Conversation

Notices

1. Embed this notice
   Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 16:38:14 JST Wolf480pl

   Just found out about a few Local Privilege Escalations in needrestart(8) that were announced last tuesday:

   https://www.openwall.com/lists/oss-security/2024/11/19/1

   I gotta say they're quite hilarious,.

   • Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 24-Nov-2024 16:42:38 JST Haelwenn /элвэн/ :triskell:

     in reply to
     @wolf480pl First two of them I'm like "What? Why the fuck would you do this? Just restart when /proc/$pid/maps says (deleted)" pretty glad gentoo's restart-services does just that.
   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 16:54:41 JST Wolf480pl

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan I think it's neat that it tries to find non-compiled / bytecode libraries that were updated.

     But when reading how it goes about this in case of Python:
     - read processe's PYTHONPATH - ok so far so good
     - put it in your own env - uh, are you sure you know what you're...
     - fork+exec /proc/$pid/exe - YOU WHAT MATE?

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 24-Nov-2024 17:11:10 JST Haelwenn /элвэн/ :triskell:

     in reply to

     @wolf480pl Oh… interesting kind of behavior, I guess that's due to the large amount of files libraries have due to not packing into something like a .a file.

     Although feels pretty weird to me to not at least keep them mmap'ed (which doesn't prevents a close), specially in Python where import is done at runtime.

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 24-Nov-2024 17:23:00 JST Haelwenn /элвэн/ :triskell:

     in reply to

     @wolf480pl I mean that for Python/Perl their installation is a bunch of files which aren't packed into an archive, typical Unix way being .a (from the ar utility).

   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 17:23:01 JST Wolf480pl

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan
     > I guess that's due to the large amount of files libraries have due to not packing into something like a .a file.

     This sentence does not parse to me.

     Anyway, the point is to `print(sys.path)` and then figure out which .py files are^W might be being used. And I guess python interpreter never mmaps them, just opens the file, reads while parsing, and then closes the FD.

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 24-Nov-2024 17:27:22 JST Haelwenn /элвэн/ :triskell:

     in reply to

     @wolf480pl > Also, it's not about python/perl interpreter itself, it's about the libraries written in those languages.

     Yeah I know, that's the part I'm talking about, the bunch of *.py/*.pyc files. ar(1) isn't just for binaries (and well *.pyc is a binary blob, just not native).

   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 17:27:23 JST Wolf480pl

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan why would they be packed into an archive in their installed form?

     The only way I've seen those used is a) extracting them with ar, and b) passing them to a linker

     Also, it's not about python/perl interpreter itself, it's about the libraries written in those languages.

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 24-Nov-2024 17:32:58 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @wolf480pl And avoiding nasty runtime errors is one of the reasons why I'd pack them and hold an fd.

     This way if the library gets updated and library/program import a subset of it that it didn't previously load, it doesn't means it suddenly crashes because either file got missing, or worse gives you some form of API mismatch or corruption.

   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 24-Nov-2024 17:33:11 JST 翠星石

     in reply to
     @wolf480pl Most LiGNUx installs probably don't even have needrestart installed, considering that mine don't.
   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 17:35:37 JST Wolf480pl

     in reply to

     • 翠星石

     @Suiseiseki do you use Debian?

   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 24-Nov-2024 17:35:37 JST 翠星石

     in reply to
     @wolf480pl I don't use that proprietary distro on my computers, considering the installer is now proprietary.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 24-Nov-2024 17:52:19 JST 翠星石

     in reply to
     @wolf480pl They removed the image that was free of proprietary peripheral software and now only supply one chock full of proprietary software that doesn't respect the freedom of the users; https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms
     
     Most proprietary peripheral software is under terms that deny all 4 freedoms (some may allow unmodified redistribution, but with restrictions that effectively deny freedom 2).
     
     The installer also installs proprietary software *without asking the user*, even if it *isn't even usable*.
     
     For example, if you install Debian in a VM on an intel CPU, it will go install intel's proprietary software microcode updates, even though VMs can't load those.
     
     Hidden in the documentation, there is a note to pass the flag "firmware=never" to the boot args to disable such antifeature, but an opt-out is not acceptable and it also makes the claim that proprietary peripheral software isn't software, rather it's "firmware" (the only reasonable definition of firmware I've found is socketed ROM chips with microprocessor instructions on them - as you cannot reprogram a ROM chip, but you can physically swap the chips without hardware modification - while software that gets loaded onto a peripheral devices RAM lacks any sort of firmness).
     
     Debian compromised and decided to take the faster road, too bad that proprietary road goes to proprietary hell rather than to freedom; https://www.gnu.org/philosophy/compromise.html
   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 17:52:20 JST Wolf480pl

     in reply to

     • 翠星石

     @Suiseiseki also, what's the deal with debian installer being proprietary?

   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 17:52:21 JST Wolf480pl

     in reply to

     • 翠星石

     @Suiseiseki hate to break it to you, but a lot of people do.

   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 24-Nov-2024 18:04:54 JST 翠星石

     in reply to
     @wolf480pl The decision was made in October 2022 during the preparation of the Debian 12 release; https://wiki.debian.org/Firmware
     
     Debian 11 (bullseye) and older was clean, but the main server no longer hosts that (finding a copy isn't too hard although).
   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 18:04:55 JST Wolf480pl

     in reply to

     • 翠星石

     @Suiseiseki you don't have to explain blobs to me, I know the general problem.

     I was just hoping you'd provide a link to an announcement or commit message so that I can figure out for myself which proproetary software they distribute and when they started to do so / when they stopped supplying the blob-free version of the installer.

   • Embed this notice
     Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 24-Nov-2024 18:04:55 JST Wolf480pl

     in reply to

     • 翠星石

     @Suiseiseki s/commit message/vcs commit/