cultural reviewer and dabbler in stylistic premonitions

  • 13 Posts
  • 121 Comments
Joined 3 years ago
cake
Cake day: January 17th, 2022

help-circle
  • Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?

    I don’t use it, but, sudoedit is a little more complicated than that.

    details

    from man sudo:

    When invoked as sudoedit, the -e option (described below), is implied.
    
           -e, --edit
                   Edit one or more files instead of running a command.   In  lieu
                   of  a  path name, the string "sudoedit" is used when consulting
                   the security policy.  If the user is authorized by the  policy,
                   the following steps are taken:
    
                   1.   Temporary  copies  are made of the files to be edited with
                        the owner set to the invoking user.
    
                   2.   The editor specified by the policy is run to edit the tem‐
                        porary files.  The sudoers policy  uses  the  SUDO_EDITOR,
                        VISUAL  and  EDITOR environment variables (in that order).
                        If none of SUDO_EDITOR, VISUAL  or  EDITOR  are  set,  the
                        first  program  listed  in the editor sudoers(5) option is
                        used.
    
                   3.   If they have been modified, the temporary files are copied
                        back to their original location and the temporary versions
                        are removed.
    
                   To help prevent the editing of unauthorized files, the  follow‐
                   ing  restrictions are enforced unless explicitly allowed by the
                   security policy:
    
                    •  Symbolic links  may  not  be  edited  (version  1.8.15  and
                       higher).
    
                    •  Symbolic links along the path to be edited are not followed
                       when  the parent directory is writable by the invoking user
                       unless that user is root (version 1.8.16 and higher).
    
                    •  Files located in a directory that is writable by the invok‐
                       ing user may not be edited unless that user is  root  (ver‐
                       sion 1.8.16 and higher).
    
                   Users are never allowed to edit device special files.
    
                   If  the specified file does not exist, it will be created.  Un‐
                   like most commands run by sudo, the editor is run with the  in‐
                   voking  user's  environment  unmodified.  If the temporary file
                   becomes empty after editing, the user will be  prompted  before
                   it is installed.  If, for some reason, sudo is unable to update
                   a file with its edited version, the user will receive a warning
                   and the edited copy will remain in a temporary file.
    

    tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your $EDITOR as your normal user (so, with your normal editor config)

    note that sudo also includes a similar command which is specifically for editing /etc/sudoers, called visudo 🤪


  • Arthur Besse@lemmy.mltoAsklemmy@lemmy.ml*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    3 days ago

    The primary purpose of those buttons is of course to let those sites track everyone’s browsing activity across every site that uses them, which does not require that anyone ever click on them.

    Even if less than 0.0001% of people click them, anyone with an SEO/spammer “grindset” will assure site operators that the potential benefit of someone sharing a link they otherwise wouldn’t have is still at least theoretically non-zero. And, since there is absolutely no cost at all besides an acceptable number of extra milliseconds per pageload, really, it would be downright irresponsible not to have them there!



  • Arthur Besse@lemmy.mlMtoLinux@lemmy.mlWhat was Linux like in the 90s
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    6 days ago

    encryption would prevent the modem from seeing it when someone sends it, but such a short string will inevitably appear once in a while in ciphertext too. so, it would actually make it disconnect at random times instead :)

    (edit: actually at seven bytes i guess it would only occur once in every 72PB on average…)







  • Arthur Besse@lemmy.mlMtoLinux@lemmy.mlA good e-mail client for linux?
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    29 days ago

    still of Obi-wan Kenobi in Star Wars with subtitle "Now, that's a name I've not heard in a long time. A long time."

    At first i thought, wow, cool they’re still developing that? Doing a release or two a year, i see.

    I used to use it long ago, and was pretty happy with it.

    But looking closer now, what is going on with security there?! Sorry to be the bearer of probably bad news, but... 😬

    The only three CVEs in their changelog are from 2007, 2010, and 2014, and none are specific to claws.

    Does that mean they haven’t had any exploitable bugs? That seems extremely unlikely for a program written in C with the complexity that being an email client requires.

    All of the recent changelog entries which sound like possibly-security-relevant bugs have seven-digit numbers prefixed with “CID”, whereas the other bugs have four-digit bug numbers corresponding to entries in their bugzilla.

    After a few minutes of searching, I have failed to figure out what “CID” means, or indeed to find any reference to these numbers outside of claws commit messages and release announcements. In any case, from the types of bugs which have these numbers instead of bugzilla entries, it seems to be the designation they are using for security bugs.

    The effect of failing to register CVEs and issue security advisories is that downstream distributors of claws (such as the Linux distributions which the project’s website recommends installing it from) do not patch these issues.

    For instance, claws is included in Debian stable and three currently-supported LTS releases of Ubuntu - which are places where users could be receiving security updates if the project registered CVEs, but are not since they don’t.

    Even if you get claws from a rolling release distro, or build the latest release yourself, it looks like you’d still be lagging substantially on likely-security-relevant updates: there have actually been numerous commits containing CID numbers in the month since the last release.

    If the claws developers happen to read this: thanks for writing free software, but: please update your FAQ to explain these CID numbers, and start issuing security advisories and/or registering CVEs when appropriate so that your distributors will ship security updates to your users!





