kernel.org · Domains · Slashdot Mirror

Same Exploit from July? by eldavojohn · 2009-11-04 02:00 · Score: 1, Redundant · on Bug In Most Linuxes Can Give Untrusted Users Root

The bug was found by Brad Spengler last month.

I thought we discussed this in July? Or is this a different exploit?

I think it's pretty clear that De Raadt and others have been discussing this vulnerability for quite sometime. On a list of affected systems, you can see it's been known on that site since August. Here's another fix discussed that involves setting PER_CLEAR_ON_SETID mask to MMAP_PAGE_ZERO and that's from July (unfortunately, as the Register article said, that might cause problems with applications). In fact I think Spengler has been talking about this for quite sometime as I believe you can find exploit code here and a video of it in use here against SELinux. If that's not the same exploit it sure seems to be very similar in nature.

Re:Any other file systems with that feature? by Junta · 2009-11-02 12:51 · Score: 1 · on ZFS Gets Built-In Deduplication

It is on their 'ideas' page:
http://btrfs.wiki.kernel.org/index.php/Project_ideas

(content based storage)

Re:DANGER! DO NOT Install 9.10 with ext4! (if at a by Concern · 2009-11-02 07:42 · Score: 1 · on Ubuntu 9.10 Officially Released

You amaze me, man.

How did you figure out how long the average newbie would go before hitting the bug? And how did you estimate the time to the fix? By saying "Remember, every file system has weird bugs", I'm sure you don't imply there aren't certain widely accepted standards for stability in a filesystem? Not zero bugs (an untestable condition), but on the other hand, not "we down to a dozen patches a release, and there are only a few open data loss bugs. Well, wait, there's another."... :)

Your ability to estimate dates and quality levels is no doubt fearsome. But there is an easier way: simply shipping with an ext3 default for another 6 months (or however long it takes until the code stabilizes to the appropriate degree for a filesystem). Most users will not even notice. This is the way you behave if you have any conscience - or if moral arguments don't appeal, if you care about your reputation, or want any repeat users of your products or services.

In case you are not keeping up, Linus Torvalds himself reported losing a filesystem to ext4 in a kernel bugreport last week.

This is just not a filesystem that is ready for primetime. And that is no slight on anyone - these things take time. For a filesystem, in particular, many years. Where I do have a problem is when some mean-spirited person is out there tricking people into using it before it's stabilized, without properly communicating the risks.

Risks which, if you can make the average Ubuntu user understand them, they would almost never choose to take.

The framebuffer is your friend! by akanouras · 2009-10-30 16:10 · Score: 1 · on Installing Linux On Old Hardware?

1. Attach disk to a more powerful machine
2. Install barebones Debian (no tasks, forget Xorg)
3. aptitude install fbset links2 fbterm
4. Modify the kernel's boot parameters (in your GRUB configuration) so that it loads a framebuffer driver.
Use:

find /lib/modules/`uname -r` -iname '*fb.ko' -print0 | xargs -0n1 basename | sed 's/\.ko$//g'

to get a list of available framebuffer drivers. Possible candidates are: uvesafb,vesafb,vga16fb or possibly a specialised driver for your VGA card, if you can see one.
The syntax (in Linux 2.6?) in most cases is video:DRIVER:XRESxYRES-BPP.
Here's what I'm using: video=uvesafb:1024x768-32,mtrr:3,ywrap
5. Attach the disk back to the POS.
6. Use links2 as your browser in VC1 (Alt+F1). It supports images, some JS and some CSS(?). You'll be able to read Slashdot in its familiar format with it (which I assume is the point of this exercise). It can use either a framebuffer or SVGAlib.
7. Use fbterm as your terminal emulator in VC2 (Alt+F2). It supports multiple buffers. This one requires a framebuffer to work or else you'll have to make do with the standard linux console (VC2-VC64).

Note: I'm not sure if the above will work with 28MB RAM. In that case, you can try the latest 2.4 kernel from kernel.org and links2 using SVGAlib.
Also: Don't try running aptitude on the POS, you're in for a world of misery. :-P

Good luck!

