relevant: CVE-2016-7545 -- SELinux sandbox escape http://seclists.org/oss-sec/2016/q3/606
Sep 27, 2016 00:14
NAT-T Ice posted: so what's uac
a system that prompts the user for system changes because they are running applications with a mix of privilege levels. access to items can be set for multiple users and groups, each with separate privileges and auditing settings. vs sudo, which is a thing you have to type in before every command on your Linux server because Linux permissions are all or nothing, so sudo creates a fake access control system where you basically have a text file of things a user can access when they do sudo. it's the exact wrong way to do it.
Sep 27, 2016 00:28
NAT-T Ice posted: so what's uac
a thing you turn off because it's hella annoying and useless
Sep 27, 2016 00:29
the posix permissions model only makes sense when you realize it was designed in the 60s for machines where 2 people can do everything and everyone else can only do the same things. the windows permissions model was designed for the real world, where different people need different access to the same and different items. when posix users realized their mistake, instead of fixing it they decided to do the most posix thing possible: create a text file whitelist with arcane syntax to handle complex access control
Sep 27, 2016 00:36
NAT-T Ice posted: so what's uac
uac'n nothin yet.
Sep 27, 2016 00:45
Lol if you set up a server that requires root permissions to do everything.
Sep 27, 2016 01:01
ratbert90 posted: Lol if you set up a server that requires root permissions to do everything.
This incident will be reported.
Sep 27, 2016 01:08
invision posted: but nopasswd is better?
yes. nopasswd means nobody imagines a layer of security that doesn't exist, and you don't leak passwords in the process table.
Sep 27, 2016 01:09
Shaggar posted: a system that prompts the user for system changes because they are running applications with a mix of privilege levels. access to items can be set for multiple users and groups each with separate privileges and auditing settings.
the real solution is selinux, but only a few people use that still, better than windows MIC, their equivalent to selinux. i have literally never seen MIC enabled in the wild, ever, not once
Sep 27, 2016 01:12
Winkle-Daddy posted: i am stupid and I should just use the -s to send the output of honggfuzz to stdin of netcat.
whelp! quoting for reference. also, post more stuff like this please, thank you
Sep 27, 2016 01:25
Shaggar posted: Linux permissions are all or nothing
Powercrazy posted: A permission model of everything or nothing is trash.
even linux DAC isn't all or nothing: it supports ACLs, and then you've got capabilities and whatever MAC you want to use (selinux, grsec rbac, apparmor). people have a really antiquated view of linux
Sep 27, 2016 03:12
plz join trumps 400 lb nerd sitting on the bed cyber gestapo tia
Sep 27, 2016 03:15
YOSPOS › Security Fuckup Megathread - v12.1.6 - The security aspect of cyber is very, very tough
Sep 27, 2016 03:41
VikingofRock posted: YOSPOS › Security Fuckup Megathread - v12.1.6 - The security aspect of cyber is very, very tough
also something 400lb goon related
Sep 27, 2016 04:24
JewKiller 3000 posted: a thing you turn off because it's hella annoying and useless
lol are you still using xp
Sep 27, 2016 04:47
VikingofRock posted: YOSPOS › Security Fuckup Megathread - v12.1.6 - The security aspect of the cyber is very, very tough
fixed
Sep 27, 2016 05:19
Rufus Ping posted: even linux DAC isn't all or nothing, it supports ACLs
again, this is a false equivalence. not just the false choice (selinux is the only one anyone uses) but the actual usage. selinux is a thing mere mortals can actually deploy on internet-facing services. nobody, nobody, uses microsoft's MAC framework. it is a purely theoretical construct. even their own educational material doesn't assume basic understanding of MAC on windows
Sep 27, 2016 05:27
CrazyLittle posted: uac'n nothin yet.
Sep 27, 2016 05:45
opinions on this piece? by this person. seems like it might be useful to non-lawyers as well. also, has anybody used encryptr, which is spideroak's password manager?
Sep 27, 2016 05:49
Notorious b.s.d. posted: i have literally never seen MIC enabled in the wild, ever, not once
doesn't chrome use it a lot?
Sep 27, 2016 08:06
CrazyLittle posted: uac'n nothin yet.
