cultural reviewer and dabbler in stylistic premonitions

  • 4 Posts
  • 51 Comments
Joined 3 years ago
cake
Cake day: January 17th, 2022

help-circle


  • xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

    Fun :)

    Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).


  • A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.

    But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

    But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.




  • Arthur Besse@lemmy.mlMtoLinux@lemmy.mlHow the xz backdoor highlights a major flaw in Nix
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    3 months ago

    As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.

    As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.

    Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.

    After reading Xz format inadequate for long-term archiving (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)








  • Arthur Besse@lemmy.mlMtoLinux@lemmy.mlI feel like I'm taking crazy pills
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    5 months ago

    Can containers boot on their own? Then they are hosts, if not they are guests.

    It depends what you mean by “boot”. Linux containers are by definition not running their own kernel, so Linux is never booting. They typically (though not always) have their own namespace for process IDs (among other things) and in some cases process ID 1 inside the container is actually another systemd (or another init system).

    However, more often PID 1 is actually just the application being run in the container. In either case, people do sometimes refer to starting a container as “booting” it; I think this makes the most sense when PID 1 in the container is systemd as the word “boot” has more relevance in that scenario. However, even in that case, nobody (or at least almost nobody I’ve ever seen) calls containers “guests”.

    As to calling containers “hosts”, I’d say it depends on if the container is in its own network namespace. For example, if you run podman run --rm -it --network host debian:bookworm bash you will have a container that is in the same network namespace as your host system, and it will thus have the same hostname. But if you omit --network host from that command then it will be in its own network namespace, with a different IP address, behind NAT, and it will have a randomly generated hostname. I think it makes sense to refer to the latter kind of container as a separate host in some contexts.




  • What Linux distribution came before Ubuntu that was specifically designed to be user friendly for a non-technical user?

    There were a bunch of distros advertising ease of use; several were even sold in physical boxes (which was the style at the time) and marketed to consumers at retail stores like BestBuy years before Ubuntu started.

    Here are four pictures of the physical packaging for three of those pre-ubuntu desktop distros designed to be user friendly and marketed to the general public:

    Photo of the cardboard packaging for Caldera OpenLinux Another Caldera box Packaging of SuSE 8.1 Mandrake 7.2 packaging

    Ubuntu was better than what came before it in many ways, and it deserves credit for advancing desktop Linux adoption both then and now, but it was not “one of the first” by any stretch.