Re:Give me a break by BlackCreek · 2009-10-29 04:39 · Score: 1 · on Ubuntu 9.10 Officially Released

If you actually read the whole thread, you will notice that there are 2 other users reporting it as well:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/453579/comments/80

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/453579/comments/86

There is also this (on a newer kernel). It is the sort of necessary debugging, but that at the same time doesn't quite encourage me to migrate my data systems to ext4 at this point. http://bugzilla.kernel.org/show_bug.cgi?id=14354#c90

Re:Not really an article by markkezner · 2009-10-27 04:13 · Score: 2, Interesting · on Comparing the Freedoms Offered By Maemo and Android

Light on facts, but also seems to have a viewpoint to push. TFA points out that the Android Java VM (Dalvik) is nonstandard, giving it all the associated stigma that a free software oriented audience would perceive. He also claims that this will somehow lock you in to Google's web apps:

... forced to use Java with non-standard bytecode. One might even suggest that Google has done this on purpose, in order to limit interoperability and push users towards its proprietary web services.

How Dalvik or its bytecode would accomplish this feat is left to the imagination. Anyone wanna clear this up for me?

I posted a response in TFA that points out that the Dalvik VM is also free software licensed under Apache 2.0

Source Code for Dalvik VM
Apache 2.0 License, embedded in Dalvik source repository.

Re:Not really an article by markkezner · 2009-10-27 04:13 · Score: 2, Interesting · on Comparing the Freedoms Offered By Maemo and Android

Light on facts, but also seems to have a viewpoint to push. TFA points out that the Android Java VM (Dalvik) is nonstandard, giving it all the associated stigma that a free software oriented audience would perceive. He also claims that this will somehow lock you in to Google's web apps:

... forced to use Java with non-standard bytecode. One might even suggest that Google has done this on purpose, in order to limit interoperability and push users towards its proprietary web services.

How Dalvik or its bytecode would accomplish this feat is left to the imagination. Anyone wanna clear this up for me?

I posted a response in TFA that points out that the Dalvik VM is also free software licensed under Apache 2.0

Source Code for Dalvik VM
Apache 2.0 License, embedded in Dalvik source repository.

Re:This is great ! by fluch · 2009-10-25 22:25 · Score: 4, Informative · on Tilera To Release 100-Core Processor

Sources are always appreciated when you tell us something.

Here is the source: http://www.kernel.org/

Allow ia64 to CONFIG_NR_CPUS up to 4096 by foobsr · 2009-10-25 21:51 · Score: 4, Informative · on Tilera To Release 100-Core Processor

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.27-rc2-git1.log

CC.

Re:The straight dope by zdzichu · 2009-10-24 06:32 · Score: 1 · on Apple Discontinues ZFS Project

Uhm, are you feeling OK? Btrfs is in Linux kernel, it is constantly being ,,released'' -- repositiories are wide open for everyone at http://git.kernel.org/?p=linux/kernel/git/mason/btrfs-unstable.git;a=summary . Look into the mailinglist, contributions are comming from many companies (Red Hat included). Sun aquisition have exactly zero effect on btrfs development.

That said, as a ZFS fan, I'm dissapointed by Apple's move. Support in another high-profile operating system would be good for ZFS.

Re:Separate SVN deploys by garaged · 2009-10-20 07:18 · Score: 3, Informative · on How Do You Manage Dev/Test/Production Environments?

http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt
trac does have git support too, etcetera

Re:Is this a unique scheduler? by buchner.johannes · 2009-10-20 02:24 · Score: 1 · on Deadline Scheduling Proposed For the Linux Kernel

The Linux Kernel has 3 schedulers in the mainline:
- Anticipatory http://www.kernel.org/doc/Documentation/block/as-iosched.txt
- Deadline http://www.kernel.org/doc/Documentation/block/deadline-iosched.txt
- CFQ http://kerneltrap.org/node/8082

Re:Is this a unique scheduler? by buchner.johannes · 2009-10-20 02:24 · Score: 1 · on Deadline Scheduling Proposed For the Linux Kernel

The Linux Kernel has 3 schedulers in the mainline:
- Anticipatory http://www.kernel.org/doc/Documentation/block/as-iosched.txt
- Deadline http://www.kernel.org/doc/Documentation/block/deadline-iosched.txt
- CFQ http://kerneltrap.org/node/8082

Re:Article is doomed to failure, but PulseAudio is by colin_s_guthrie · 2009-10-19 06:46 · Score: 1 · on PulseAudio Creator Responds To Critics

Flash also uses ALSA. I'm not sure why your version would be using /dev/dsp. Mine certainly uses ALSA.

What is a common problem on distros is installing 64 bit browsers but relying on 32 bit plugins.

