Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«733 »
  • Post
  • Reply
HPL
Aug 28, 2002

Worst case scenario.

Finally took the plunge and switched to OpenSUSE Tumbleweed as my daily driver. It's been a bit of an adjustment from Debian-based distros like I'm used to, but it's good so far and the differences are pretty minor. The downside is that there isn't always a nicely packaged SUSE version of software x or y ready to go like there is with Ubuntu, but there's usually at least an ugly workaround. YaST is a nice breath of fresh air too.

Adbot
ADBOT LOVES YOU

CaptainSarcastic
Jul 6, 2013

HAIL SATAN


HPL posted:

Finally took the plunge and switched to OpenSUSE Tumbleweed as my daily driver. It's been a bit of an adjustment from Debian-based distros like I'm used to, but it's good so far and the differences are pretty minor. The downside is that there isn't always a nicely packaged SUSE version of software x or y ready to go like there is with Ubuntu, but there's usually at least an ugly workaround. YaST is a nice breath of fresh air too.

Have you checked https://software.opensuse.org for what you are looking for? If you go to Downloads at the top and select Package Search from there you get a search page. I've found it pretty helpful in the past.

ToxicFrog
Apr 26, 2008



CaptainSarcastic posted:

Have you checked https://software.opensuse.org for what you are looking for? If you go to Downloads at the top and select Package Search from there you get a search page. I've found it pretty helpful in the past.

Yeah, that's the equivalent of Ubuntu's PPA's and there are a lot of not-quite-official well-maintained repos there for stuff not present in the core suse-oss and suse-non-oss repos.

Pham Nuwen
Oct 30, 2010



Can anyone recommend a book that dives deep into the specifics of the modern Linux kernel, specifically on the x86-64 architecture? I've got a new work project that's going to involve some kernel hacking and I'm way behind on how Linux does memory management, multiprocessing, etc.

Wicaeed
Feb 8, 2005


I feel like I'm about to ask a question that's way over my head, but here goes, after some background.

I'm using inotifywatch on an NFS server to watch a directory tree that is specific to a single host. Every day files are going to be saved into a directory with the path <hostname>/dump/<date>/{file1},{file..n}

The remote side is using rsync to copy these files from a local directory to a directory mounted over NFS.

On the server side, when running inotifywait and looking for the close_write event, I can sometimes see files being closed more than once, or not even appearing at all, even after being successfully copied.

This is after removing the <date> directory and re-running rsync, so there should be nothing saved on the NFS server side and copying fresh. Example, three rsyncs, after each I deleted the directory:

There are three files in the remote folder I am rsyncing: globals.sql, testfile.dump.gz, db.dump.gz

code:
rsync --progress -rlptD /archive/local/postgresql/<hostname>/dumps/20161215/* /archive/network/postgresql/<hostname>/dumps/20161215
sending incremental file list
created directory /archive/network/postgresql/<hostname>/dumps/20161215
globals.sql
        5191 100%    0.00kB/s    0:00:00 (xfer#1, to-check=2/3)
db.dump.gz
   312922015 100%   75.82MB/s    0:00:03 (xfer#2, to-check=1/3)
testfile.dump.gz
  1073741824 100%   77.75MB/s    0:00:13 (xfer#3, to-check=0/3)

sent 1386838514 bytes  received 69 bytes  84050823.21 bytes/sec
total size is 1386669030  speedup is 1.00
code:
Try #1:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/globals.sql
#Missing two files

Try #2:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/globals.sql
#Missing two files

Try #3:
inotifywait -m -r -s -e close_write --format '%w%f' --exclude '/\..+' /srv/db_backups/postgresql/<hostname>

/srv/db_backups/postgresql/<hostname>/dumps/20161215/testfile.dump.gz
#Missing two files, but now a different file?!?!?
Like, wtf is going on here Is there some NFS client/server caching mechanism that is negating the need to create these files again? Regardless, even after I delete them there should still be some filesystem event when they are created, right?

