Re:Just so nobody is confused, this post ^^^ is wr
on
Kernel.org Compromised
·
· Score: 1
If someone is going to argue that GPOs are HARDER than their Linux equivalent , theres not really any arguing with them. But then very few of the people in this thread appear to actually have administered Windows enough to make worthwhile criticisms of its administration.
As to parent's comment about "hoops to make a file executable", its pretty darn trivial in whatever os you use, whether chmod a+x file (which is found in a 3 second google), or rightclick--properties--permissions--allow file to be executed (it is in fact HARDER to grant the executable permission from command line in windows, fwiw).
Incorrect. You have to own the file to change its permissions, but if you don't already own the file, you can't give yourself ownership of it or modify it without first becoming root.
I was specifically referring to windows, which has a specific "change permissions" permission. If you posess that, you can give yourself whatever permissions you want. If you own the file, you can also change permissions however you want.
All filesystem flags, including ownership and permissions, and even the filename itself, are metadata - it's up to other parts of the OS kernel to decide what to do with that metadata, regardless of the structure of the underlying filesystem.
I MAY be wrong here, but I dont think that is correct. Im fairly certain the ext3 filesystem itself interprets the permissions. Certainly in other FSes like NTFS, the permissions are completely separate from metadata like alternate data streams.
A virtual machine or emulator can execute files in a guest disk image as long as those files are marked appropriately, regardless of the state of the disk image's flags in the host filesystem (provided the emulator doesn't care about such things, of course).
Im not 100% clear on what youre saying; is there a guest OS involved? And why would the guest OS care about a host filesystem that it can neither see nor access?
WikiLeaks has been releasing US diplomatic cables according to a carefully laid out plan to stimulate profound changes.
In other words, they have a political agenda, and ARENT some noble, causeless organization solely dedicated to the responsible dissemination of information.
And the SAME IS TRUE IN WINDOWS. If a file does not have execute permissions in NTFS, it will NOT RUN.
I really dont get whats so hard to grasp here.
Linux (ext3), Windows (NTFS), and Mac (HFS+) all have a concept of "execute permission", and have for at least the last 10 years (NTFS goes back the 90s im pretty sure).
NONE of those systems will run content that has execute permission disabled.
All of those systems rely on handlers to figure out what to do with particular extemsions (.Desktop,.exe,.app,.sh,.bat, whatever).
Most of them will make some attempt to figure out what type of file it is for some of the extensions (linux will try to figure out if a non-extension file is executable text, for example).
All of them allow you to have files with NO extension, and all of them allow you to launch such no-extension files if you pass them as arguments to another program.
GPs points are utterly incorrect, every modern OS for the last 7 or 8 years (possibly not Mac for a few years) has restricted content downloaded from the web to not "just run", and they all have mechanisms for declaring how files should run and whether they should run.
My point about it being "about the window manager" is that if you make a text file executable, Linux STILL wont be able to run it; but if you make a file executable and tack a.desktop onto the end of it it WILL try to execute it, same as windows-- but that has nothing to do with the underlying kernel, as it is a desktop environment feature and is unrelated to filesystem permissions.
Unfortunately, when it comes to quality and working, sometimes they are. I still remember a lot of the old nForce woes due to their craptastic drivers.
You must think that rig-building skillz means getting a budget of $1500, buying a bunch of the most expensive crap you can find on newegg, throwing it together, and saying "Sure is fast, I must be a genius or something".
If you know what youre doing, you can get a very performant gaming rig-- windows OS included-- for under $450.
Whats that, you want to know what happens when the caps blow out after 4 years of use? Why, I go buy another $65 motherboard!
Sure is a strange sense of value folks have, thinking someone should build a rig with a $100 processor and a $100 video card and a $40 hard drive, and then drop $300 on the motherboard.
You overspent. Anything over about $150 is just wasteful. That number is opinion to a limited degree, but buying the top-end mobo almost never a good value.
I usually wouldnt go over about $180 for a cpu, and $100 for a mobo, and these days probably not over about $100 for the cpu either.
That is a feature of the window manager, and is present in Gnome and KDE as well-- although in a number of circumstances they WILL check to see with a little more detail what kind of file text-files are (are they scripts?).
Rename all of your mp3s to.Desktop, and then see whether Gnome does the right thing on a doubleclick.
What youre talking about is whether or not a handler has been registered with the base OS. In the case of windows, it certainly is possible to muck with the.exe registered handler so that exes no longer run (which is lots of lulz), or so that all exe's are passed off to another program which launches them (a feature a number of viruses exploit).
