[SOLVED] Any guy able to exploit a Wordpress, Joomla, Drupal from a Slackware Server can get easily root access. How do you comment, Mr. Volkerding?
Mr Vader isn't in another country now, are they? They're communicating over the internet. Aside from that, even between English speaking countries there are differences in etiquette. You would like to assume they are at fault, I'd like to give them the benefit at that. We obviously disagree on giving people the benefit of the doubt so I won't debate the point further, but since we're giving anecdotes, let me share one as I leave.
In my native language, a waiter may ask you "What do you want?" while in English the more polite way to say this would be "How may I help you?" (plus a lot of other filler). In return the customer would reply with "Give me a coffee" while in English they would say "Could I please have a coffee? Thank you" (side note: I notice Americans in this position use a lot less pleases and thank yous than Australians do, just to emphasise my earlier point. In fact they'll even just reply "mhm" when you say thank you, which would be incredibly rude in Australia). One of my friends faced this exact situation when working in a coffee shop, when her manager had to pull her aside and say "Look, you can't just say to customers 'What do you want?'. It's rude". My friend was absolutely mortified because that wasn't her intention. She took for granted that the culture would be the same. Now you can look at that situation with an air of moral superiority and say "You should have learned the language and cultural values to a T before any attempt at communication with people from that language and culture", or you could think "Hey, these things happen. At least now you know!".
I have a question about Slackware development. Aren't there 3+ people who are core developers? So couldn't Eric or Robby or whoever else put out security patches like this when Pat is away?
I'm only an outsider, so I don't know the internal workings of the Slackware team, but I suspect the way it works is that the other team members do some work and then send Pat a note: saying "hey, I've done <this>... you can grab it <here>." and Pat takes a look, and if he likes it he incorporates it into the Slackware tree.
I suppose it's akin to how linus gets 'pull requests' from the subsystem maintainers, but without the aid of 'git'.
This is why I described Slackware as "one-man-centric" rather than a "one-man distro" in my post above.
I'm only an outsider, so I don't know the internal workings of the Slackware team, but I suspect the way it works is that the other team members do some work and then send Pat a note: saying "hey, I've done <this>... you can grab it <here>." and Pat takes a look, and if he likes it he incorporates it into the Slackware tree.
That's been my understanding of it as well. I always imagined that only Pat has access to the master FTP, so anything that Robby, Eric, Stuart, etc. may have to further Slackware development just gets sent to Pat and he decides whether to add it to the official tree or not.
That makes sense, and I can see why it would be done that way. It seems to me like it would be a good idea to allow the other core developers to be able to push security patches when appropriate. Of course, it's Pat's baby and his choice, so he's free to maintain and develop it as he pleases. I actually enjoy rebuilding packages myself sometimes (and the freely available SlackBuilds on the mirrors make it really easy in most cases), but if I were not doing it as a hobby, I could see how delays like this could be a little concerning.
Last edited by montagdude; 10-29-2016 at 01:17 AM.
As long as the drivers are compiled, it doesn't matter whether you use an initrd or not. They can still get loaded.
The only difference is that with an initrd the initial root is a memory resident filesystem, and can then be used to load drivers for the real root.
Once the real root is mounted and in use, drivers for multi-media (or anything else) will come from the mounted root - not the initrd (which has already been discarded).
So initrd would be mandatory for any encrypted rootfs, and optional for any device preloading?
I can imagine an encrypted root that has an edited init to check that a thumbdrive is present, load a key from it and use it to unlock the root fs?
The initrd would not only be mandated but moreover customized for such a setup, where the mentioned key file could be an unsuspected arbitrary file with a GPG or whatever key appended and used through sed to filter out the rest of the Trojan horse?
Of course, lose the key and the fs gets ultimately secure and thereby nearly infinitely inaccessible.
Isn't that the reason why tiny ~50MB FAT/EXT2 "boot" partitions exist?
That is why some exist. FAT, unfortunately, is entirely insecure - and that allows anyone to corrupt the kernel being booted. Even ext2/3/4/xfs/... isn't entirely free from the problem.
You can still boot a fully encrypted disk IF you use an unencrypted read only flash type device.
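The point above, that an unencrypted FAT or ext boot partition lets anyone corrupt the kernel being booted, at least calls for checking the boot medium against a known-good record. The following is an added example, not code from this thread or from Slackware: a POSIX shell check that compares the files on the boot medium with a SHA-256 manifest kept on the encrypted root; the paths and file names used are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or Slackware): detect tampering with the files
# on an unencrypted boot medium by comparing them with a SHA-256 manifest recorded
# from a known-good state and kept on the encrypted root. Paths are assumptions.

# make_manifest BOOTDIR MANIFEST: record "sha256  name" for every file on the
# boot medium (run once from a boot you trust; store MANIFEST on the encrypted root).
make_manifest() {
    (cd "$1" && sha256sum *) > "$2"
}

# verify_boot_manifest MANIFEST BOOTDIR: 0 only if every listed file is present and
# unchanged and the medium carries nothing the manifest does not list (an added
# file is as suspicious as a modified kernel). Findings go to stderr.
verify_boot_manifest() {
    manifest=$1 bootdir=$2 rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        f="$bootdir/$name"
        if [ ! -f "$f" ]; then echo "MISSING:    $name" >&2; rc=1; continue; fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || { echo "MODIFIED:   $name" >&2; rc=1; }
    done < "$manifest"
    for f in "$bootdir"/*; do
        [ -e "$f" ] || continue
        name=${f#"$bootdir"/}
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
            || { echo "UNEXPECTED: $name" >&2; rc=1; }
    done
    return "$rc"
}

# demo_tamper_detection: constructed boot medium in a temp dir; returns 0 when the
# clean medium passes and a modified kernel image is caught.
demo_tamper_detection() {
    d=$(mktemp -d) m=$(mktemp)
    printf 'fake kernel image' > "$d/vmlinuz"      # constructed sample files
    printf 'fake initrd image' > "$d/initrd.gz"
    make_manifest "$d" "$m"
    verify_boot_manifest "$m" "$d" || return 1     # clean medium must pass
    printf 'patched' >> "$d/vmlinuz"               # simulate tampering
    if verify_boot_manifest "$m" "$d" 2>/dev/null; then return 1; fi
    rm -rf "$d" "$m"
}
# Real use: make_manifest /boot /root/boot.sha256 once, then run
# verify_boot_manifest /root/boot.sha256 /boot at each boot and alert on failure.
```

This detects rather than prevents: a check run after boot only flags a modified kernel once it has already been booted, which is why the read-only removable boot medium suggested above is the stronger measure.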
That is why some exist. FAT, unfortunately, is entirely insecure - and that allows anyone to corrupt the kernel being booted. Even ext2/3/4/xfs/... isn't entirely free from the problem.
You can still boot a fully encrypted disk IF you use an unencrypted read only flash type device.
That You carry away (with You) while leaving the encrypted FS unattended?
Sounds about as secure as practical to me.
Said thumbdrive could carry the boot-loading files and further keys used along by the system and/or user?
Well, read it all. How many people can log in as user 0? This is why I smile and wonder if anyone understands this.
And the answer is? Please be kind and understand the real problem. If you are running as sudo then 0 has never logged in.
That user the kernel has a slot for.
??????????????????. Fix the software. Not the user.
That You carry away (with You) while leaving the encrypted FS unattended?
Sounds about as secure as practical to me.
Said thumbdrive could carry the boot-loading files and further keys used along by the system and/or user?
Making it effectively a security dongle?
Exactly. If the system crashes, it cannot boot until that thumbdrive is brought back to boot it.
Makes it rather difficult to manage though. But then that is the purpose of an encrypted filesystem. You are assuming you don't have control over the physical device. Thus you don't want to leave anything there that could be corrupted while it is not in your control. Even if someone put in a different flash and booted the system from that - they don't get access to the data on the disk.
Wipe it out, yes.
Replace the data, yes.
But access the original data? no.
There are users coming from other distros.
And bring old (wrong?) habits along.
And customize their (local) Slackware install to look like the distro they just left (for good?).
Most commonly they seem to change sudo & su behavior, and some even enable root to log in via ssh(!) or the like.
Then if something breaks, many come here and brag about how Slackware is bad when customized the way they like.
No one ever brags about BMW doing a bad job if a bike gets stolen.
But this exactly happens here, only in software.
So, c'mon, give us a break, people.
You are welcome to come here.
You also are welcome to share and provide or ask for help.
But please don't brag about Slackware's way:
It's free as in "free beer": give it a kiss, make a bow, and just leave silently if You happen not to like it. Okay?
Last edited by SCerovec; 10-31-2016 at 07:22 AM.
Reason: re phrase (I'm non native English user)