
Comment Re:chroot is not for security. like change directo (Score 1) 728

Sounds to me like you are banking on kernel exploits being more rare than they actually are.

Well, from a chroot environment running as a non-root user: it is going to be a technical challenge to make calls to the kernel directly, and for all you know a syscall filtering mechanism is in place. And chroot is just one of the early lines of defense.

Comment Re:read the man page (Score 1) 728

Gonna be kind of tough to have a shell without a tty, aka /dev/*tty*. So yeah, you need /dev.

False. In fact you're false on so many counts, that I'll just show with a session excerpt to a jailed shell.

[~]# uname -ir
2.6.32-573.1.1.el6.x86_64 x86_64
[~]# grep support1 /etc/passwd
[~]# grep support1 /var/jail/etc/passwd
[~]# cat /proc/uptime
246835.99 239072.52
[~]# su - support1
[~]$ cat /proc/uptime
cat: /proc/uptime: No such file or directory
[~]$ ls -la /dev
total 8
drwxr-xr-x. 2 root root 4096 Aug 19 10:01 .
drwxr-xr-x. 10 root root 4096 Aug 19 10:07 ..
[~]$ ls /proc
ls: cannot access /proc: No such file or directory
[~]$ find / | grep tty
find: `/home.a/lost+found': Permission denied
[~]$ whoami
[~]$ ld
bash: ld: command not found
[~]$ /lib64/ /bin/date
Mon Aug 31 01:35:54 CDT 2015
[~]$ cat /bin/date > date
[~]$ ./date
bash: ./date: Permission denied
[~]$ /lib64/ ./date
./date: error while loading shared libraries: ./date: failed to map segment from shared object: Operation not permitted
[~]$ /lib64/ /bin/date
Mon Aug 31 01:37:17 CDT 2015
[~]$ /lib64/ ./date
./date: error while loading shared libraries: ./date: failed to map segment from shared object: Operation not permitted
[/home.a/support1]$ find / | grep '/ld'

Comment Re:Bullshit (Score 1) 728

yet it has never been clear to me which variables get passed over to the root session and which do not

All exported environment variables, just as if you spawned a shell binary with the same user.

Except on systems that implemented PAM su; on these systems, PAM modules might be used to change the values of ulimits or some other environment variables, or clear some.

They might do this because it is the desire of whoever configured the system to assign additional characteristics to certain interactive root or other-user shells.

Comment Re:The way this should end (Score 1) 728

In the long run, he's not going to be satisfied until he's created his own OS, kernel and all because he calls anything he didn't write a "broken concept," whatever that is

How about we get someone to fork the Systemd that distros have adopted and start working on fixing it, paring it down, and removing unneeded functionality into separate optional related projects?

Comment Re:chroot is not for security. like change directo (Score 3, Informative) 728

You can ALWAYS "break out" of chroot.

If you get a shell in one of my chroots used for security, then.....

  • Your uid and gid are not going to be 0. Good luck telling the kernel to try and get you out.
  • There aren't going to be any /dev, /proc, or other special filesystems inside your chroot.
  • There aren't going to be any compilers or setuid binaries inside your chroot
  • If this is a FTP area, there won't be any binaries at all
  • Only the minimum files actually necessary for the program that uses that chroot are going to be found inside that chroot.
  • You won't have a chmod() command anywhere available inside that chroot.
  • All unnecessary POSIX capabilities will have been masked out from the process.
  • There won't be any writable locations in your chroot, the whole chroot will be mounted on a read-only file system, except if there is a place where writes are required by the legitimate software, and those mount points will have been marked as noexec.
  • The kernel will be running PaX or GRSecurity, such that most user data areas are non-executable, and memory pages expected to be executable of programs will get marked as read-only as they are launched, so only available binaries can be used to communicate with the kernel through syscalls.

In short: I think chroot is plenty good for security. There's no way in hell you are breaking out, without a straight up kernel arbitrary execution exploit.
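
A way to check a jail directory against the file-level items in the checklist above, as an added example that is not part of the original comment. The function names, the forbidden-tool list and the sample tree are assumptions made for illustration; mount options (read-only, noexec), POSIX capabilities and kernel hardening are outside what this checks.

```python
import os
import stat

# Names the checklist says should be absent; the exact list is an assumption.
FORBIDDEN_TOOLS = {"gcc", "cc", "ld", "as", "chmod"}
SPECIAL_DIRS = ("dev", "proc", "sys")


def audit_jail(root):
    """Return sorted (issue, path-inside-jail) findings for the tree at root."""
    findings = []
    for special in SPECIAL_DIRS:
        path = os.path.join(root, special)
        # An empty directory is acceptable; any entry inside it is reported.
        if os.path.isdir(path) and os.listdir(path):
            findings.append(("special-fs-populated", "/" + special))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink permission bits carry no meaning
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device-node", rel))
            if stat.S_ISREG(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(("setuid-or-setgid", rel))
                if name in FORBIDDEN_TOOLS and mode & 0o111:
                    findings.append(("forbidden-tool", rel))
            if mode & 0o022:  # writable by group or others
                findings.append(("group-or-world-writable", rel))
    return sorted(findings)


def build_sample_jail(root):
    """Constructed sample: one clean binary plus four deliberate violations."""
    for d, mode in (("bin", 0o755), ("dev", 0o755), ("proc", 0o755), ("tmp", 0o1777)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    files = {"bin/date": 0o755, "bin/chmod": 0o755, "bin/su": 0o4755, "proc/uptime": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root
```

Run `audit_jail("/var/jail")` (or whatever the jail root is) as a user who can read the whole tree; an empty list means none of the file-level violations were found.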

Comment Bullshit (Score 5, Insightful) 728

Lennart Poettering's long story short: "`su` is really a broken concept

Declaring established concepts as broken so you can "fix" them.

Su is not a broken concept; it's a long well-established fundamental of BSD Unix/Linux. You need a shell with some commands to be run with additional privileges in the original user's context.

If you need a full login you invoke 'su -' or 'sudo bash -'

Deciding what a full login comprises is the shell's responsibility, not your init system's job.

Comment Re:That's gonna be a nope (Score 1) 133

I don't want a tracker device to give every advertiser every single piece of data the phone gets. I don't want a media device slinging ads, loaded with bloatware.

You can either have a smartphone, or you can avoid having those things, not all 3 things.

Nokia 3310 for no ads, bloatware, trackers for advertisers.

It's not a smartphone, but it is a smart phone.

Comment The driver already surrendered ultimate control (Score 1) 236

And what if the passenger doesn't want the car to stop—can she override the command, or does the police officer have ultimate control?

No... the driver already surrendered ultimate control to the car by choosing a self-driving vehicle, and I expect the vehicle to obey the law, even over the driver's wishes, which says that citizens must follow a lawful official's orders, unless following the order clearly violates civil rights or creates an immediate safety hazard for themselves or another person.

Being required to stop your vehicle and pull over to be detained is a legal, reasonable order, so long as the car can legitimately establish the authority of the person directing.

Your self-driving car should take some precautions, in case the person gesturing your car to stop is a crook in disguise.

I see a possibility of allowing the driver to override a gesture, if the driver has the autonomous vehicle place a 911 call and hold the horn down. The driver's picture identity and vehicle info will be automatically transmitted.

Comment Re: Nothing open to the sky (Score 2) 116

can you give me another example of where radio signals are scrambled by the government?

My understanding is that some US law enforcement SWAT, Bomb Squad teams, and other counter-terrorism forces might employ tactical jamming devices when conducting certain raids in order to suppress targets' access to cellular data networks and other wireless communications, until personal electronics have been secured with targets in custody; this also helps prevent video footage of raids from getting released or saved to the cloud.

Comment Re: Nothing open to the sky (Score 1) 116

Have fun getting the FCC to approve that idea.

The FCC is primarily a regulator over private use of spectrum. The FCC authority over government users is more limited, and is mostly through cooperative agreement, because gov't users should obey the law. In particular: the FCC is more restricted or unable to take any enforcement action against usage within military and executive branches of government that officials within those departments have authorized. If the military chose to jam all frequencies for a period of time, the FCC would have no recourse other than to protest.

Private industry and prison officials have already worked with the FCC on ways of getting cell phones blocked, which is technology already being used ----- blocking cell phones through cell tower spoofing is already being done by prisons through a certain company's solution.

Comment Re:Nothing open to the sky (Score 1) 116

Then the Drones will deliver to where they are outside, instead of the yard.

The top of the line consumer drones can only fly for about 10 minutes tops.

So work out the maximum expected travel distance of the drones at full speed that bad guys are likely to have at their disposal, then mark out that radius, add 20% and make that entire area an "Official Drones Only" zone.

Build future prisons with at least twice that radius of buffer zone around them that nobody is allowed to enter.

Any drones found flying in the exclusion zone get shot down.

Comment Re:Nothing open to the sky (Score 1) 116

Okay... so... don't have those areas.

Sure.... but why not just build a fenced in area that drones cannot enter?

Low tech method would be to cover the yard with netting.

High tech method would be to have their own tethered drones or sensing devices conducting a continuous aerial patrol.

If a drone flies over, do an immediate lockdown and scramble guards to secure all the prisoners and take the drone down.