The same thing is the case in Gnome (dunno about KDE), handlers are registered for various extensions, so that the system knows to launch.mp3 with Amarok and.png with GIMP.
He leaks information primarily about the US because he has an axe to grind with us. He may along the way leak genuinely good things (either from the US or other countries), but lets not pretend he isnt really pro-tearing-the-us-down.
So every one of those diplomatic cables exposed malfeasance? Tsvingarai is guilty of malfeasance?
WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage.
Assange doesnt think there should be any secrets, and has a known axe to grind with the US. There may be other reasons for why he leaks the way he does, but one only has to see the edits that he did to "collateral murder" (or even the title he gave it) to see that hes hardly some noble unbiased source.
Im sure many will think Im astroturfing for them simply because I dont believe that "loot and pillage" is a legitimate response to someone abusing the legal system. Our society generally recognizes that you respond to abuses of the legal system, through the legal system.
There are specific penalties in place for when people make light of the courts, like treble damages and disbarment (remember Jack Thompson?), and though they might not be perfect, its a heck of a lot better than people pretending that the MPAA has no place suing people for actual violations of actual laws that they actually do have a stake in.
Generally read/execute are grouped together and trying to set them differently often breaks things. The usual case for windows is that if you can read the file, you can execute it
Its true you have to dig a little bit to get to the execute permission (under advanced permissions), but I have used them before for the purposes of making network shares non-infectable (virus may hide there, but it sure as heck wont run).
Ive not run into an issue where read-but-not-execute has broken something, other than executable content that obviously refused to run.
Linux has a great mounting option called noexec, which is very handy to apply to the home partition.
I am aware of it, though as I do not administer any linux workstations I have never had the opportunity to use it. It certainly is a nice feature, and Im not trying to denigrate Linux or its mounting options or any of the rest.
Im simply firing back at someone who foolishly declared that NTFS's permissions were less "good" than ext3's, which is a load of rubbish if ive ever heard any.
I am aware that they are seperate, but for all intents and purposes having one is having the other. If you can take ownership of a file, you can change its permissions however you want, and if you can change permissions, you can grant yourself "take ownership". There may be a corner case where there is some difference, but I have never encountered it.
Also, have you ever heard of ext2/3's extended attributes
I had not; I have heard of the extended ACLs (which appear to be a kludge). Howeve, according to wikipedia, extended attributes are not a filesystem feature, but metadata. Extended file attributes is a file system feature that enables users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem
The manpages for setattr seem to reinforce this, that they are for metadata, not permissions.
And honestly, Ive never heard anyone argue that NTFS doesnt have finer-grained filesystem ACLs; its pretty obvious to anyone who has used each which has more control and flexibility (such as inheritance, selective inheritance, and all the rest).
Re:Just so nobody is confused, this post ^^^ is wr
on
Kernel.org Compromised
·
· Score: 1
It IS present in XP, and has been probably since SP2. As you said, bmo doesnt have a clue.
Again, it doesn't bloody matter because that doesn't fucking happen in reality.
BZZZZT Wrong again.
By default downloaded content-- I believe all of it-- is marked with an ADS flag, and requires approval before launching.
Additionally, I DO have a number of clients where I have restricted where executable content can come from, and I did it in about 5 minutes without having to dick around with chmods, or scripting chmods, or figuring out how to prevent them from changing the acl while still having write access to the file.
See, in EXT3, unless im mistaken, you cannot give a user write access or ownership to a file and still prevent them from executing the content-- they can just chmod a+x the file. Thats not the case in windows.
So you should really just simmer down and stop displaying your ignorance.
Windows just sees the.exe and says "whoopee, we can execute it!"
BZZZT Wrong, try again.
NTFS has a specific "execute" permission; additionally, it uses alternate data streams to block execution of any executable code downloaded from the internet. Finally, GPOs can easily block code execution based on file signature, location, or publisher.
Hey buddy, 1995 called, they wanted their antiquated filesystems back. NTFS has supported seperate "execute" permissions since its inception, I believe. In fact, call me when ext3 seperates its "write" permission from its "change permissions / take ownership" permission.
If someone is going to argue that GPOs are HARDER than their Linux equivalent , theres not really any arguing with them.
But then very few of the people in this thread appear to actually have administered Windows enough to make worthwhile criticisms of its administration.