It might be a dumb question, but what really happens when you delete a file from an NFS share from a client? It seems like the file pointer still exists somewhere, and as long as the same file is being copied back in the same place with the same name, a close_write event never actually occurs, just the pointer is recreated/moved back to the original location.

evol262
Nov 30, 2010
#!/usr/bin/perl

You won't like this answer (I'll give details tomorrow, drinking right now), but you honestly need systemtap to track this. NFS is a "real" filesystem on the guest which exposes direct access through the kernel which can't be tracked by inotify

Kassad
Nov 11, 2005

It's about time.


Oh boy.

quote:

Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them.

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don't have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user's most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user's browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights

Phosphine
May 30, 2011


I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?

The_Franz
Aug 8, 2003

patton oswalt, aka:

- the bloodguzzler
- parton osmart
- the krustbuster
- bloodlard
- pat "the ton" owsdtwslalt
- the big patswald
- wifemurderer
- fentanyl prostate injection

Phosphine posted:

I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?

There is a video of it working on 16.04 in Unity so it's probably something else. From the writeup, it sounds like this exploit requires a very specific chain of software to work. Fedora 25 doesn't install game music players by default so it won't "just work" there either.

It's also so nice that this guy follows responsible disclosure protocols instead of announcing 0-day exploits in a blog "for the lulz".

Suspicious Dish
Sep 24, 2011



Fun Shoe

"fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing"

lmao ars, linux has always had really, really lovely security. the fact that a security researcher, not a black hat, found this trivial security hole, just shows you how little people actually care about linux that's not android

Tigren
Oct 3, 2003


Suspicious Dish posted:

"fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing"

lmao ars, linux has always had really, really lovely security. the fact that a security researcher, not a black hat, found this trivial security hole, just shows you how little people actually care about linux that's not android

Seriously?

xzzy
Mar 5, 2009

wakey wakey to
this bowl of tasty


Yams Fan

Tigren posted:

Seriously?

Yes, seriously.

anthonypants
May 6, 2007

by Nyc_Tattoo


Dinosaur Gum

Phosphine posted:

I tried to get those exploits to work (he links to the "open calculator" file etc) on my ubuntu 16.04 lts installation, but couldn't get it to do so. Supposedly it should trigger just from browsing, but neither dolphin nor nautilus caused anything to happen, and opening the files just opened a music player that tried to play them. Fairly default install, non-gnome window manager. Maybe gnome is important to the exploit?
The actual exploit is in specific gstreamer packages.

The_Franz
Aug 8, 2003

patton oswalt, aka:

- the bloodguzzler
- parton osmart
- the krustbuster
- bloodlard
- pat "the ton" owsdtwslalt
- the big patswald
- wifemurderer
- fentanyl prostate injection

You also need to rename the .spc file to .flac so the browser will try to play it via gstreamer.

Suspicious Dish
Sep 24, 2011



Fun Shoe

Tigren posted:

Seriously?

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)

Suspicious Dish fucked around with this message at Dec 16, 2016 around 16:42

anthonypants
May 6, 2007

by Nyc_Tattoo


Dinosaur Gum

Suspicious Dish posted:

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)
I can help you fix it, but first you'll need to curl this script I wrote and pipe it into your interpreter.

xzzy
Mar 5, 2009

wakey wakey to
this bowl of tasty


Yams Fan

Suspicious Dish posted:

it's an unmaintained pile of crud with no regard to security or security design at all, poor user knowledge and practices (linux means i never have to reboot, right?), and a poor community attitude towards fixing major design flaws (the antiquated 50-year-old unix permissions model should save us from exploits, right?)

You forgot to mention selinux that promised to fix a lot of that.

"Goddamn setting up these contexts is hard, gently caress it, just set it to permissive."

Mao Zedong Thot
Oct 16, 2008



Taco Defender

Can someone explain SELinux to me like I'm a child? It sounds like unless you go out of your way to restrict your process, it will otherwise unmolested by SELinux, right? Are there general system contexts that make that not true? I've tried to read about it, but it just makes my eyes glaze over.

