* Posts by Ramazan

808 publicly visible posts • joined 1 Aug 2008

Don't panic, but Linux's Systemd can be pwned via an evil DNS query

Ramazan
Coat

Re: Debian LTS

Last week I switched another one of my computers from Debian to Hardened Gentoo.

Ramazan

Re: Getting rid of systemd won't stop buffer overruns.

Getting rid of systemd will certainly stop buffer overruns caused by systemd. That's a welcome improvement to overall system security.

Ramazan
Facepalm

Re: the real problem here is coding in a language that allows overruns to happen

The real problem is allowing people who think that a language should solve all their overrun problems to code in the language that allows overruns to happen.

Ramazan

Re: I refuse to set up non-systemd server

Let me fix it for ya, John:

"I use xpdf on all the computers I manage, out of choice. I refuse to set up non-xpdf setups any more, it is just so vastly more pleasant to work with than the alternatives."

(https://security.gentoo.org/glsa/201402-17)

Ramazan

Re: I think the appropriate response would be a gallic shrug

Let me provide an analogy. You know, xpdf frequently had code execution vulnerabilities found in it and ultimately was removed from Gentoo in 2014 when another one resurfaced and became the last straw:

https://security.gentoo.org/glsa/201402-17

"Description: Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details.

Resolution: Gentoo has discontinued support for Xpdf. We recommend that users unmerge Xpdf: # emerge --unmerge "app-text/xpdf"

After that, there's no more xpdf in Gentoo. They use mupdf instead. I hope systemd meets the same fate, the sooner the better. Flushing toilet water icon, please.

Control-C! umount! Ctrl-Alt-Delete! Tintri forcibly ejects from today's IPO

Ramazan

alt-sysrq-u, alt-sysrq-o

US Senators want Kaspersky shut out of military contracts

Ramazan

Re: If their computers run fast enough to let them

The last time I saw Kaspersky Antivirus in action was more than 10 years ago, and it rendered the computer slow, exactly like you described. I think it's the same nowadays, so I see no sense in exchanging one AV for another or vice versa.

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

Ramazan

Re: It's a bit harder if the partition table is screwed

The partition table is usually restored by looking for 55 AA at the end of sectors. In the good old days you would only look at cylinder boundaries and cylinder boundaries + 63 sectors, which was damn fast. Now that fdisk et al. operate in non-DOS-compatible mode by default, the process takes much longer.
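The two scanning strategies the comment describes, as an added example that is not the commenter's code: a full per-sector scan for the 0x55 0xAA signature, plus the legacy DOS-geometry filter (63 sectors per track, 255 heads) that limits candidates to cylinder boundaries and boundary + 63. The 8-sector disk image is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512
#define SPT    63           /* sectors per track, legacy DOS geometry */
#define SPC    (SPT * 255)  /* sectors per cylinder with 255 heads: 16065 */

/* True if the sector ends with the 0x55 0xAA boot-record signature. */
static int has_boot_signature(const uint8_t *sector) {
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* The old fast path: with DOS-compatible partitioning a boot record can only
 * sit on a cylinder boundary (MBR/extended table) or 63 sectors past one. */
int is_dos_candidate(uint64_t lba) {
    uint64_t r = lba % SPC;
    return r == 0 || r == SPT;
}

/* The modern slow path: inspect every sector. Records matching LBAs in hits[]. */
size_t scan_boot_signatures(const uint8_t *img, size_t len,
                            uint64_t *hits, size_t max_hits) {
    size_t n = 0;
    for (uint64_t lba = 0; (lba + 1) * SECTOR <= len; lba++)
        if (has_boot_signature(img + lba * SECTOR) && n < max_hits)
            hits[n++] = lba;
    return n;
}

/* Constructed 8-sector image: signature in LBA 0 (MBR) and LBA 5 (a VBR);
 * LBA 3 carries the two bytes reversed, which must not count as a hit. */
static uint8_t g_image[8 * SECTOR];
uint64_t       g_hits[8];
size_t run_scan(void) {
    memset(g_image, 0, sizeof g_image);
    g_image[0 * SECTOR + 510] = 0x55; g_image[0 * SECTOR + 511] = 0xAA;
    g_image[5 * SECTOR + 510] = 0x55; g_image[5 * SECTOR + 511] = 0xAA;
    g_image[3 * SECTOR + 510] = 0xAA; g_image[3 * SECTOR + 511] = 0x55;
    return scan_boot_signatures(g_image, sizeof g_image, g_hits, 8);
}

int main(void) {
    size_t n = run_scan();
    for (size_t i = 0; i < n; i++)
        printf("LBA %llu dos_candidate=%d\n", (unsigned long long)g_hits[i], is_dos_candidate(g_hits[i]));
    return 0;
}
```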

Huge ransomware outbreak spreads in Ukraine and beyond

Ramazan

Re: Ukraine ?

Well, if the virus is really named Petya, then it might be named so after Pyotr Poroshenko, the current president of Ukraine (Petya is the diminutive form of Pyotr, FYI). So, Putin or not, this one was probably targeted at Ukraine.

Intel's Skylake and Kaby Lake CPUs have nasty hyper-threading bug

Ramazan
Terminator

Re: when a bug/missing feature prevents the system from booting

"I've seen things you people wouldn't believe".

Ramazan

Re: would be compiler authors and related fields

Not necessarily. Guys who run performance benchmarks at Tom's Hardware Guide once noticed that the newest Intel Pentium III 1333MHz (or was it 1133MHz?) consistently crashed at the Linux kernel compilation test.

Found it on Wikipedia: "A 1.13 GHz version was released in mid-2000 but famously recalled after a collaboration between HardOCP and Tom's Hardware[3] discovered various instabilities with the operation of the new CPU speed grade."

http://www.tomshardware.com/reviews/intel-admits-problems-pentium-iii-1,235-3.html:

"When I was testing the Pentium III 1.13 GHz I was also using a GNU/Linux installation to run kernel compilation benchmarks. I had introduced this benchmark in our processor-benchmarking suite only recently and was therefore not too experienced with this operating system. What I knew for sure however was that my Pentium III 1.13 GHz hadn't been able to finish the compilation even once."

Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity

Ramazan

If grsec are clowns, Torvalds is a director of a circus, surely.

Ramazan
Facepalm

Re: "grsecurity is garbage" is a true statement though.

You've misspelled something there: ""SELinux is garbage" is a true statement though". Here, fixed it for ya, Tom.

Queen's speech announces laws to protect personal data

Ramazan

Re: Saying that ... takes decades of practice.

God save the Queen,

it's world-class regime!

Debian 9 feels like home with security upgrades and a flaming vulpine warming your toes

Ramazan

Re: libsystemd0

"Are you sure that matters?"

I think you _can_ upgrade if you hadn't pinned libsystemd0 to -1. Having libsystemd0 on a system without the actual systemd daemon is not a big deal for most people, but it does matter to me, so I don't feel "like home" in Debian anymore.

Ramazan

I've set pin 1001 for jessie versions and am rolling my partially upgraded system back to jessie. After the downgrade is finished, I'm switching to Devuan by following the https://devuan.org/os/documentation/dev1fanboy/Upgrade-to-Devuan guide.

I used to be a co-maintainer of some Debian packages in the past (won't disclose which ones in order to remain anonymous), but now I'm done with this distro even as a user, what a shame. It was a good time, though...

Ramazan

openssh-server now depends on libsystemd0, as do unix-utils, xserver-xorg and a lot of other tools. My dist-upgrade attempts have thus failed.

Goodbye, Debian. It's very telling they dedicated this release to Ian. RIP

Ramazan

Re: and it only has cold water because hot has been deprecated

"Previous versions of the smartmontools package included a tool update-smart-drivedb which downloaded updated drive definitions from the smartmontools website and stored them at /var/lib/smartmontools/drivedb/drivedb.h"

"This tool did not download the definitions in a secure manner and so the feature has been removed in this version. Future drive DB updates will be propagated via normal Debian package updates, including backports."

Ha-ha-ha. The hot water pipe did not deliver hot water in a secure manner and has been disconnected. In the future water will be delivered pre-heated and packaged in 19 liter bottles via normal FedEx channels.

Ramazan

X.Org no longer needs root privileges

"Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges."

This is interesting indeed and I'd like to see this in action. Unfortunately, all my Debian setups have systemd (and libpam-systemd and libsystemd0 and policykit* and libpolkit-* etc and so on) purged, so I doubt I'll ever witness this on real hardware, maybe on a VM some other time.

BTW, running X without full root privileges should be possible if you remove suid/sgid from /usr/bin/X and use 'setcap' on it instead. Judging from my RBAC policy for /usr/bin/Xorg subject, CAP_IPC_OWNER, CAP_WAKE_ALARM and CAP_SYS_RAWIO should be sufficient for Xorg with "VESA" driver and CAP_IPC_OWNER, CAP_WAKE_ALARM and CAP_SYS_ADMIN should work for Xorg with "intel" one.

Ramazan

Re: I would like secure boot to harden my Debian-based appliances

If you want to harden your appliances, you should use hardened Gentoo instead (but it will take a couple of months or more to properly set up grsecurity RBAC).

By the way, enabling RBAC early in the boot process is _not_ recommended. If you read default /etc/grsec/learn_config file, you'll notice this:

# the below lines are for catching the occasional use of init.d scripts at runtime
# comment them out if you are starting learning before services are started by init
# (a highly non-recommended choice)
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d

Ramazan

Re: The new firefox "run in a container" security tech

Firefox should be run in a separate chroot on a separate FS IMO.

I run it on hardened Gentoo under a strict RBAC policy subject with all .so and other files it uses written explicitly in the subject and everything else hidden. On the first run it requires stat() access to the /home/username directory, but it can and must be hidden from firefox afterwards (because firefox installs an inotify() watch on it and you'd be surprised by grsec alerts like "grsec: (username:U:/usr/lib/firefox/firefox) denied access to hidden file /home/username/.viminfz.tmp by /usr/lib/firefox/firefox[gmain:1234]" each time you edit something or modify files in your home directory). What I do in my home directory and the names of files I work with are none of firefox's fucking business.

Ramazan

Re: It took me one whole f*** afternoon to win the fight last time when I got it from 7 to 8

In the past 10 years none of Debian's dist upgrades worked without manual intervention on my systems. The upgrade from 8.8 to 9 hasn't succeeded for me yet, this one is the worst! YMMV

Stack Clash flaws blow local root holes in loads of top Linux programs

Ramazan

no info on whether their proof-of-concept works on grsec systems

Costa Rica complains of US govt harassment over Pirate Bay domain

Ramazan

Re: Try to make TOR illegal? Probably. Will it work? No.

Did you ever try doing a google search via TOR? Did you ever try to set up a TOR exit node on a VPS?

Short answer: yes, making TOR illegal will work.

'OK, everyone. Stop typing, this software is DONE,' said no one ever

Ramazan

In Gentoo Linux, there's a package named "vixie-cron". Go figure...

Debian devs dedicate new version 9 to the late Ian Murdock

Ramazan

Re: good thing about UEFI is support for GPT

Don't both GRUB and LILO support GPT? Even more, LILO doesn't give a shit about GPT/DOS/BSD/etc disklabels at all AFAIU...

Software dev bombshell: Programmers who use spaces earn MORE than those who use tabs

Ramazan

Re: :set tabstop=<n>

Too long, too many lines. Most people use smth like "set ts=8 et sw=4" and put it in a modeline.

Ramazan
Facepalm

Re: *cough* Makefiles *cough*

The most valid statement comes on the 3rd page of comments... "Devs", they say. +2.4 years to experience. +8.6% to salary, blah blah blah. When you join a dev project, you accept an already established indentation style, and for Makefiles there are no alternatives to tabs at all. So what? If you can't set et/noet, sw, ts and tw or their analogues for your favourite editor on a per-file basis, you have no place in this industry at all IMNSHO. Modelines have been there for tens of years, FFS.

Ramazan

Re: What about spaces *and* tabs?

"Most editors can't even support it for both viewing and typing"

Bullshit. All editors, I mean both of them do support that. Even more, this indentation style is the default IIRC.

Ramazan

Re: if only there was a way to, I dunno, Search and Replace

:help :retab

Don't touch that mail! London uni fears '0-day' used to cram network with ransomware

Ramazan
Pint

Re: log in to one of the servers and run pine

it's called alpine nowadays. Still works though. mutt also does.

Ramazan
Facepalm

Re: windows permissions model is much more flexible than UNIX

setfacl/getfacl -- obviously you never heard about them? grsec/gradm, no? apparmor/selinux, still no trace of recognizing anything?

Europe-wide BitTorrent indexer blockade looms after Pirate Bay blow

Ramazan

Small hint: torrenting entirely via TOR works just fine with TCP trackers. If you use transparent TOR proxying, the torrent client's traffic gets routed through the TOR network too. This way you are completely anonymous, just don't forget to block outgoing non-TCP traffic.

Microsoft founder Paul Allen reveals world's biggest-ever plane

Ramazan
Facepalm

The world's biggest-ever plane is the An-224 "Mriya"; it's longer _and_ heavier than this one, although with a smaller wingspan indeed.

Init freedom declared as systemd-free Devuan hits stable 1.0.0 status

Ramazan

Re: firewall-cmd (firewalld) is more of the same, an effort to standardize configuration

A firewall is a separate task and must thus be provided by a separate package. Tea at 5 o'clock is also part of the standard routine, why don't you include it in systemd too? Take the job from cron (and anacron) and reimplement their functions in a "more efficient way" with bells and whistles added? In an effort to standardize configuration, yeah?

Ramazan
Facepalm

Re: "hostname" only reads the current hostname.

https://manpages.debian.org/jessie/hostname/hostname.1.en.html

Ramazan

works fine on a few debian jessie vpses

Removing systemd from Debian VPS should be easy indeed, 'cause it doesn't run any DE. For GNOME users there's no way to remove it from Debian systems since Jessie.

Ramazan

Re: but are already running Devuan.

I'm already running Debian without systemd BTW (approx. for a year or even more), but I'll switch all my computers to either a hardened Gentoo or to Devuan if Debian doesn't root the fucking systemd out soon. And I'm already running the said Gentoo on one notebook, and while it was a fucking hell to install I'm starting to like it.

Fat-thumbed dev slashes Samba security

Ramazan

Re: an old commit connected the two subsystems together,

Jeremy, are you one of the SAMBA devs? Loading plugins must be:

1. restricted to a known list of "trusted" plugins

2. list of trusted plugins must be configurable by server admin

3. list of trusted plugins must be empty by default

4. libraries must only be loaded from trusted paths /usr/lib and /lib

5. user input must never get into parameters of dlopen() or into "trusted" plugins or paths lists

6. user input should never get into parameters of execve() either, too long to explain in detail here
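Rules 1 through 5 above, applied in a small plugin-loader front end. This is an added example, not Samba's code: the plugin directory /usr/lib/example-plugins/ and the names plugin_a and plugin_b are constructed, and the function that would call dlopen() on the result is left out so the block stays self-contained.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define PLUGIN_DIR "/usr/lib/example-plugins/"  /* hypothetical trusted dir (rule 4) */
#define MAX_NAME   64

/* Rule 3: nothing is trusted until the admin configures the list (rule 2). */
static const char *const *g_trusted = NULL; static size_t g_trusted_n = 0;
void set_trusted_plugins(const char *const *n, size_t c) { g_trusted = n; g_trusted_n = c; }

/* Rule 5: a plugin name is a bare identifier. Rejecting '/', '.' and anything
 * else outside [A-Za-z0-9_-] keeps "../", absolute paths and "x.so" out. */
static int name_is_clean(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len >= MAX_NAME) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}
/* Rule 1: exact match against the configured list, nothing fuzzy. */
static int name_is_trusted(const char *name) {
    for (size_t i = 0; i < g_trusted_n; i++)
        if (strcmp(g_trusted[i], name) == 0) return 1;
    return 0;
}

/* Builds the only string that may reach dlopen(): fixed directory plus a
 * clean, allow-listed name. Returns 0 on success, -1 on refusal. */
int resolve_plugin_path(const char *requested, char *out, size_t outsz) {
    if (!name_is_clean(requested) || !name_is_trusted(requested)) return -1;
    int n = snprintf(out, outsz, "%slib%s.so", PLUGIN_DIR, requested);
    return (n > 0 && (size_t)n < outsz) ? 0 : -1;
}
/* Constructed admin configuration and a wrapper returning the path or NULL. */
static const char *const g_demo_trusted[] = { "plugin_a", "plugin_b" };
void configure_demo(void) { set_trusted_plugins(g_demo_trusted, 2); }
const char *demo_path(const char *name) {
    static char path[256];
    return resolve_plugin_path(name, path, sizeof path) == 0 ? path : NULL;
}

int main(void) {
    configure_demo();
    printf("plugin_a -> %s\n", demo_path("plugin_a"));
    printf("../evil  -> %s\n", demo_path("../evil") ? "loaded" : "refused");
    return 0;
}
```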