From: Ian Kelling Date: Sat, 4 Sep 2021 00:32:26 +0000 (-0400) Subject: fixes/security X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=a1308cb49d874e8510b86e59645e09cfe2c83602;p=distro-setup fixes/security --- diff --git a/.bashrc b/.bashrc index 9c7d638..cb6324b 100644 --- a/.bashrc +++ b/.bashrc @@ -31,6 +31,14 @@ HISTCONTROL=ignoredups # but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it. HISTIGNORE='pass *:[ ]*:otp *:oathtool *' +case $EUID in + 0) + if [[ ! -e /run/no_root_ssh_agent ]]; then + export SSH_AGENT_LAUNCHER=openssh SSH_AUTH_SOCK=/run/openssh_agent + fi + ;; +esac + #### begin section that works with sl() function to return from # noninteractive ssh shells, or tty. tty because often i # use it when something is going and io is slow and my bashrc diff --git a/.reportbugrc b/.reportbugrc new file mode 100644 index 0000000..44ce89d --- /dev/null +++ b/.reportbugrc @@ -0,0 +1,23 @@ +#ian: seemingly sensible defaults from running reportbug + +# reportbug preferences file +# character encoding: UTF-8 +# Version of reportbug this preferences file was written by +reportbug_version "7.6.0ubuntu1" +# default operating mode: one of: novice, standard, advanced, expert +mode standard +# default user interface +ui text +# offline setting - comment out to be online +#offline +# name and email setting (if non-default) +realname "Ian Kelling" +email "iank@fsf.org" +# If nothing else works, remove the # at the beginning +# of the following three lines: +#no-cc +#list-cc-me +#smtphost reportbug.debian.org +# You can add other settings after this line. See +# /etc/reportbug.conf for a full listing of options. +bts debian diff --git a/brc b/brc index f768e9e..595699a 100644 --- a/brc +++ b/brc 
@@ -1409,6 +1409,8 @@ sk() { # files wont be deleted on rsync, you can add --delete-excluded # to the rsync command if that is desired. +# SL_SSH_ARGS: Env var. Default arguments passed to ssh. + # For when ~/.bashrc is already customized on the remote server, you # might find it problematic that ~/.bashrc is sourced for ALL ssh # commands, even in scripts. This paragraph is all about that. bash @@ -1435,6 +1437,7 @@ sl() { sync_dirname testcmd extra_info testbool files_sec sl_test_cmd sl_test_hook declare -a args tmpa + args=($SL_SSH_ARGS) # ssh [-1246Antivivisectionist] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] # [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L address] diff --git a/brc2 b/brc2 index 06eb839..1048d4c 100644 --- a/brc2 +++ b/brc2 @@ -22,6 +22,12 @@ path-add --ifexists --end /a/opt/scancode-toolkit-3.10. export WCDHOME=/a +case $EUID in + 0) + SL_SSH_ARGS="-F $HOME/.ssh/confighome" + ;; +esac + # * include files @@ -40,6 +46,21 @@ source /a/bin/log-quiet/logq-function # * functions +hstest() { + install-my-scripts + d=$(mktemp -d) + sed '/^ *IdentityFile/d' ~/.ssh/config >$d/config + s command ssh -F $d/config -i /q/root/h "$@" +} + +hrtest() { + install-my-scripts + d=$(mktemp -d) + sed '/^ *IdentityFile/d' ~/.ssh/config >$d/config + s rsync -e "ssh -F $d/config -i /q/root/h" "$@" +} + + slemacs() { local arg rtime v arg="$1" @@ -239,6 +260,10 @@ ngreset() { fi } +checkre() { + s checkrestart -b /a/bin/ds/checkrestart-blacklist -pv +} + cp-blocked-domains-to-brains() { cp /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn } 
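Review bot: `hstest` and `hrtest` assign `d=$(mktemp -d)` without `local`, so each call leaks a global `d` into the interactive shell and leaves an uncleaned temp directory holding a copy of `~/.ssh/config` minus its `IdentityFile` lines. Declare it `local d` and remove the directory after the `s ...` line, e.g. `local d; d=$(mktemp -d)` at the top and `rm -r "$d"` (unconditionally, since `s` may fail) at the end. If the intent is to exercise only the restricted h key, also pass `-o IdentitiesOnly=yes`, because stripping `IdentityFile` does not stop ssh from offering whatever the agent holds before `-i /q/root/h`.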
@@ -359,8 +384,8 @@ jrun() { # journal run. run args, log to journal, tail and grep the journal. fi journalctl -qn2 -f -u "$cmd_name" & # Guess of time needed to avoid missing initial lines. - # .5 was not reliable. 1 was not reliable - sleep 2 + # .5 was not reliable. 1 was not reliable. 2 was not reliable + sleep 3 # We kill this in prompt-command for the case that we ctrl-c the # systemd-cat. i dont know any way to trap ctrl-c and still run the # normal action for it. There might be a way, unsure. @@ -394,7 +419,7 @@ sm() { c / # run latest install-my-scripts - jrun switch-mail-host "$@" + s jrun switch-mail-host "$@" return $ret } @@ -1318,17 +1343,15 @@ testmail() { # sieve with output filter. arg is mailbox, like INBOX. # This depends on dovecot conf, notably mail_location in /etc/dovecot/conf.d/10-mail.conf -_dosieve() { - sieve-filter "$@" 2> >(head; tail) >/tmp/testsieve.log && sed -rn '/^Performed actions:/,/^[^ ]/{/^ /p}' /tmp/testsieve.log | sort | uniq -c -} - # always run this first, edit the test files, then run the following testsieve() { - _dosieve ~/sieve/maintest.sieve ${1:-INBOX} delete + sieve-filter ~/sieve/maintest.sieve ${1:-INBOX} delete 2> >(head; tail) >/tmp/testsieve.log && sed -rn '/^Performed actions:/,/^[^ ]/{/^ /p}' /tmp/testsieve.log | sort | uniq -c + _dosieve } runsieve() { c ~/sieve; cp personal{test,}.sieve; cp lists{test,}.sieve; cp personalend{test,}.sieve - _dosieve ~/sieve/main.sieve -eWv ${1:-INBOX} delete + sieve-filter -eWv ~/sieve/maintest.sieve ${1:-INBOX} delete &> /tmp/testsieve.log + sed -r '/^info: filtering:/{h;d};/^info: msgid=$/N;/^info: msgid=.*left message in mailbox [^ ]+$/d;/^info: msgid=/{H;g};/^info: message kept in source mailbox.$/d' /tmp/testsieve.log } # mail related 
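Review bot: `testsieve` still ends with a bare `_dosieve` call, but this same hunk deletes the `_dosieve` function, so the new line will fail with "command not found" after the sieve-filter pipeline runs; the inlined `sieve-filter ... && sed ... | sort | uniq -c` already does everything `_dosieve` did, so simply drop the `_dosieve` line. Separately, `runsieve` now runs `sieve-filter -eWv ~/sieve/maintest.sieve ...` where it previously ran `~/sieve/main.sieve`; since the function has just copied the `*test.sieve` files over the live ones, re-running the test file with `-e` (execute) against the real mailbox looks like a copy-paste slip, so confirm `main.sieve` is not the intended target. The unattended-upgrade `sleep 3` guess in jrun would be worth a comment saying it is empirical rather than derived from journalctl behaviour.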
@@ -1617,7 +1640,8 @@ path-add /usr/local/go/bin # I have both because I was trying to solve an issue that # turned out to be unrelated. # ARDUINO_PATH=/a/opt/Arduino/build/linux/work -export ARDUINO_PATH=/a/opt/arduino-1.8.9 +export ARDUINO_PATH=/a/opt/arduino-1.8.15 +export KALEIDOSCOPE_DIR=/a/opt/Kaleidoscope # They want to be added to the start, but i think # that should be avoided unless we really need it. diff --git a/btrbk-run b/btrbk-run index fe9ffce..2bd7468 100644 --- a/btrbk-run +++ b/btrbk-run @@ -151,8 +151,7 @@ if [[ /a/opt/btrbk/btrbk -nt /usr/bin/btrbk ]]; then pi asciidoctor fi cd /a/opt/btrbk - m make - m sudo make install + m make install fi # TODO: i wonder if there should be an option to send to the default @@ -221,7 +220,6 @@ if [[ $source ]]; then echo "source: $source" fi - if [[ ${mountpoints[0]} ]]; then for mp in ${mountpoints[@]}; do if [[ -e /nocow/btrfs-stale/$mp ]]; then @@ -382,7 +380,9 @@ fi cat >/etc/btrbk.conf <&2; exit 1; fi - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -hn=$(hostname -f) -source /a/bin/bash_unpublished/source-state -if [[ $HOSTNAME != "$MAIL_HOST" && $hn != li.b8.nz && ! $DISPLAY ]]; then - exit 0 -fi - -# note this is duplicated in /a/bin/ds/filesystem/usr/local/bin/myupgrade -ignore_lines=( - "Found 0 processes using old versions of upgraded files" - "lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs" - "Output information may be incomplete." - "Found 0 processes using old versions of upgraded files" -) -out= -while read -r line; do - ignore=false - for l in "${ignore_lines[@]}"; do - if [[ $line == "$l" ]]; then - ignore=true - break - fi - done - if $ignore; then continue; fi - out+="$line"$'\n' -done < <(sudo /usr/sbin/checkrestart -p 2>&1) -if (( ${#out} )); then - printf "%s" "$out" | pee cat wall -fi diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index 1e68c1e..c3e19f4 100755 
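Review bot: Collapsing `m make` and `m sudo make install` into a single `m make install` means the build step itself (the Makefile and asciidoctor run in /a/opt/btrbk) now executes with whatever privilege btrbk-run has; if the script is run as root, as the dropped `sudo` suggests, build rules from the checkout run as root where previously only the install step did. If root is required, keep the compile unprivileged, e.g. `m sudo -u "#1000" make` followed by `m make install`, or build only from a pinned, verified tag. The enclosing `if [[ /a/opt/btrbk/btrbk -nt /usr/bin/btrbk ]]` block begins before this hunk.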
--- a/filesystem/usr/local/bin/myupgrade
+++ b/filesystem/usr/local/bin/myupgrade
@@ -20,30 +20,30 @@ l() {
 }
-if checkrestart -p -t &>/dev/null; then
+if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then
 exit 0
 fi
 if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
 # no automatic reboot for this host, just make an alert
- checkrestart -p 2>/dev/null ||:
+ checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
 exit 0
 else
- l checkrestart -p 2>/dev/null ||:
+ l checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
 fi
 for x in {30..1}; do
- echo "pid $PID. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
+ echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
 sleep 10
 done
 for x in {30..1}; do
 if ! fuser /var/lib/dpkg/lock &> /dev/null; then
- echo "pid $PID. unattended upgrade, rebooting now" | pee cat "wall -n"
+ echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n"
 /a/bin/ds/keyscript-on /sbin/reboot exit 0
 fi
- echo "pid $PID. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
+ echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
 sleep 10
 done
-echo "pid $PID. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
+echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
diff --git a/filesystem/usr/local/bin/myupgrade-iank b/filesystem/usr/local/bin/myupgrade-iank
old mode 100644
new mode 100755
diff --git a/hssh b/hssh
new file mode 100755
index 0000000..b325197
--- /dev/null
+++ b/hssh
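Review bot: `if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then exit 0; fi` treats every non-zero exit as "processes need a restart", so if the new blacklist file is missing or unreadable, or checkrestart rejects the option, the script falls through to the countdown and reboots the host on what is really a usage error, and the `&>/dev/null` hides why. Validate the new input before depending on it, e.g. `[[ -r /a/bin/ds/checkrestart-blacklist ]] || { echo "checkrestart blacklist missing" | wall -n; exit 1; }`, and consider putting the path in one variable since it is now repeated three times. The blacklist also appears to live in the same non-root tree that install-my-scripts copies from with `--chown=root:root`, so anyone who can edit it can suppress (or force) root's reboot-on-upgrade; either document that trust assumption in a comment or install a root-owned copy next to the script. The `$PID` to `$$` fix is correct.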
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+# restricted ssh does not allow arguments, but they exist in $SSH_ORIGINAL_COMMAND
+# debug
+dfile=/tmp/hssh-debug-$(id -u)
+date >>$dfile
+echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile
+
+
+mapfile -t cmds <<'EOF'
+# btrbk-run
+date +%z
+cat /a/bin/bash_unpublished/source-state
+cat /etc/hostname
+ps --no-headers -o comm 1
+systemctl is-active btrbk.service
+mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1
+DISPLAY=:0 xprintidle
+# mount-latest-remote
+timeout -s 9 600 /usr/local/bin/mount-latest-subvol
+rsync --server -OtpRe.LsfxC . /usr/local
+EOF
+
+allow=false
+for c in "${cmds[@]}"; do
+ # echo "c $c" # debug
+ if [[ $c == \#* ]]; then continue; fi
+ if [[ $SSH_ORIGINAL_COMMAND == "$c" ]]; then
+ allow=true
+ break
+ fi
+done
+if $allow; then
+ eval $SSH_ORIGINAL_COMMAND
+else
+ /a/opt/btrbk/ssh_filter_btrbk.sh --target --delete --source --info
+fi
diff --git a/install-my-scripts b/install-my-scripts
index 404cd83..d3e7019 100755
--- a/install-my-scripts
+++ b/install-my-scripts
@@ -37,7 +37,7 @@ x="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${x%/*} # directory of this file /a/bin/log-quiet/setup rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \
 check-subvol-stale system-status myi3status mailtest-check \
- /a/bin/log-quiet/sysd-mail-once \
+ /a/bin/log-quiet/sysd-mail-once hssh \
 btrfsmaint \
 dynamic-ip-update \
 /usr/local/bin
diff --git a/keyscript-on b/keyscript-on
index 36e37f7..f26861b 100755
--- a/keyscript-on
+++ b/keyscript-on
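Review bot: The debug lines `dfile=/tmp/hssh-debug-$(id -u)` and `echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile` append to a predictable path in a world-writable directory and expand the remote-controlled command unquoted (a `*` in it globs the current directory into the log); when this runs as root, presumably as a forced command in root's authorized_keys, a pre-placed file or symlink there is a classic /tmp problem unless you are relying on fs.protected_symlinks. Either drop the debug block now that the filter is in place, or log with `logger -t hssh -- "SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND"` and quote the variable everywhere it is echoed. Exact-string matching before `eval` is sound, but the entry `rsync --server -OtpRe.LsfxC . /usr/local` lets the holder of the unencrypted h key write arbitrary files under /usr/local as root, including /usr/local/bin, which install-my-scripts populates with root-run tools, so that single entry is roughly equivalent to unrestricted root; point it at a dedicated staging directory, or constrain it with rrsync, and say so in a comment next to the entry. Note also that every non-matching command falls through to `ssh_filter_btrbk.sh --target --delete --source --info`, so that script, not this whitelist, defines what else the key can do.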
@@ -14,6 +14,11 @@ rootn=1 sed="sed --follow-symlinks"
+# for running under corn, we need this, else, if we call
+# /sbin/update-initramfs , it will fail with:
+# /sbin/update-initramfs: 157: mkinitramfs: not found
+PATH="/sbin:$PATH"
+
 if [[ ! -e /tmp/keyscript-off ]]; then if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then if ! grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
diff --git a/machine_specific/kd/filesystem/etc/cron.d/kd b/machine_specific/kd/filesystem/etc/cron.d/kd
index fa2224b..76dad03 100644
--- a/machine_specific/kd/filesystem/etc/cron.d/kd
+++ b/machine_specific/kd/filesystem/etc/cron.d/kd
@@ -1,7 +1,7 @@
 SHELL=/bin/bash
 PATH=/usr/bin:/bin:/usr/local/bin:/a/exe:/a/bin/fai
 MAILTO=root
-0 7 * * 1,2,3,4,5 iank failmail wrt-setup -y
-45 7 * * 1,2,3,4,5 iank failmail wrt-setup -z
-0 7 * * 0,6 iank failmail wrt-setup -y
-0 11 * * 0,6 iank failmail wrt-setup -z
+0 7 * * 1,2,3,4,5 root failmail wrt-setup -y
+45 7 * * 1,2,3,4,5 root failmail wrt-setup -z
+0 7 * * 0,6 root failmail wrt-setup -y
+0 11 * * 0,6 root failmail wrt-setup -z
diff --git a/mount-latest-remote b/mount-latest-remote
index 41fd2fc..76c1bef 100755
--- a/mount-latest-remote
+++ b/mount-latest-remote
@@ -30,11 +30,8 @@ for tg; do if [[ $tg == *:* ]]; then rsynctg="[$tg]"
 fi
- rsync -RtO bin/{mount-latest-subvol,check-subvol-stale} lib/err "root@$rsynctg:/usr/local"
- ssh root@$tg bash <<'EOF'
-set -e
-chmod +x /usr/local/bin/{mount-latest-subvol,check-subvol-stale}
-# this can hang if we have an old nfs mount
-timeout -s 9 600 /usr/local/bin/mount-latest-subvol
-EOF
+ # R = relative, t = times, O = omit-dir-times, p = perms
+ rsync -RtOp bin/{mount-latest-subvol,check-subvol-stale} lib/err "root@$rsynctg:/usr/local"
+ # this can hang if we have an old nfs mount
+ ssh root@$tg timeout -s 9 600 /usr/local/bin/mount-latest-subvol
 done
diff --git a/rootsshsync b/rootsshsync
index 3d1ee28..f44cd6f 100755
--- a/rootsshsync
+++ b/rootsshsync
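Review bot: Moving the four `wrt-setup` jobs from `iank` to `root` while keeping `PATH=/usr/bin:/bin:/usr/local/bin:/a/exe:/a/bin/fai` means root now resolves `failmail` and `wrt-setup` through directories that appear to belong to the unprivileged user (`/a/exe` is the tree install-my-scripts copies from with `--chown=root:root`), so anyone who can write there gets code executed as root twice a day. Pin each job to a root-owned copy, e.g. `0 7 * * 1,2,3,4,5 root /usr/local/bin/failmail /usr/local/bin/wrt-setup -y`, or remove the two `/a/...` entries from this PATH and install the scripts via install-my-scripts. In the mount-latest-remote hunk, the new `-p` preserves the source mode of the copied scripts, which replaces the removed remote `chmod +x` but also carries over any group/world write bits from the workstation, so a `--chmod=755` like install-my-scripts uses would be safer. The keyscript-on comment has a typo, "corn" for "cron".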
@@ -18,14 +18,12 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" -dest=/root/.ssh - # leftover -if [[ -L $dest ]]; then - rm $dest +if [[ -L /root/.ssh ]]; then + rm /root/.ssh fi -mkdir -p $dest -chmod 700 $dest +mkdir -p /root/.ssh +chmod 700 /root/.ssh user=$(id -un 1000) @@ -39,9 +37,20 @@ fi find $user_ssh_dir -xtype l -exec rm '{}' \; # -t times, so it won't rewrite the file every time, # -L resolve links -rsync -rtL --delete $user_ssh_dir/ $dest +rsync --exclude=/h --exclude=/h.pub --exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh +rsync -tL $user_ssh_dir/config /root/.ssh/confighome +cp -a /q/root/h{,.pub} /root/.ssh +# The h key is like the home key, but only a whitelist of commands allowed, and +# not encrypted, so cron and whatnot can use it. +# For any interactive ssh command we want to run as root that is not in that +# whitelist, we need to ssh -F $HOME/.ssh/confighome +sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,;s,^AddKeysToAgent confirm,AddKeysToAgent yes,' /root/.ssh/confighome >/root/.ssh/config chown -R root:root /root/.ssh +# notably: installs hssh +/a/exe/install-my-scripts + +systemctl enable --now ssh-agent-root d=/etc/initramfs-tools if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then diff --git a/switch-mail-host b/switch-mail-host index 98a2cdc..ba81d5f 100644 --- a/switch-mail-host +++ b/switch-mail-host @@ -2,11 +2,6 @@ source /usr/local/lib/err -if [[ $EUID == 0 && ! $SUDO_USER ]]; then - err "requires running as nonroot or sudo" - exit 1 -fi - usage() { cat <&2; } +if [[ $EUID != 0 ]]; then + err "requires running as root" + exit 1 +fi + + ##### begin command line parsing ######## force=false 
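Review bot: The `sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,;s,^AddKeysToAgent confirm,AddKeysToAgent yes,'` that derives `/root/.ssh/config` from `confighome` only rewrites lines starting at column 0, whereas `hstest` in brc2 strips `^ *IdentityFile`, i.e. the same config is expected to contain indented entries; any indented `IdentityFile ~/.ssh/home` under a `Host` block survives, and root's default config keeps offering the encrypted home key (and prompting) instead of the h key this change is meant to select. Use `sed -E 's,^(\s*)IdentityFile ~/\.ssh/home$,\1IdentityFile ~/\.ssh/h,;s,^(\s*)AddKeysToAgent confirm,\1AddKeysToAgent yes,'` so the indent is kept. The `confirm` to `yes` rewrite deliberately drops per-use confirmation for anything loaded into the root agent started by `ssh-agent-root`; that is a real weakening for non-interactive use and deserves a sentence in the comment block above it. `cp -a /q/root/h{,.pub} /root/.ssh` preserves the source mode, so follow it with `chmod 600 /root/.ssh/h` rather than trusting /q/root's permissions.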
@@ -78,7 +79,7 @@ case $1 in old_hostname=$HOSTNAME new_host=$2 bbk_args="-t $new_host" - new_shell="ssh root@$new_host" + new_shell="ssh -F $HOME/.ssh/confighome root@$new_host" new_hostname=$($new_shell hostname) ;; pull) @@ -86,7 +87,7 @@ case $1 in new_host=$HOSTNAME new_hostname=$HOSTNAME bbk_args="-s $old_host" - old_shell="ssh root@$old_host" + old_shell="ssh -F $HOME/.ssh/confighome root@$old_host" # tests ssh connection if ! old_hostname=$($old_shell hostname); then echo "retrying failed $old_shell with -v" diff --git a/system-status b/system-status index 2c88d10..72ed5b5 100644 --- a/system-status +++ b/system-status @@ -83,7 +83,7 @@ write-status() { fi # early in install process, we dont have permission yet for exiqgrep - qlen=$(/usr/sbin/exiqgrep -o 60 -c -b | awk '{print $1}') ||: + qlen=$(/usr/sbin/exiqgrep -o 600 -c -b | awk '{print $1}') ||: if ((qlen)); then qmsg="queue length $qlen" chars+=("q $qlen") @@ -92,7 +92,7 @@ write-status() { # No point in emailing about the mailq on a host where we don't # check email. $MAIL_HOST|bk) - lo -1 qlen $qmsg + lo -10 qlen $qmsg ;; esac
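Review bot: `new_shell="ssh -F $HOME/.ssh/confighome root@$new_host"` (and the parallel `old_shell` line in the second hunk) assumes `$HOME` is `/root`, but the script is now required to run as root and is invoked via `s jrun switch-mail-host` from brc2; under `sudo -E`, which this repo uses elsewhere, HOME stays the calling user's, so `-F` would load the user's own `confighome` rather than the root copy rootsshsync generates. Use a fixed path, `ssh -F /root/.ssh/confighome root@$new_host`, or `~root/.ssh/confighome`. The `case $1 in` enclosing both assignments starts before the first hunk.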