Sep 27, 2016 08:33
i got an sms that told me that a package is waiting for me at a post office on the other side of the country. i went to the post's web page and they have a customer service chat there, so i opened it and asked about it, because i was worried that the actual recipient will not be getting a package delivery notification. they wanted the tracking number (it was in the sms) and when i told it, they immediately told me the recipient's name and address. welp. at least i was able to get their phone number with that (it had 1 different digit from my number) and forwarded the sms to them.
Sep 27, 2016 10:52
Notorious b.s.d. posted: again, this is a false equivalence. not just the false choice (selinux is the only one anyone uses) but the actual usage. selinux is a thing mere mortals can actually deploy on internet-facing services
yea i wasn't comparing it to the windows equivalent, just saying it's not true to claim linux only has a crude permissions system or that admin access is all or nothing
Sep 27, 2016 15:43
selinux is not a permissions system, it's sudo taken to an extreme. instead of setting permissions on the objects you want to secure, you set policy at the kernel level for what processes can do what. it's dumb as poo poo and the reason nobody uses selinux.
Sep 27, 2016 16:22
So, this is my "please help me prevent a sec fuckup" at work question... and unlike the last one, I don't have preconceived bad opinions!

We have a build automation process where we use Boxcutter + Packer + VMWare vSphere + VMWare VirtualBox to create Windows and Linux box files. The Windows box files are built to automatically be pointed at our internal MS KMS server. We also maintain boxes for each patch level of each OS as well as a rolling "latest" that is built weekly and re-imported into our cloud. This works great for all of our supported platforms (CentOS, Fedora, Ubuntu, Debian, Suse, Win* since XP) except for one: Red Hat.

The way that we use the containers with Vagrant is that we just invoke Chef to cook up our node with recipes hosted on our internal Supermarket, some acceptance tests are run, and the environment is destroyed to be run again the next day with a new build of our software. How in the actual gently caress do we license these RH servers in such a way that we can use package management with them and then destroy them when we're done? We can't reliably "un-register" them because we have some jobs that do automated cleanup in the vagrant cloud if something happens and a Jenkins job failed to properly vagrant destroy something. AFAIK, the old satellite server methodology still required you to manually remove registration of the machine, same with executing rhn_register. What should I be looking at to help solve this problem?
Sep 27, 2016 16:34
Shaggar posted: selinux is not a permissions system, it's sudo taken to an extreme. instead of setting permissions on the objects you want to secure, you set policy at the kernel level for what processes can do what. it's dumb as poo poo and the reason nobody uses selinux.
Sep 27, 2016 16:36
call redhate and ask them. their support is the only reason you are paying for red hate. otherwise, if it works in centos, call it good.
Sep 27, 2016 16:36
Winkle-Daddy posted: VMWare VirtualBox
i assume you mean VMWare Workstation, or just VirtualBox, because they're two different products
Shaggar posted: call redhate and ask them. their support is the only reason you are paying for red hate.
this, except their answer will probably be "you need to buy a $100,000 ~datacenter edition~ license" or something like that
Sep 27, 2016 16:39
anthonypants posted: do you know if anyone's gotten selinux to work in windows 10
i just tried to install it but the install failed.
Sep 27, 2016 16:40
I'm waiting on someone giving me an RHN account. My old one was finally closed and I need a new one from my new company. I am hoping someone here has some suggestions in the meantime, as I'd like to not have to include RHN credentials anywhere in our automation (even encrypted databags). This is like one thing Microsoft has super worked out. You win this round, Shaggar.
Sep 27, 2016 16:41
linux is for hobbyists and not for the enterprise. this is reflected in its tools and support.
Sep 27, 2016 16:43
Winkle-Daddy posted: I'm waiting on someone giving me an RHN account. My old one was finally closed and I need a new one from my new company. I am hoping someone here has some suggestions in the meantime, as I'd like to not have to include RHN credentials anywhere in our automation (even encrypted databags). This is like one thing Microsoft has super worked out. You win this round, Shaggar.
Sep 27, 2016 16:52
Winkle-Daddy posted:
Why bother with the registration if you are using Chef? Use a local repo and it ends up the same as CentOS.
Sep 27, 2016 16:54