As to parent's comment about "hoops to make a file executable", its pretty darn trivial in whatever os you use, whether chmod a+x file (which is found in a 3 second google), or rightclick--properties--permissions--allow file to be executed (it is in fact HARDER to grant the executable permission from command line in windows, fwiw).
Incorrect. You have to own the file to change its permissions, but if you don't already own the file, you can't give yourself ownership of it or modify it without first becoming root.
I was specifically referring to windows, which has a specific "change permissions" permission. If you posess that, you can give yourself whatever permissions you want. If you own the file, you can also change permissions however you want.
All filesystem flags, including ownership and permissions, and even the filename itself, are metadata - it's up to other parts of the OS kernel to decide what to do with that metadata, regardless of the structure of the underlying filesystem.
I MAY be wrong here, but I dont think that is correct. Im fairly certain the ext3 filesystem itself interprets the permissions. Certainly in other FSes like NTFS, the permissions are completely separate from metadata like alternate data streams.
A virtual machine or emulator can execute files in a guest disk image as long as those files are marked appropriately, regardless of the state of the disk image's flags in the host filesystem (provided the emulator doesn't care about such things, of course).
Im not 100% clear on what youre saying; is there a guest OS involved? And why would the guest OS care about a host filesystem that it can neither see nor access?
WikiLeaks has been releasing US diplomatic cables according to a carefully laid out plan to stimulate profound changes.
In other words, they have a political agenda, and ARENT some noble, causeless organization solely dedicated to the responsible dissemination of information.
And the SAME IS TRUE IN WINDOWS. If a file does not have execute permissions in NTFS, it will NOT RUN.
I really dont get whats so hard to grasp here.
GPs points are utterly incorrect, every modern OS for the last 7 or 8 years (possibly not Mac for a few years) has restricted content downloaded from the web to not "just run", and they all have mechanisms for declaring how files should run and whether they should run.
My point about it being "about the window manager" is that if you make a text file executable, Linux STILL wont be able to run it; but if you make a file executable and tack a .desktop onto the end of it it WILL try to execute it, same as windows-- but that has nothing to do with the underlying kernel, as it is a desktop environment feature and is unrelated to filesystem permissions.
Unfortunately, when it comes to quality and working, sometimes they are. I still remember a lot of the old nForce woes due to their craptastic drivers.
You must think that rig-building skillz means getting a budget of $1500, buying a bunch of the most expensive crap you can find on newegg, throwing it together, and saying "Sure is fast, I must be a genius or something".
If you know what youre doing, you can get a very performant gaming rig-- windows OS included-- for under $450.
Hey look, its a $65 motherboard with 4 star rating capable of running an i3!
Whats that, you want to know what happens when the caps blow out after 4 years of use? Why, I go buy another $65 motherboard!
Sure is a strange sense of value folks have, thinking someone should build a rig with a $100 processor and a $100 video card and a $40 hard drive, and then drop $300 on the motherboard.
And how the mobo-maker doesnt actually make the chips on the board, they just put them together with a BIOS.
Theyre sort of like a general contractor, what matters is who the real vendors are.
You overspent. Anything over about $150 is just wasteful. That number is opinion to a limited degree, but buying the top-end mobo almost never a good value.
I usually wouldnt go over about $180 for a cpu, and $100 for a mobo, and these days probably not over about $100 for the cpu either.
You mean the Corporate states of america where nVida just got the crap kicked out of them in a class action lawsuit about a year ago? To the tune of having to give all affected brand new laptops?
Yea, kindly refrain from spouting nonsense. Companies regularly get hit and found liable in class action lawsuits.
Yea, except for those times (Rome, American Revolution, lots of others) where the WERENT just stuck with "the strongest rules".
Pretty sure Rome didnt go from "city-state" to "empire". I think there might have been an intermediate step there somewhere.
Ah, thanks for the correction. That does make sense.
That is a feature of the window manager, and is present in Gnome and KDE as well-- although in a number of circumstances they WILL check to see with a little more detail what kind of file text-files are (are they scripts?).
Rename all of your mp3s to .Desktop, and then see whether Gnome does the right thing on a doubleclick.
What youre talking about is whether or not a handler has been registered with the base OS. In the case of windows, it certainly is possible to muck with the .exe registered handler so that exes no longer run (which is lots of lulz), or so that all exe's are passed off to another program which launches them (a feature a number of viruses exploit).