When combined with PA under the default setup (ALSA redirected to PA), you need to also remember to install 32 bit versions of: libasound, alsa-plugins, libpulse. If you do not, then the firefox's use of ALSA will fail and (I'm guessing now as the source is closed and I can't look) Flash will fall back to OSS.

Like I say, the distros play a big part here. If this is the setup they distribute, they need to think about this kind of thing.

Also the 1 device per /dev/dsp can be solved by kernel 2.6.32 (maybe) + Fuse 2.0.x and osspd. More info here: http://www.kernel.org/pub/linux/kernel/people/tj/ossp/ when combined with a pulseaudio setup. It could be made to work without PA if someone wrote an appropriate proxy.

Just waiting for this kernel bug to be fixed: http://bugzilla.kernel.org/show_bug.cgi?id=14023

All that said, as OSS is disabled by defaul on Fedora, and other distros will follow suit soon, I suspect that most people will forget about OSS support before too long.

Re:Article is doomed to failure, but PulseAudio is by colin_s_guthrie · 2009-10-19 06:46 · Score: 1 · on PulseAudio Creator Responds To Critics

Flash also uses ALSA. I'm not sure why your version would be using /dev/dsp. Mine certainly uses ALSA.

What is a common problem on distros is installing 64 bit browsers but relying on 32 bit plugins.

When combined with PA under the default setup (ALSA redirected to PA), you need to also remember to install 32 bit versions of: libasound, alsa-plugins, libpulse. If you do not, then the firefox's use of ALSA will fail and (I'm guessing now as the source is closed and I can't look) Flash will fall back to OSS.

Like I say, the distros play a big part here. If this is the setup they distribute, they need to think about this kind of thing.

Also the 1 device per /dev/dsp can be solved by kernel 2.6.32 (maybe) + Fuse 2.0.x and osspd. More info here: http://www.kernel.org/pub/linux/kernel/people/tj/ossp/ when combined with a pulseaudio setup. It could be made to work without PA if someone wrote an appropriate proxy.

Just waiting for this kernel bug to be fixed: http://bugzilla.kernel.org/show_bug.cgi?id=14023

All that said, as OSS is disabled by defaul on Fedora, and other distros will follow suit soon, I suspect that most people will forget about OSS support before too long.

Re:You should not blame Microsoft for this by QuoteMstr · 2009-10-04 10:10 · Score: 1 · on "Side By Side Assemblies" Bring DLL Hell 2.0

sometimes that's just not possible so you have to work with what you've got.

The only time something like this should not be possible is when you're working with some plugin system that needs to support old plugins. (Consider in-process Windows Shell Namespace Extensions).

If there's anything we've learned over the past 20 years, it's that shared-library plugin systems are a really bad idea due to the issues you've just described. It's almost always better to execute plugins out-of-process and communicate over restricted IPC mechanisms. That's the direction modern browsers are heading in.

Re:What is confusing? by Anonymous Coward · 2009-09-25 23:04 · Score: 0 · on Google Serves a Cease-and-Desist On Android Modder

What happens if Cyanogen, or some other person, decided to modify the Talk so that all numbers dialed were reported to third party advertisers?

I am very sure that most would hold cyanogen liable. The others are complete idiots.

... and I don't trust those who don't control distribution.

What, like those guys ?

Re:In other news... by CAIMLAS · 2009-09-15 04:57 · Score: 1 · on Microsoft Says No TCP/IP Patches For XP

Actually, that isn't the only difference (as the topic for this thread illustrates): with Windows, not only are you paying for it, but you don't get it.

Kernel 2.4 was no longer 'current stable' as of sometime in early 2003, IIRC. Since that time, it's been in 'maintanance'. It's roughly the same age as XP, yet it is still actively maintained. XP isn't being maintained for one reason, and one reason alone: they're trying increase their costs by decreasing their maintenance overhead on XP and bringing fresh/increased revenue in with W7.

Meanwhile, the Linux 2.2 tree, which is actually a full 10.5 years old right now, has a patch for this. And what's more, there's modern, current, and secure support for quite a bit in the 2.2 tree due to patching.

I'm not saying MS should be doing this, and I wouldn't expect them to. I am saying your argument (or lack thereof) is full of shit, and that it is completely unacceptable for MS to EOL a product unofficially, while it is still being sold as "new" to customers, ~half a year before the "official" EOL date.

