example.com$uri?$query_string&test=test;
}

But I think there is more tidy decision for this task.

I have two repositories with one package "libtidy-dev":

$ apt-cache policy libtidy-dev

libtidy-dev:
  Installed: 20091223cvs-1.2ubuntu1.1
  Candidate:   1:5.2.0-1+deb.sury.org~trusty+1
  Фиксатор пакета: 1:5.2.0-1+deb.sury.org~trusty+1
  Version table:
     1:5.2.0-1+deb.sury.org~trusty+1 400
        500 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main amd64 Packages
 *** 20091223cvs-1.2ubuntu1.1 400
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     20091223cvs-1.2ubuntu1 400
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I want to set priority for package "libtidy-dev" of "ppa:ondrey/php" repository to 400. So I created /etc/apt/preferences.d/libtidy-dev.pref with this content:

Package: libtidy-dev
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: 400

But it doesn't work. If i replace first row

Package: *
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: 400

it will works but for all packages from this repo. I dont't need to reduce priority for all packages, I want to do this only for "libtidy-dev". So I tried another way. I wrote to pref file this:

Package: libtidy-dev
Pin: origin archive.ubuntu.com
Pin-Priority: 990

Package: libtidy-dev
Pin: origin security.ubuntu.com
Pin-Priority: 990

This config does the same thing. If first row has package name it not works, but if I specify asterisk instead of package name, it works but for all packaes of these repos. What I'm doing wrong? How to set priority for one package of one repository?

I move my sites from old PHP (php 5.4) and OS (Ubuntu 12.04) to new server with PHP 7 and Ubuntu 16.04. I cought bug with creating FPM pools. Here's my common pool config:

[zabbix.example.com]
include = /etc/php/7.0/fpm/default-config.conf

user = www-data
group = www-data
listen = /data/www/zabbix/tmp/php-fpm.sock

request_terminate_timeout = 60s ; 30 sec for work
request_slowlog_timeout = 5s ; add to slowlog after 5 sec

slowlog = /data/www/zabbix/logs/slow.log
chroot =  /data/www/zabbix
chdir =   /public_html

php_admin_flag[display_errors] = off
php_admin_flag[display_startup_errors] = off

php_admin_value[memory_limit] = 256M
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t [email protected]

php_admin_value[post_max_size] = 16M
php_admin_value[max_execution_time] = 300
php_admin_value[max_input_time] = 300

Here's default-config.conf:

pm = dynamic
pm.max_children = 100
pm.start_servers = 12
pm.min_spare_servers = 5
pm.max_spare_servers = 50
pm.max_requests = 1000
pm.status_path = /status

listen.backlog = -1
listen.owner = www-data
listen.group = www-data
listen.mode = 0666

ping.path = /ping
ping.response = pong

request_terminate_timeout = 90
request_slowlog_timeout = 20
catch_workers_output = yes
php_flag[display_errors] = off
php_flag[display_startup_errors] = off
php_value[disable_functions] = show_source,system,shell_exec,passthru,exec,popen,proc_open

php_admin_value[upload_tmp_dir] = /tmp

security.limit_extensions = .php .php3 .php4 .php5 .htm

This config works at the old server. But at the new server I have problem with chrooting. Some sites use another site chroot directories. For example, I have these pools: site1.example.com, site2.example.com, site3.example.com, zabbix.example.com. So site1.example.com tries to look to site2.example.com directory. If I load site3.example.com it shows me zabbix.example.com.

How I can fix it?

I configured SSL by adding these strings to 01_exim4-config_listmacrosdefs. I use split configuration

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = /etc/exim4/example.com.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/example.com.key

So after restarting, connecting to port 465, typing EHLO and STARTTLS I got this: 454 TLS currently unavailable

In the log I have this:

13:29:36 10872 SMTP<< STARTTLS
13:29:36 10872 initialising GnuTLS as a server
13:29:36 10872 GnuTLS global init required.
13:29:36 10872 initialising GnuTLS server session
13:29:36 10872 Expanding various TLS configuration options for session credentials.
13:29:36 10872 certificate file = /etc/exim4/example.com.crt
13:29:36 10872 key file = /etc/exim4/example.com.crt
13:29:36 10872 LOG: MAIN
13:29:36 10872   TLS error on connection from (192.168.1.111) [91.210.44.50] (cert/key setup: cert=/etc/exim4/example.com.crt key=/etc/exim4/example.com.crt): Error in parsing.

Why does exim use the same file both for certificate and key? How to fix?

I want to see value of condition in exim, for example "authenticated". I can use authenticated = *, but I don't know what really contains "authenticated".

If I add section warn with parameter logwrite = $authenticated I get error unknown variable name "authenticated".

Also I want to see what contains in the condition "spam". There's many manuals say just add spam = nobody:false, but I can't understand who is nobody and what is false.

I want exim to accept messages only from that user which authorized via SMTP. Now I have these lines in the config:

  accept
    authenticated = *
    sender_domains = +local_domains
    control = submission/sender_retain
    control = dkim_disable_verify

  deny
    message = Unauthorized
    sender_domains = +local_domains
    !authenticated = *

It makes that any authorized user can send messages from local domains. For example, I have two domains: local1.com and local2.com and users user1 and user2 (suggest that both of domains have these users). If I authenticate as [email protected] I can MAIL FROM: [email protected] and even [email protected]. But I want to deny any different users even if they are local. Only [email protected] must be accepted.

I want to migrate from Axigen to exim/dovecot. Axigen has section named "Groups". So I can create new group, add there few accounts. After when I send email to this group, all members get this message. I don't even know what to Google. I only find mailing lists. But Axigen has mailing lists too and it differ from groups.

So what I should to search for my purpose?