The same thing is the case in Gnome (dunno about KDE), handlers are registered for various extensions, so that the system knows to launch .mp3 with Amarok and .png with GIMP.
He leaks information primarily about the US because he has an axe to grind with us. He may along the way leak genuinely good things (either from the US or other countries), but lets not pretend he isnt really pro-tearing-the-us-down.
The point of leaking is to expose malfeasance
So every one of those diplomatic cables exposed malfeasance? Tsvingarai is guilty of malfeasance?
WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage.
Assange doesnt think there should be any secrets, and has a known axe to grind with the US. There may be other reasons for why he leaks the way he does, but one only has to see the edits that he did to "collateral murder" (or even the title he gave it) to see that hes hardly some noble unbiased source.
Assange is on record stating that he doesnt think there should be ANY secrets at all. A large number of slashdotters have reinforced that belief.
Why the hypocrisy all of a sudden?
Im sure many will think Im astroturfing for them simply because I dont believe that "loot and pillage" is a legitimate response to someone abusing the legal system. Our society generally recognizes that you respond to abuses of the legal system, through the legal system.
There are specific penalties in place for when people make light of the courts, like treble damages and disbarment (remember Jack Thompson?), and though they might not be perfect, its a heck of a lot better than people pretending that the MPAA has no place suing people for actual violations of actual laws that they actually do have a stake in.
Above post should have read
extended attributes are not a filesystem security feature, but metadata.
It made sense in my head when I typed it, but obviously it didnt translate so well to a post.
Generally read/execute are grouped together and trying to set them differently often breaks things. The usual case for windows is that if you can read the file, you can execute it
Its true you have to dig a little bit to get to the execute permission (under advanced permissions), but I have used them before for the purposes of making network shares non-infectable (virus may hide there, but it sure as heck wont run).
Ive not run into an issue where read-but-not-execute has broken something, other than executable content that obviously refused to run.
Linux has a great mounting option called noexec, which is very handy to apply to the home partition.
I am aware of it, though as I do not administer any linux workstations I have never had the opportunity to use it. It certainly is a nice feature, and Im not trying to denigrate Linux or its mounting options or any of the rest.
Im simply firing back at someone who foolishly declared that NTFS's permissions were less "good" than ext3's, which is a load of rubbish if ive ever heard any.
I am aware that they are seperate, but for all intents and purposes having one is having the other. If you can take ownership of a file, you can change its permissions however you want, and if you can change permissions, you can grant yourself "take ownership". There may be a corner case where there is some difference, but I have never encountered it.
Also, have you ever heard of ext2/3's extended attributes
I had not; I have heard of the extended ACLs (which appear to be a kludge). Howeve, according to wikipedia, extended attributes are not a filesystem feature, but metadata.
Extended file attributes is a file system feature that enables users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem
The manpages for setattr seem to reinforce this, that they are for metadata, not permissions.
And honestly, Ive never heard anyone argue that NTFS doesnt have finer-grained filesystem ACLs; its pretty obvious to anyone who has used each which has more control and flexibility (such as inheritance, selective inheritance, and all the rest).
It IS present in XP, and has been probably since SP2. As you said, bmo doesnt have a clue.
Again, it doesn't bloody matter because that doesn't fucking happen in reality.
BZZZZT Wrong again.
By default downloaded content-- I believe all of it-- is marked with an ADS flag, and requires approval before launching.
Additionally, I DO have a number of clients where I have restricted where executable content can come from, and I did it in about 5 minutes without having to dick around with chmods, or scripting chmods, or figuring out how to prevent them from changing the acl while still having write access to the file.
See, in EXT3, unless im mistaken, you cannot give a user write access or ownership to a file and still prevent them from executing the content-- they can just chmod a+x the file. Thats not the case in windows.
So you should really just simmer down and stop displaying your ignorance.
But I've always been told by the fanboys that Linux is inherently secure, right? So that's not possible.
Hurr durr, patching the source code of software with malicious code means the software has always been inherently insecure....
Windows just sees the .exe and says "whoopee, we can execute it!"
BZZZT Wrong, try again.
NTFS has a specific "execute" permission; additionally, it uses alternate data streams to block execution of any executable code downloaded from the internet. Finally, GPOs can easily block code execution based on file signature, location, or publisher.
Care to try again?
Hey buddy, 1995 called, they wanted their antiquated filesystems back. NTFS has supported seperate "execute" permissions since its inception, I believe. In fact, call me when ext3 seperates its "write" permission from its "change permissions / take ownership" permission.