For context I work on an application that I want to make sure works on SELinux -- it seems that there are three approaches: just ignore SELinux and probably? everything will work fine, write a policy that gives sweeping permissions to my context, or write a fine grained policy that defines everything that I will ever do. Is that about right?

xzzy
Mar 5, 2009

wakey wakey to
this bowl of tasty


Yams Fan

Selinux is conceptually a system of tags. You assign tags to a process, and assign tags to your files, and if the tag of a process matches the tag of the file selinux allows the process to access the file. Obviously the real implementation is a lot more complex.. selinux has enough granularity to control all file operations, such as normal reads and writes. But it also controls other stuff (like execution, network access, and some other stuff I'm forgetting).

The problems come from the database that selinux uses to assign those context to everything.. it's a massive amount of pattern matching and it means if you happen to install some software that isn't in that database your job turns into fixing those contexts. Most people just pipe audit.log through audit2allow which auto-generates rules to allow denied requests to succeed, and that works fine, but it's the lazy way to do it. The "correct" method is to identify the context of the process and the file it's trying to work with and update the file context to allow the necessary access. Without breaking any other process' access.

Wicaeed
Feb 8, 2005


evol262 posted:

You won't like this answer (I'll give details tomorrow, drinking right now), but you honestly need systemtap to track this. NFS is a "real" filesystem on the guest which exposes direct access through the kernel which can't be tracked by inotify

Well that's a bummer. Would using something like sshfs or rsync via SSH help here?

RFC2324
Jun 7, 2012

Http 418


If you want to have fun, try making a button on a webpage that shuts down a server(not the server the button runs off of) when you have SELinux enabled on both machines.

I got it working, but it STILL throws a 500 error when you hit the button.

Forgall
Oct 16, 2012

What're you lookin' at?


Yeah, this isn't very encouraging... Is Firejail actually useful to prevent stuff like this?

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy



this is why I only listen to music in ogg vorbis

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!


Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

jre
Sep 2, 2011

To the cloud ?





Double Punctuation posted:

Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

The joy of open source

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars



Plaster Town Cop

Double Punctuation posted:

Why is a distribution installing music playback libraries for the Super Nintendo by default? Why is that even a thing gstreamer supports?

Linux has, hands down, the most ability to play media files bar none. Even bizarro codecs from the late 90s that only ever had proprietary windows decoders that won't work in modern windows have wrappers around the DLL enough to play. I keep running into "why the gently caress can't windows play this, works fine on linux?" when I try to send someone a video clip in an ~~obscure~~ format like .webm or an x264 .mkv.

That's also a negative, since as people are discovering - the bar for a media decoder is "does it decode a standard file" and beyond that nobody checks to see what happens when you feed it malicious poo poo.

I bet you could rack up 100+ CVEs just by fuzzing all the gstreamer libraries, but you'd have to figure out dozens of undocumented formats well enough to trick the library into trying to decode them.

The other half of your question is answered pretty simply: Because they're small, they work, and everyone hates the "You need a new codec to play this file, let me search Windows Update to find one for you" popup that you get if you don't have everything already installed.

But yeah, the bitching about archaic permissions systems is justified. Linux protects the trivial-to-reinstall system from the single user, not the impossible-to-replace documents from a rogue process. The only reason there's been no linux port of cryptolocker is that it's way too much effort for the dozen people running linux desktops out there. (Shoutout to the other 11 of you).

jre
Sep 2, 2011

To the cloud ?





Harik posted:


I bet you could rack up 100+ CVEs just by fuzzing all the gstreamer libraries, but you'd have to figure out dozens of undocumented formats well enough to trick the library into trying to decode them.

You probably wouldn't need to know anything about the format at all, just what byte string the fuzzer found that caused an error.

xzzy
Mar 5, 2009

wakey wakey to
this bowl of tasty


Yams Fan

The fun part with the Super Nintendo feature is how they do it.. it's not a library parsing a file format in the way mp3 or something is handled. They literally fire up a super nintendo emulator and feed the file through that emulator to produce the audio stream.

You can play old amiga music files the same way. It's both crazy and awesome at the same time.

jre
Sep 2, 2011

To the cloud ?





It incredibly dumb from an attack surface point of view.

RFC2324
Jun 7, 2012

Http 418


But hilariously awesome from a make it work point of view.

Reminds me of writing a python script and just calling shel utilities to get things done

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars



Plaster Town Cop

jre posted:

You probably wouldn't need to know anything about the format at all, just what byte string the fuzzer found that caused an error.