  • Arthur Besse@lemmy.mlMtoLinux@lemmy.ml*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 month ago

    for example, on a linux distro, we could modify the desktop environment and make it waaaaay lighter by getting rid of jpg or png icons and just using pure svg on it.

    this has largely happened; if you’re on a dpkg-based distro try running this command:

    dpkg -S svg | grep svg$ | sort

    …and you’ll see that your distro includes thousands of SVG files :)

    explanation of that pipeline:
    • dpkg -S svg - this searches for files installed by the package manager which contain “svg” in their path
    • grep svg$ - this filters the output to only show paths which end with svg; that is, the actual svg files. the argument to grep is a regular expression, where $ means “end of line”. you can invert the match (to see the paths dpkg -S svg found which only contain “svg” in the middle of the path) by writing grep -v svg$ instead.
    • the sort command does what it says on the tin, and makes the output easier to read

    you can run man dpkg, man grep, and man sort to read more about each of these commands.


  • Arthur Besse@lemmy.ml
    shield
    MtoLinux@lemmy.ml*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    192
    ·
    edit-2
    1 month ago

    No, SVG files are not HTML.

    Please change this post title (currently “today i learned: svg files are literally just html code”), to avoid spreading this incorrect factoid!

    I suggest you change it to “today i learned: svg files are just text in an html-like language” or something like that. edit: thanks OP

    SVG is a dialect of XML.

    XML and HTML have many similarities, because they both are descendants of SGML. But, as others have noted in this thread, HTML is also not XML. (Except for when it’s XHTML…)

    Like HTML, SVG also can use CSS, and, in some environments (eg, in browsers, but not in Inkscape) also JavaScript. But, the styles you can specify with CSS in SVG are quite different than those you can specify with CSS in HTML.

    Lastly, you can embed SVG in HTML and it will work in (modern) browsers. You cannot embed HTML in SVG, however.



  • Note: for readers who aren’t aware, the notation ^X means hold down the ctrl key and type x (without shift).

    ctrl-a though ctrl-z will send ASCII characters 1 through 26, which are called control characters (because they’re for controling things, and also because you can type them by holding down the control key).

    ^D is the EOF character.

    $ stty -a | grep eof
    intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
    $ man stty |grep -A1 eof |head -n2
           eof CHAR
                  CHAR will send an end of file (terminate the input)
    

    Nope, Chuck Testa: there is no EOF character. Or, one could also say there is an EOF character, but which character it is can be configured on a per-tty basis, and by default it is configured to be ^D - which (since “D” is the fourth letter of the alphabet) is ASCII character 4, which (as you can see in man ascii) is called EOT or “end of transmission”.

    What that stty output means is that ^D is the character specified to trigger eof. That means this character is intercepted (by the kernel’s tty driver) and, instead of sending the character to the process reading standard input, the tty “will send an end of file (terminate the input)”.

    By default eof is ^D (EOT), a control character, but it can be set to any character.

    For instance: run stty eof x and now, in that terminal, “x” (by itself, without the control key) will be the EOF character and will behave exactly as ^D did before. (The rest of this comment assumes you are still in a normal default terminal where you have not done that.)

    But “send an end of file” does not mean sending EOT or any other character to the reading process: as the blog post explains, it actually (counterintuitively) means flushing the buffer - meaning, causing the read syscall to return with whatever is in the buffer currently.

    It is confusing that this functionality is called eof, and the stty man page description of it is even more so, given that it (really!) does actually flush the contents of the buffer to read - even if the line buffer is not empty, in which case it is not actually indicating end-of-file!

    You can confirm this is happening by running cat and typing a few characters and then hitting ^D, and then typing more, and hitting ^D again. (Each time you flush the buffer, cat will immediately echo the latest characters that had been buffered, even though you have not hit enter yet.)

    Or, you can pipe cat into pv and see that ^D also causes pv to receive the buffer contents prior to hitting enter.

    I guess unix calls this eof because this function is most often used to flush an empty buffer, which is how you “send an end of file” to the reader.

    The empty-read-means-EOF semantics are documented, among other places, in the man page for the read() syscall (man read):

    RETURN VALUE
          On success, the number of bytes read is returned (zero indicates end of
          file), and the file position is advanced by this number.
    

    If you want to send an actual ^D (EOT) character through to the process reading standard input, you can escape it using the confusingly-named lnext function, which by default is bound to the ^V control character (aka SYN, “synchronous idle”, ASCII character 22):

    $ man stty|grep lnext -A1
           * lnext CHAR
                  CHAR will enter the next character quoted
    $ stty -a|grep lnext
    werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
    

    Try it: you can type echo " and then ctrl-V and ctrl-D and then "|xxd (and then enter) and you will see that this is sending ascii character 4.

    You can also send it with echo -e '\x04'. Note that the EOT character does not terminate bash:

    $ echo -e '\x04\necho see?'|xxd
    00000000: 040a 6563 686f 2073 6565 3f0a            ..echo see?.
    $ echo -e '\x04\necho see?'|bash
    bash: line 1: $'\004': command not found
    see?
    

    As you can see, it instead interprets it as a command.

    (Control characters are perfectly cromulent filenames btw...)
    $ echo -e '#!/bin/bash\necho lmao' > ~/.local/bin/$(echo -en '\x04')
    $ chmod +x ~/.local/bin/$(echo -en '\x04')
    $ echo -e '\x04\necho see?'|bash
    lmao
    see?
    

  • Arthur Besse@lemmy.mlMtoLinux@lemmy.mlroot (or sudo) access delay instead of password
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    edit-2
    1 month ago

    sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

    then, put this in your ~/.bashrc:

    alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

    Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.



  • Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.

    This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”. edit: @OP thanks for changing the title!

    Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)

    I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.

    TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).