Re:In other news... by UnderDark · 2009-09-15 01:51 · Score: 5, Informative · on Microsoft Says No TCP/IP Patches For XP

Link in case you think this is sarcasm: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=summary

Linux equivalents to Solaris headline features by Lemming+Mark · 2009-09-15 00:55 · Score: 1 · on OpenSolaris vs. Linux, For Linux Users

Linux containers provide similar functionality to Solaris Zones: http://lxc.sourceforge.net/ They're a younger project but the support for them is in mainline Linux and you can do some pretty cool stuff with them. One thing that's nice (and I don't know if Zones can do this) is that you don't have to virtualise every aspect of a container, so for instance you can just isolate at the filesystem level if that's all you needed. Solaris Zones is capable of running apps for another OS within a Zone, using their system call compatibility layer. Linux has a system call compatibility layer but I don't know if it can run a complete other-OS userspace as Zones can (e.g. Zones can run CentOS or RHEL userland in a Zone, on top of the Solaris kernel).

Most everyone here is going to have heard of Btrfs but here it is again anyhow: http://btrfs.wiki.kernel.org/index.php/Main_Page It gives you similar stuff (checksumming, RAID-in-filesystem, writeable snapshots) to ZFS but again is a younger project. It's also in mainline Linux so you can play with it if you have a recent kernel (don't trust it with critical data, yet).

System Tap is one (of a number) DTrace-ish system for Linux: http://sourceware.org/systemtap/ I understand it'll run on basically any non-stoneage kernel but to get all of the juicy features you would (I *think*) need to patch your kernel. This is the only one of these projects for which full functionality appears not to be completely in mainline. Various distributions include it, so you can probably install a package and try it out (at least in a limited form, depending on your kernel).

A notable feature here is that none of these sound quite as mature as the Solaris equivalents. Not all of them constitute "copying", however - for instance, container-like solutions for Linux predate Solaris Zones by years (and BSD Jails, a similar concept, are almost certainly even older). I'm not sure on the dates of the others.

Re:ZFS by xiox · 2009-09-15 00:07 · Score: 1 · on OpenSolaris vs. Linux, For Linux Users

1. It relies on kernel layer of software RAID -- very bad idea.

Not true: See here

Re:Except they're here to teach you to fish by Simetrical · 2009-09-11 02:04 · Score: 1 · on Greg Kroah-Hartman Gripes About Microsoft's Linux Contribution; MS Renews Effort

I don't think that's the situation. The drivers currently only exist in the -staging tree. That is far different than Linus' official tree. The -staging tree is home to driver code that does not meet the standards of Linus' tree, and it's purpose is to assist the maintainers of the code to increase its quality such that it can be included in Linus' tree. MS is not being asked to "commit resources in perpetuity," but merely to get the code up to the state where it can be included in Linus' kernel tree.

staging/ is part of mainline at this point, and has been for a while. Entirely correct aside from that, though. When they're cleaned up they'll be moved from drivers/staging/ to drivers/.

Re:is btrfs ready for regular desktop use ? by anonieuweling · 2009-09-10 03:38 · Score: 3, Informative · on Linux Kernel 2.6.31 Released

http://btrfs.wiki.kernel.org/index.php/Main_Page has the info, answers, etc

Re:why do they keep trying? by schon · 2009-09-09 05:31 · Score: 1 · on DRM Take II — Digital Personal Property

if you can use a universal assembler to obtain any object you want, what motivation is there to do labor?

Exactly - it's just like with software.. when coders don't get paid, they don't have any motivation to write software!

Oh, crap.

OK then, it's just like writing music. If music writers didn't get paid, there would be no motivation to make music.

Umm.. ignore that

Well, then it's like writing. If authors didn't get paid, they'd have no motivation to write stories.

Oh, sec..

Hmm.. maybe the motivation to do "labour" will come from enjoyment - it will be done by people who enjoy doing it, rather than those who are only in it for the money?

Re:Please grow up, you're driving us away by Anonymous Coward · 2009-09-08 08:28 · Score: 0 · on Windows 7 Reintroduces Remote BSoD

I cannot join in with the Linux community because of you people.
I'm sorry, Sir. This is not the Linux community, this is the Slashdot community.
If you want the Linux community, go to http://www.kernel.org/

I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.
If you look on kernel.org, there is none of this garbage. You are mistaken.

However, the fact that this confusion exists (this is not the first time I have seen it) is cause for pause. It appears to me that the slashdot community, for better or for worse, does form a good portion of the the public face of the linux community. Just something to consider.

Re:Please grow up, you're driving us away by Anonymous Coward · 2009-09-08 06:18 · Score: 0 · on Windows 7 Reintroduces Remote BSoD