You need enough bytes in the right places to detect the format and pass it to the library to be tested, though. That's why the attack works by renaming it to .flac: it's a filetype opened by gstreamer, which then ignores the extension and figures out what type it is and gives to the right decoder.

Edit: Even if you just fuzz the library directly, they more than likely check some key locations and refuse to parse the file if they don't like what they see. That's what I meant about needing to work with dozens of obscure formats.

Harik fucked around with this message at Dec 16, 2016 around 21:51

jre
Sep 2, 2011

To the cloud ?





Harik posted:

You need enough bytes in the right places to detect the format and pass it to the library to be tested, though. That's why the attack works by renaming it to .flac: it's a filetype opened by gstreamer, which then ignores the extension and figures out what type it is and gives to the right decoder.
Yeah, I know that

quote:


Edit: Even if you just fuzz the library directly, they more than likely check some key locations and refuse to parse the file if they don't like what they see. That's what I meant about needing to work with dozens of obscure formats.

If the fuzzer is causing a crash, then you have all the inputs you need to try and exploit it. If the lib was doing sanity checking that required a specific checksums and structures in the input then you wouldn't get a result from the fuzzer.

evol262
Nov 30, 2010
#!/usr/bin/perl

Wicaeed posted:

Well that's a bummer. Would using something like sshfs or rsync via SSH help here?

Short answer is yes. The NFS stuff isn't hard to make work, though systemtap drags the kernel down a bit (and installing kernel-debug is obviously obnoxious).

politicorific
Sep 15, 2007


I am having trouble getting a PPPoE server working. I need to set up PPPoE for testing device <> ISP connectivity.

I've added a second USB NIC to a computer running debian 3.16.36-1 and assigned a static IP to the eth1 interface.

Static IP and isc-dhcp-server work fine, but I can't get PPPoE to work properly.

I've followed these guides and attempted to connect using a Tomato router, but had no luck...
http://www.howtodoityourself.org/pp...t-yourself.html
https://poundcomment.wordpress.com/...rver-on-ubuntu/

The only thing I didn't change was /etc/network/interfaces
My eth0 is a DHCP connection, while the eth1 will be static.

I suspect there is something wrong with pppd

/etc/network/interfaces
code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
address 192.168.5.254
netmask 255.255.255.0
pppoe-server-options
code:
# PPP options for the PPPoE server
# LIC: GPL
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
netmask 255.255.255.0
defaultroute
noipdefault
usepeerdns
allip
code:
192.168.5.1-11
chap-secrets
code:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

"test"          *       "test"                  192.168.5.10
I'm running this:
pppoe-server -C isp -L 192.168.5.254 -p /etc/ppp/allip -I eth1

/var/log/messages
code:
Jan  7 02:57:45 Plug3 kernel: [   42.612533] PPP generic driver version 2.4.2
Jan  7 02:57:45 Plug3 pppd[668]: pppd 2.4.6 started by root, uid 0
Jan  7 02:57:45 Plug3 pppd[668]: Using interface ppp0
Jan  7 02:57:45 Plug3 pppd[668]: Connect: ppp0 <--> /dev/pts/0
Jan  7 02:57:50 Plug3 pppd[679]: pppd 2.4.6 started by root, uid 0
Jan  7 02:57:50 Plug3 pppd[679]: Using interface ppp1
Jan  7 02:57:50 Plug3 pppd[679]: Connect: ppp1 <--> /dev/pts/1
Jan  7 02:57:53 Plug3 pppd[679]: Peer test failed CHAP Session verification
Jan  7 02:57:53 Plug3 pppd[679]: Connection terminated.
Jan  7 02:57:53 Plug3 pppd[679]: Exit.
Jan  7 02:58:16 Plug3 pppd[668]: LCP: timeout sending Config-Requests
Jan  7 02:58:16 Plug3 pppd[668]: Connection terminated.
Jan  7 02:58:16 Plug3 pppd[668]: Modem hangup
Jan  7 02:58:16 Plug3 pppd[668]: Exit.
I think my pppd client is messed up, tomato
code:
#pppoe-status
pppoe-status: Link is down (can't read pppoe PID file /var/run/pppoe.conf-pppoe.pid.pppoe)
My tomato router log has instances of this:
code:
unknown daemon.err pppd[1945]: Timeout waiting for PAD0 packets

Ur Getting Fatter
Jun 9, 2007

Fast Food Fight



Grimey Drawer

I have remote box running Ubuntu 16.04 server, let's call it "RemoteBox".

