HPL
Aug 28, 2002

Worst case scenario.
Finally took the plunge and switched to OpenSUSE Tumbleweed as my daily driver. It's been a bit of an adjustment from Debian-based distros like I'm used to, but it's good so far and the differences are pretty minor. The downside is that there isn't always a nicely packaged SUSE version of software x or y ready to go like there is with Ubuntu, but there's usually at least an ugly workaround. YaST is a nice breath of fresh air too.


CaptainSarcastic
Jul 6, 2013



HPL posted:

Finally took the plunge and switched to OpenSUSE Tumbleweed as my daily driver. It's been a bit of an adjustment from Debian-based distros like I'm used to, but it's good so far and the differences are pretty minor. The downside is that there isn't always a nicely packaged SUSE version of software x or y ready to go like there is with Ubuntu, but there's usually at least an ugly workaround. YaST is a nice breath of fresh air too.

Have you checked https://software.opensuse.org for what you are looking for? If you go to Downloads at the top and select Package Search from there you get a search page. I've found it pretty helpful in the past.

ToxicFrog
Apr 26, 2008


CaptainSarcastic posted:

Have you checked https://software.opensuse.org for what you are looking for? If you go to Downloads at the top and select Package Search from there you get a search page. I've found it pretty helpful in the past.

Yeah, that's the equivalent of Ubuntu's PPAs and there are a lot of not-quite-official well-maintained repos there for stuff not present in the core suse-oss and suse-non-oss repos.

Pham Nuwen
Oct 30, 2010



Can anyone recommend a book that dives deep into the specifics of the modern Linux kernel, specifically on the x86-64 architecture? I've got a new work project that's going to involve some kernel hacking and I'm way behind on how Linux does memory management, multiprocessing, etc.

Wicaeed
Feb 8, 2005
I feel like I'm about to ask a question that's way over my head, but here goes, after some background.

I'm using inotifywatch on an NFS server to watch a directory tree that is specific to a single host. Every day files are going to be saved into a directory with the path <hostname>/dump/<date>/{file1},{file..n}

The remote side is using rsync to copy these files from a local directory to a directory mounted over NFS.

On the server side, when running inotifywait and looking for the close_write event, I can sometimes see files being closed more than once, or not even appearing at all, even after being successfully copied.

This is after removing the <date> directory and re-running rsync, so there should be nothing saved on the NFS server side and copying fresh. Example, three rsyncs, after each I deleted the directory:

There are three files in the remote folder I am rsyncing: globals.sql, testfile.dump.gz, db.dump.gz

code:
rsync --progress -rlptD /archive/local/postgresql/<hostname>/dumps/20161215/* /archive/network/postgresql/<hostname>/dumps/20161215
sending incremental file list
created directory /archive/network/postgresql/<hostname>/dumps/20161215
globals.sql
        5191 100%    0.00kB/s    0:00:00 (xfer#1, to-check=2/3)
db.dump.gz
   312922015 100%   75.82MB/s    0:00:03 (xfer#2, to-check=1/3)
testfile.dump.gz
  1073741824 100%   77.75MB/s    0:00:13 (xfer#3, to-check=0/3)

sent 1386838514 bytes  received 69 bytes  84050823.21 bytes/sec
total size is 1386669030  speedup is 1.00
code:
Try #1:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/globals.sql
#Missing two files

Try #2:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/globals.sql
#Missing two files

Try #3:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/testfile.dump.gz
#Missing two files, but now a different file?!?!?
Like, wtf is going on here :confused: Is there some NFS client/server caching mechanism that is negating the need to create these files again? Regardless, even after I delete them there should still be some filesystem event when they are created, right?

It might be a dumb question, but what really happens when you delete a file from an NFS share from a client? It seems like the file pointer still exists somewhere, and as long as the same file is being copied back in the same place with the same name, a close_write event never actually occurs, just the pointer is recreated/moved back to the original location.

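One thing worth checking here, as an added example that is not part of the post: rsync (without --inplace) writes each file to a temporary dotfile in the destination directory and renames it into place when the transfer finishes. The close_write that results carries the dotfile name, which the post's --exclude '/\..+' drops, and the event for the final name is moved_to, which the post's -e close_write never asks for. The script below reproduces that sequence with plain file operations and watches it through inotify via ctypes (Linux only, no third-party modules); the temporary name and the display prefix are constructed to resemble the post. Whether this accounts for everything seen over NFS is not established in the thread.

```python
"""inotify events produced by an rsync-style write (added example, not
from the thread). The inotify calls are the kernel's, reached through
ctypes; the temporary filename and display prefix are constructed."""
import ctypes
import ctypes.util
import os
import re
import struct
import tempfile

_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]

IN_CLOSE_WRITE = 0x00000008        # mask bits from <sys/inotify.h>
IN_MOVED_TO = 0x00000080
_LABELS = {IN_CLOSE_WRITE: "CLOSE_WRITE", IN_MOVED_TO: "MOVED_TO"}
_HEADER = struct.Struct("iIII")    # struct inotify_event: wd, mask, cookie, len

# Constructed to look like the watch root in the post.
PREFIX = "/srv/db_backups/postgresql/host1/dumps/20161215/"


def _drain(fd):
    """Read and decode every event queued on a non-blocking inotify fd."""
    events = []
    while True:
        try:
            buf = os.read(fd, 65536)
        except BlockingIOError:
            return events
        off = 0
        while off < len(buf):
            _wd, mask, _cookie, length = _HEADER.unpack_from(buf, off)
            off += _HEADER.size
            name = buf[off:off + length].split(b"\0", 1)[0].decode()
            off += length
            events.extend((label, name) for bit, label in _LABELS.items() if mask & bit)


def simulate_rsync_events(watch_dir):
    """Write two files the way rsync does and return the inotify events seen."""
    fd = _libc.inotify_init1(os.O_NONBLOCK)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1")
    try:
        mask = IN_CLOSE_WRITE | IN_MOVED_TO
        if _libc.inotify_add_watch(fd, os.fsencode(watch_dir), mask) < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch")
        # rsync default: data goes to a temporary dotfile, then a rename into place.
        tmp = os.path.join(watch_dir, ".db.dump.gz.k3Xq9Z")       # constructed temp name
        with open(tmp, "wb") as fh:
            fh.write(b"\x1f\x8b" + b"\0" * 64)
        os.rename(tmp, os.path.join(watch_dir, "db.dump.gz"))
        # rsync --inplace (or a plain cp): the final name itself is opened and closed.
        with open(os.path.join(watch_dir, "globals.sql"), "wb") as fh:
            fh.write(b"-- constructed dump\n")
        return _drain(fd)
    finally:
        os.close(fd)


def apply_exclude(events, prefix=PREFIX, pattern=r"/\..+"):
    """Filter the way inotifywait --exclude does: drop paths matching the regex."""
    return [(label, prefix + name) for label, name in events
            if not re.search(pattern, prefix + name)]


def run_demo():
    """Return (raw events, events left after the post's --exclude)."""
    with tempfile.TemporaryDirectory() as d:
        seen = simulate_rsync_events(d)
    return seen, apply_exclude(seen)


if __name__ == "__main__":
    seen, kept = run_demo()
    print("raw events:      ", seen)
    print("after --exclude: ", kept)
```

Run on a local directory first, so NFS is out of the picture; if the raw list shows the dotfile close_write and a moved_to for the real name, add -e moved_to (or drop the dotfile exclude) before reaching for systemtap.
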
evol262
Nov 30, 2010
#!/usr/bin/perl
You won't like this answer (I'll give details tomorrow, drinking right now), but you honestly need systemtap to track this. NFS is a "real" filesystem on the guest which exposes direct access through the kernel which can't be tracked by inotify

Kassad
Nov 12, 2005

It's about time.
Oh boy.

quote:

Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them.

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don't have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user's most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user's browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights

:stare:

Phosphine
May 30, 2011

WHY, JUDY?! WHY?!
I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?

The_Franz
Aug 8, 2003

Phosphine posted:

I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?

There is a video of it working on 16.04 in Unity so it's probably something else. From the writeup, it sounds like this exploit requires a very specific chain of software to work. Fedora 25 doesn't install game music players by default so it won't "just work" there either.

It's also so nice that this guy follows responsible disclosure protocols instead of announcing 0-day exploits in a blog "for the lulz".

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
"fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing"

lmao ars, linux has always had really, really lovely security. the fact that a security researcher, not a black hat, found this trivial security hole, just shows you how little people actually care about linux that's not android

Tigren
Oct 3, 2003

Suspicious Dish posted:

"fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing"

lmao ars, linux has always had really, really lovely security. the fact that a security researcher, not a black hat, found this trivial security hole, just shows you how little people actually care about linux that's not android

Seriously?

xzzy
Mar 5, 2009

Tigren posted:

Seriously?

Yes, seriously.

anthonypants
May 6, 2007

Dinosaur Gum

Phosphine posted:

I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?
The actual exploit is in specific gstreamer packages.

The_Franz
Aug 8, 2003

You also need to rename the .spc file to .flac so the browser will try to play it via gstreamer.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Tigren posted:

Seriously?

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)

Suspicious Dish fucked around with this message at 17:42 on Dec 16, 2016

anthonypants
May 6, 2007

Dinosaur Gum

Suspicious Dish posted:

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)
I can help you fix it, but first you'll need to curl this script I wrote and pipe it into your interpreter.

xzzy
Mar 5, 2009

Suspicious Dish posted:

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)

You forgot to mention selinux that promised to fix a lot of that.

"Goddamn setting up these contexts is hard, gently caress it, just set it to permissive."

Mao Zedong Thot
Oct 16, 2008


Can someone explain SELinux to me like I'm a child? It sounds like unless you go out of your way to restrict your process, it will otherwise be unmolested by SELinux, right? Are there general system contexts that make that not true? I've tried to read about it, but it just makes my eyes glaze over.

For context I work on an application that I want to make sure works on SELinux -- it seems that there are three approaches: just ignore SELinux and probably? everything will work fine, write a policy that gives sweeping permissions to my context, or write a fine grained policy that defines everything that I will ever do. Is that about right?

xzzy
Mar 5, 2009

Selinux is conceptually a system of tags. You assign tags to a process, and assign tags to your files, and if the tag of a process matches the tag of the file selinux allows the process to access the file. Obviously the real implementation is a lot more complex.. selinux has enough granularity to control all file operations, such as normal reads and writes. But it also controls other stuff (like execution, network access, and some other stuff I'm forgetting).

The problems come from the database that selinux uses to assign those context to everything.. it's a massive amount of pattern matching and it means if you happen to install some software that isn't in that database your job turns into fixing those contexts. Most people just pipe audit.log through audit2allow which auto-generates rules to allow denied requests to succeed, and that works fine, but it's the lazy way to do it. The "correct" method is to identify the context of the process and the file it's trying to work with and update the file context to allow the necessary access. Without breaking any other process' access.

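To make the audit2allow-versus-relabel distinction concrete, here is an added example (not from the thread, not Red Hat's tooling) that parses AVC denial records of the kind audit.log carries. It aggregates them into TE allow rules the way audit2allow would, and separately lists the file-class denials where the first question is whether the file just carries the wrong label. The log lines are constructed for the demo.

```python
"""Turn SELinux AVC denials into something reviewable (added example)."""
import re
from collections import defaultdict

# Constructed sample: a confined web server denied access to content under a
# home directory that still carries the generic user_home_t label, plus one
# network denial that is a genuine policy question rather than a label problem.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1481900000.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=40217 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481900000.102:302): avc:  denied  { open } for  pid=1201 comm="httpd" path="/home/web/site/index.html" dev="dm-0" ino=40217 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481900000.103:303): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1481900000.103:303): arch=c000003e syscall=42 success=no exit=-13
"""

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "stype": fields["scontext"].split(":")[2],   # type component of the context
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def aggregate_rules(log_text):
    """audit2allow-style: one TE allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def relabel_candidates(log_text):
    """File-class denials, merged per inode: candidates for a relabel, not a new rule."""
    entries = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if not d or d["tclass"] not in ("file", "dir", "lnk_file"):
            continue
        e = entries.setdefault((d["dev"], d["ino"]), {
            "target": d["target"], "ttype": d["ttype"],
            "stype": d["stype"], "comm": d["comm"], "perms": set()})
        e["perms"] |= d["perms"]
        if d["target"] and d["target"].startswith("/"):
            e["target"] = d["target"]        # prefer a full path over a bare name
    return [f"{e['target']} is {e['ttype']}; {e['stype']} ({e['comm']}) wants "
            f"{' '.join(sorted(e['perms']))}" for e in entries.values()]


if __name__ == "__main__":
    print("what audit2allow would hand you:")
    for rule in aggregate_rules(SAMPLE_AUDIT_LOG):
        print("  " + rule)
    print("check the label first on:")
    for item in relabel_candidates(SAMPLE_AUDIT_LOG):
        print("  " + item)
```

The point of the second list is xzzy's one: an allow rule for httpd_t on user_home_t makes every home directory readable by the web server, while relabeling the one content directory (semanage fcontext plus restorecon) fixes the denial without widening policy. The tcp_socket denial is the kind that genuinely is a policy decision, and on a stock policy it is usually toggled with a boolean rather than a custom module.
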
Wicaeed
Feb 8, 2005

evol262 posted:

You won't like this answer (I'll give details tomorrow, drinking right now), but you honestly need systemtap to track this. NFS is a "real" filesystem on the guest which exposes direct access through the kernel which can't be tracked by inotify

Well that's a bummer. Would using something like sshfs or rsync via SSH help here?

RFC2324
Jun 7, 2012

http 418

If you want to have fun, try making a button on a webpage that shuts down a server(not the server the button runs off of) when you have SELinux enabled on both machines.

I got it working, but it STILL throws a 500 error when you hit the button.

Forgall
Oct 16, 2012

Yeah, this isn't very encouraging... Is Firejail actually useful to prevent stuff like this?

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy

this is why I only listen to music in ogg vorbis

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

jre
Sep 2, 2011

To the cloud ?



Double Punctuation posted:

Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

The joy of open source

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

Double Punctuation posted:

Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

Linux has, hands down, the most ability to play media files bar none. Even bizarro codecs from the late 90s that only ever had proprietary windows decoders that won't work in modern windows have wrappers around the DLL enough to play. I keep running into "why the gently caress can't windows play this, works fine on linux?" when I try to send someone a video clip in an ~~obscure~~ format like .webm or an x264 .mkv.

That's also a negative, since as people are discovering - the bar for a media decoder is "does it decode a standard file" and beyond that nobody checks to see what happens when you feed it malicious poo poo.

I bet you could rack up 100+ CVEs just by fuzzing all the gstreamer libraries, but you'd have to figure out dozens of undocumented formats well enough to trick the library into trying to decode them.

The other half of your question is answered pretty simply: Because they're small, they work, and everyone hates the "You need a new codec to play this file, let me search Windows Update to find one for you" popup that you get if you don't have everything already installed.

But yeah, the bitching about archaic permissions systems is justified. Linux protects the trivial-to-reinstall system from the single user, not the impossible-to-replace documents from a rogue process. The only reason there's been no linux port of cryptolocker is that it's way too much effort for the dozen people running linux desktops out there. (Shoutout to the other 11 of you).

jre
Sep 2, 2011

To the cloud ?



Harik posted:


I bet you could rack up 100+ CVEs just by fuzzing all the gstreamer libraries, but you'd have to figure out dozens of undocumented formats well enough to trick the library into trying to decode them.

You probably wouldn't need to know anything about the format at all, just what byte string the fuzzer found that caused an error.

xzzy
Mar 5, 2009

The fun part with the Super Nintendo feature is how they do it.. it's not a library parsing a file format in the way mp3 or something is handled. They literally fire up a super nintendo emulator and feed the file through that emulator to produce the audio stream.

You can play old amiga music files the same way. It's both crazy and awesome at the same time.

jre
Sep 2, 2011

To the cloud ?



It's incredibly dumb from an attack surface point of view.

RFC2324
Jun 7, 2012

http 418

But hilariously awesome from a make it work point of view.

Reminds me of writing a python script and just calling shell utilities to get things done

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

jre posted:

You probably wouldn't need to know anything about the format at all, just what byte string the fuzzer found that caused an error.

You need enough bytes in the right places to detect the format and pass it to the library to be tested, though. That's why the attack works by renaming it to .flac: it's a filetype opened by gstreamer, which then ignores the extension and figures out what type it is and gives to the right decoder.

Edit: Even if you just fuzz the library directly, they more than likely check some key locations and refuse to parse the file if they don't like what they see. That's what I meant about needing to work with dozens of obscure formats.

Harik fucked around with this message at 22:51 on Dec 16, 2016

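The typefinding point above, as an added example that is not code from the thread or from GStreamer: a framework that identifies input by its leading bytes will route a file to a decoder whatever the extension says, and the defensive counterpart is a gate that sniffs the content itself and refuses anything not on an allowlist or whose sniffed type disagrees with the claimed extension. The SPC header string and the FLAC/ID3/MPEG-sync markers are the real format magics; the sample bodies are constructed padding.

```python
"""Content sniffing versus file extension (added example)."""
import os

SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"   # bytes 0..32 of an SPC file
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"


def sniff(data):
    """Return the container type implied by the leading bytes, ignoring any name."""
    if data.startswith(SPC_MAGIC):
        return "spc"
    if data.startswith(FLAC_MAGIC):
        return "flac"
    if data.startswith(ID3_MAGIC):
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"          # raw MPEG audio frame sync: 11 set bits
    return "unknown"


# Types we are willing to hand to a decoder, and the extensions they may claim.
ALLOWED = {"flac": {".flac"}, "mp3": {".mp3"}}


def admit(filename, data, allowed=ALLOWED):
    """Accept only allowlisted types whose content matches the claimed extension."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind not in allowed:
        return (False, f"{filename}: sniffed {kind}, not an allowed type")
    if ext not in allowed[kind]:
        return (False, f"{filename}: extension {ext!r} but content is {kind}")
    return (True, f"{filename}: {kind}")


# Constructed samples; the last one is the SPC bytes under a .flac name.
SAMPLES = {
    "song.flac": FLAC_MAGIC + b"\x00" * 60,
    "track.mp3": ID3_MAGIC + b"\x03\x00" + b"\x00" * 60,
    "bgm.spc": SPC_MAGIC + bytes([26, 26, 26, 30]) + b"\x00" * 60,
    "bgm.flac": SPC_MAGIC + bytes([26, 26, 26, 30]) + b"\x00" * 60,
}


def run_demo():
    """Run every sample through the gate; returns {name: (admitted, reason)}."""
    return {name: admit(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print("ADMIT " if ok else "REJECT", why)
```

The same sniffing that lets a player open a renamed file is what a gate in front of it should use: decide on the bytes, then treat any disagreement with the declared type as a reason to stop, not as something to paper over by picking the decoder that fits.
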
jre
Sep 2, 2011

To the cloud ?



Harik posted:

You need enough bytes in the right places to detect the format and pass it to the library to be tested, though. That's why the attack works by renaming it to .flac: it's a filetype opened by gstreamer, which then ignores the extension and figures out what type it is and gives to the right decoder.
Yeah, I know that

quote:


Edit: Even if you just fuzz the library directly, they more than likely check some key locations and refuse to parse the file if they don't like what they see. That's what I meant about needing to work with dozens of obscure formats.

If the fuzzer is causing a crash, then you have all the inputs you need to try and exploit it. If the lib was doing sanity checking that required a specific checksums and structures in the input then you wouldn't get a result from the fuzzer.

evol262
Nov 30, 2010
#!/usr/bin/perl

Wicaeed posted:

Well that's a bummer. Would using something like sshfs or rsync via SSH help here?

Short answer is yes. The NFS stuff isn't hard to make work, though systemtap drags the kernel down a bit (and installing kernel-debug is obviously obnoxious).

politicorific
Sep 15, 2007
I am having trouble getting a PPPoE server working. I need to set up PPPoE for testing device <> ISP connectivity.

I've added a second USB NIC to a computer running debian 3.16.36-1 and assigned a static IP to the eth1 interface.

Static IP and isc-dhcp-server work fine, but I can't get PPPoE to work properly.

I've followed these guides and attempted to connect using a Tomato router, but had no luck...
http://www.howtodoityourself.org/pppoe-server-how-to-do-it-yourself.html
https://poundcomment.wordpress.com/2011/03/30/pppoe-server-on-ubuntu/

The only thing I didn't change was /etc/network/interfaces
My eth0 is a DHCP connection, while the eth1 will be static.

I suspect there is something wrong with pppd

/etc/network/interfaces
code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
address 192.168.5.254
netmask 255.255.255.0
pppoe-server-options
code:
# PPP options for the PPPoE server
# LIC: GPL
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
netmask 255.255.255.0
defaultroute
noipdefault
usepeerdns
allip
code:
192.168.5.1-11
chap-secrets
code:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

"test"          *       "test"                  192.168.5.10
I'm running this:
pppoe-server -C isp -L 192.168.5.254 -p /etc/ppp/allip -I eth1

/var/log/messages
code:
Jan  7 02:57:45 Plug3 kernel: [   42.612533] PPP generic driver version 2.4.2
Jan  7 02:57:45 Plug3 pppd[668]: pppd 2.4.6 started by root, uid 0
Jan  7 02:57:45 Plug3 pppd[668]: Using interface ppp0
Jan  7 02:57:45 Plug3 pppd[668]: Connect: ppp0 <--> /dev/pts/0
Jan  7 02:57:50 Plug3 pppd[679]: pppd 2.4.6 started by root, uid 0
Jan  7 02:57:50 Plug3 pppd[679]: Using interface ppp1
Jan  7 02:57:50 Plug3 pppd[679]: Connect: ppp1 <--> /dev/pts/1
Jan  7 02:57:53 Plug3 pppd[679]: Peer test failed CHAP Session verification
Jan  7 02:57:53 Plug3 pppd[679]: Connection terminated.
Jan  7 02:57:53 Plug3 pppd[679]: Exit.
Jan  7 02:58:16 Plug3 pppd[668]: LCP: timeout sending Config-Requests
Jan  7 02:58:16 Plug3 pppd[668]: Connection terminated.
Jan  7 02:58:16 Plug3 pppd[668]: Modem hangup
Jan  7 02:58:16 Plug3 pppd[668]: Exit.
I think my pppd client is messed up, tomato
code:
#pppoe-status
pppoe-status: Link is down (can't read pppoe PID file /var/run/pppoe.conf-pppoe.pid.pppoe)
My tomato router log has instances of this:
code:
unknown daemon.err pppd[1945]: Timeout waiting for PAD0 packets

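The "Peer test failed CHAP Session verification" line is pppd rejecting the peer's CHAP response. Here is what that check computes, as an added example (not from the post, not pppd's code): per RFC 1994, the server sends an identifier byte and a random challenge, the peer answers with its name and MD5(identifier || secret || challenge), and the server recomputes the digest from the secret it finds for that name in chap-secrets. The secrets text mirrors the post's file; the challenge, the peer names and the server name are constructed for the demo.

```python
"""CHAP-MD5 verification as a PPP server performs it (added example)."""
import hashlib
import hmac
import os

# Same content as the post's chap-secrets.
CHAP_SECRETS = '''
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

"test"          *       "test"                  192.168.5.10
'''


def parse_chap_secrets(text):
    """Return [(client, server, secret, [addresses])] from chap-secrets format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"') for p in line.split()]
        if len(parts) < 3:
            continue                     # malformed line, skip rather than guess
        client, server, secret = parts[:3]
        entries.append((client, server, secret, parts[3:]))
    return entries


def lookup_secret(entries, peer_name, server_name):
    """First entry whose client and server fields match; '*' matches anything."""
    for client, server, secret, _addrs in entries:
        if client in (peer_name, "*") and server in (server_name, "*"):
            return secret
    return None


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP-MD5: MD5 over identifier byte, secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def server_verify(entries, server_name, identifier, challenge, peer_name, response):
    """Server side: recompute from the stored secret and compare in constant time."""
    secret = lookup_secret(entries, peer_name, server_name)
    if secret is None:
        return False                     # no matching chap-secrets line at all
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_exchange(peer_name, peer_secret, server_name="Plug3", identifier=1, challenge=None):
    """Both sides of one CHAP round; returns the server's verdict."""
    if challenge is None:
        challenge = os.urandom(16)       # constructed random challenge
    entries = parse_chap_secrets(CHAP_SECRETS)
    # Peer side: it only ever sees identifier and challenge, never the stored secret.
    response = chap_response(identifier, peer_secret, challenge)
    # Server side: name arrives with the response, secret comes from the file.
    return server_verify(entries, server_name, identifier, challenge, peer_name, response)


if __name__ == "__main__":
    print("correct secret :", run_exchange("test", "test"))
    print("wrong secret   :", run_exchange("test", "wrong"))
    print("unknown peer   :", run_exchange("nobody", "test"))
```

Because the server field in the post's file is "*", the name pppd uses for itself does not affect the lookup; a mismatch in the peer's name or secret does, and either one produces the same rejection the log shows.
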
dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
I have remote box running Ubuntu 16.04 server, let's call it "RemoteBox".

I also have a local box running Centos 7, let's call it "LocalBox".

I've used SSHFS to mount a directory on RemoteBox to a mountpoint on LocalBox and it works perfectly fine.

However, when I try to add the mountpoint to a Samba share, so that Windows users in my local network can browse it, on the Windows side either nobody can see the folder, or if they can, they cannot access it.

Any ideas if I'm doing something wrong or if it's simply not possible to do what I'm trying to do?

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Ur Getting Fatter posted:

I have remote box running Ubuntu 16.04 server, let's call it "RemoteBox".

I also have a local box running Centos 7, let's call it "LocalBox".

I've used SSHFS to mount a directory on RemoteBox to a mountpoint on LocalBox and it works perfectly fine.

However, when I try to add the mountpoint to a Samba share, so that Windows users in my local network can browse it, on the Windows side either nobody can see the folder, or if they can, they cannot access it.

Any ideas if I'm doing something wrong or if it's simply not possible to do what I'm trying to do?

Best guess, it's a user permissions thing, since sshfs runs entirely in user space. Try mounting the sshfs directory with the '-o allow_other' option and see what that does.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

VOTE YES ON 69 posted:

Can someone explain SELinux to me like I'm a child? It sounds like unless you go out of your way to restrict your process, it will otherwise unmolested by SELinux, right? Are there general system contexts that make that not true? I've tried to read about it, but it just makes my eyes glaze over.

For context I work on an application that I want to make sure works on SELinux -- it seems that there are three approaches: just ignore SELinux and probably? everything will work fine, write a policy that gives sweeping permissions to my context, or write a fine grained policy that defines everything that I will ever do. Is that about right?

there's a bunch of tags and those things do things but everything is handled by this giant rear end policy file which is basically the domain of one person at red hat who understands the drat thing. it's 50KLOC basically of policy special cases for every piece of software ever

https://github.com/fedora-selinux/selinux-policy/tree/f25-base

it also wouldn't stop this case for multiple reasons

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

1. If Linux security sucks is there an OS that is better?
2. Is there a path from where Linux is now to where its security isn't poo poo?

RFC2324
Jun 7, 2012

http 418

Thermopyle posted:

1. If Linux security sucks is there an OS that is better?
2. Is there a path from where Linux is now to where its security isn't poo poo?

Linux server security is still fairly solid afaik, but for desktop windows is probably your best bet.

This is just based on knowledge of attack surfaces, i may be wrong.


Ciaphas
Nov 20, 2005

> BEWARE, COWARD :ovr:


I decided on a more or less random whim to get a Digital Ocean account for loving around with Linux stuff--mainly because currently 'loving around' means learning Haskell, and Cygwin doesn't support it, and for some reason me and OS-hosted VMs don't see eye to eye. Anyway one of the first things I did was apt install gedit and reconnect over SSH with X tunneled. gedit ran like laggy rear end, though, despite being 20ms ping to the server, and didn't seem to matter whether I used PuTTY+Xming or MobaXTerm. Very lengthy redraw times and slow responses. My usual alternative, nedit, also ran like butt so I don't think it was gedit's toolkit (gtk?) that was causing the problem.

It's been a very long time since I've tried to administer a Linux system, so I don't really know what I'm doing anymore. What's the 'right' way to run GUI applications in linux land over an SSH connection? Or do I have the right idea and I have something misconfigured? (I know VNC is a thing, but I'm not a fan of that either. Something about the way it authenticated last time I tried it just bothered me.)

(ed) I'm not using goddamn vi or emacs except in emergencies it's not the 80s anymore :mad:

Ciaphas fucked around with this message at 01:47 on Dec 18, 2016