I also have a local box running Centos 7, let's call it "LocalBox".

I've used SSHFS to mount a directory on RemoteBox to a mountpoint on LocalBox and it works perfectly fine.

However, when I try to add the mountpoint to a Samba share, so that Windows users in my local network can browse it, on the Windows side either nobody can see the folder, or if they can, they cannot access it.

Any ideas if I'm doing something wrong or if it's simply not possible to do what I'm trying to do?

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Yam Slacker

Ur Getting Fatter posted:

I have remote box running Ubuntu 16.04 server, let's call it "RemoteBox".

I also have a local box running Centos 7, let's call it "LocalBox".

I've used SSHFS to mount a directory on RemoteBox to a mountpoint on LocalBox and it works perfectly fine.

However, when I try to add the mountpoint to a Samba share, so that Windows users in my local network can browse it, on the Windows side either nobody can see the folder, or if they can, they cannot access it.

Any ideas if I'm doing something wrong or if it's simply not possible to do what I'm trying to do?

Best guess, it's a user permissions thing, since sshfs runs entirely in user space. Try mounting the sshfs directory with the '-o allow_other' option and see what that does.

Suspicious Dish
Sep 24, 2011



Fun Shoe

VOTE YES ON 69 posted:

Can someone explain SELinux to me like I'm a child? It sounds like unless you go out of your way to restrict your process, it will otherwise unmolested by SELinux, right? Are there general system contexts that make that not true? I've tried to read about it, but it just makes my eyes glaze over.

For context I work on an application that I want to make sure works on SELinux -- it seems that there are three approaches: just ignore SELinux and probably? everything will work fine, write a policy that gives sweeping permissions to my context, or write a fine grained policy that defines everything that I will ever do. Is that about right?

there's a bunch of tags and those things do things but everything is handled by this giant rear end policy file which is basically the domain of one person at red hat who understands the drat thing. it's 50KLOC basically of policy special cases for every piece of software ever

https://github.com/fedora-selinux/s...y/tree/f25-base

it also wouldn't stop this case for multiple reasons

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell


1. If Linux security sucks is there an OS that is better?
2. Is there a path from where Linux is now to where its security isn't poo poo?

RFC2324
Jun 7, 2012

Http 418


Thermopyle posted:

1. If Linux security sucks is there an OS that is better?
2. Is there a path from where Linux is now to where its security isn't poo poo?

Linux server security is still fairly solid afaik, but for desktop windows is probably your best bet.

This is just based on knowledge of attack surfaces, i may be wrong.

Adbot
ADBOT LOVES YOU

Ciaphas
Nov 20, 2005

> propitiate the dread god arengee




Pillbug

I decided on a more or less random whim to get a Digital Ocean account for loving around with Linux stuff--mainly because currently 'loving around' means learning Haskell, and Cygwin doesn't support it, and for some reason me and OS-hosted VMs don't see eye to eye. Anyway one of the first things I did was apt install gedit and reconnect over SSH with X tunneled. gedit ran like laggy rear end, though, despite being 20ms ping to the server, and didn't seem to matter whether I used PuTTY+Xming or MobaXTerm. Very lengthy redraw times and slow responses. My usual alternative, nedit, also ran like butt so I don't think it was gedit's toolkit (gtk?) that was causing the problem.

It's been a very long time since I've tried to administer a Linux system, so I don't really know what I'm doing anymore. What's the 'right' way to run GUI applications in linux land over an SSH connection? Or do I have the right idea and I have something misconfigured? (I know VNC is a thing, but I'm not a fan of that either. Something about the way it authenticated last time I tried it just bothered me.)

(ed) I'm not using goddamn vi or emacs except in emergencies it's not the 80s anymore

Ciaphas fucked around with this message at Dec 18, 2016 around 00:47

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«733 »