"PS. Fuck you. At worst, I screwed up - an honest mistake. You were intentionally rude. There are humans behind these letters on the screen, and you need to learn that"
Well said. Everyone makes mistakes (although in this case it seems to come down more to what "in the language" means; personally I think if something's just a constant in an include file that tends to be used then that's not "in the language", even if it is "in a standard", but obviously some would argue. I'm not claiming to know which is the case here)... but not everyone's intentionally rude, so which one says more about a person huh?
Some people just get really wound up over the most pointless things.
"I'd be very curious to see guidelines or notes on getting PHP utilities running as their own user"
Fcgid is what to look for, which is a slightly newer replacement to the original fastcgi. Compile php with --enable-fastcgi. There are a few bits that get more complicated, as each website gets its own php.ini file etc, which can make management more tricky, but nothing that a bit of scripting doesn't sort out very nicely. One good thing is it means I can easily offer multiple versions of php for people that need specific versions (php4, 5.2 and the new 5.3) side by side - launching a different version for different file extensions (.php4, .php5, .php53). When the first one's run, it spawns a php-cgi child as the user you specified (with obvious uid/gid checks on the files being run) which then sits listening and talking to apache over a pipe/socket - full privilege separation. Then, user directories can be 700 instead of the 755 (or even 777 if php running as httpd needs to be able to read/write to the same directories as the user's scp/ftp user!)
If scripts to make it all manageable would be useful let me know, I'll try dig out the important bits 'n post 'em up somewhere.
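The per-site fcgid setup described above, written out as an added example (this is not the commenter's scripts, which were never posted). It emits the Apache mod_fcgid vhost fragment and the per-site wrapper that makes php-cgi run as the site's own unix user, with one wrapper per extension so several php builds can coexist, and includes a check that a docroot is mode 0700 as the comment suggests. Assumed and not from the page: mod_suexec is loaded, site users live under /home/<user>, each php build sits at /opt/php<ver>/bin/php-cgi, and the site name "alice" / "example.test" are placeholders.

```shell
#!/bin/sh
# Added example, not the commenter's own scripts: generate an Apache mod_fcgid
# vhost plus a per-site wrapper so php-cgi runs under the site's unix user.
# Assumptions (not from the page): mod_suexec is loaded, site users live under
# /home/<user>, and each php build is installed at /opt/php<ver>/bin/php-cgi.

# fcgid_wrapper USER VERSION INI_DIR
# Prints the wrapper mod_fcgid launches through suexec. PHPRC points php-cgi at
# that site's own php.ini directory; the PHP_FCGI_* variables bound the child pool.
fcgid_wrapper() {
  user=$1; ver=$2; inidir=$3
  cat <<EOF
#!/bin/sh
# runs as $user via suexec
PHPRC=$inidir
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000
export PHPRC PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS
exec /opt/php$ver/bin/php-cgi
EOF
}

# fcgid_vhost DOMAIN USER
# Prints a vhost: SuexecUserGroup sets the uid/gid the wrappers run as, and
# one FcgidWrapper per extension selects a different php build (.php5/.php53).
fcgid_vhost() {
  domain=$1; user=$2
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot /home/$user/public_html
    SuexecUserGroup $user $user
    <Directory /home/$user/public_html>
        Options +ExecCGI
        AllowOverride None
        AddHandler fcgid-script .php .php5 .php53
        FcgidWrapper /home/$user/fcgi-bin/php5-wrapper .php
        FcgidWrapper /home/$user/fcgi-bin/php5-wrapper .php5
        FcgidWrapper /home/$user/fcgi-bin/php53-wrapper .php53
    </Directory>
</VirtualHost>
EOF
}

# docroot_private DIR -> exit 0 only if DIR is mode 0700 (no group/other bits),
# i.e. nothing running as the apache user can wander into it.
docroot_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "700" ]
}

# Demo on constructed values (placeholder user and domain):
fcgid_wrapper alice 53 /home/alice/etc/php53
fcgid_vhost example.test alice
```

The wrapper must itself be owned by the site user and sit under the suexec document root, or suexec refuses to run it; `docroot_private` is the cheap post-deploy check that the directory really did end up 0700 rather than the 755 the comment warns about.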
"It basically has all the delightful power of Perl"
I wish! I've had to do some work recently on projects in php - I always knew I didn't like the language, but I've had the pleasure of finding out all the reasons why not now. I've spent ages looking for how to do certain things in php that you can do in perl and even javascript running in an old browser only to find out that in php you just can't. Ridiculously limited variable scoping control, no anonymous functions (5.3, released 2 weeks ago has it, but it's not made it out into the wild enough to be able to count on that being available yet), poor introspection, inability to trap variable accesses, the list goes on (but they're the main brick walls I've hit with it). Oh and they just randomly change well established vocabulary; like exec(), whether you're programming C, Perl, even writing Bash scripts, it does the same thing... but not php. Oh yeah, you can't have a function that accepts values passed by references if you ever might wanna call it with an immediate value (writeString('hello there'); or writeString(getInput());) because it can't figure out how to pass those by reference, so you end up having to copy everything around between functions wasting cycles when it could just pass a goddamn pointer... grrr!!!
"Guaranteeing that "your network isn't sniffed" is like guaranteeing that your date doesn't have venereal disease"
Quite possibly, but point was just that the telnet server has one entry point, which means that with an unsniffed password, it's highly secure, as it's simple enough to guarantee that. The more complex the code, the greater potential for hidden entry points to exist within it. Perhaps what's needed is ssh running as an unprivileged user that merely passes on connections to the telnet server, as then exploits in the compression/encryption code don't open up the server. Academic here really, I know, openssh is a lot better than it used to be, with things like not enabling compression until after the user is authenticated so that flaws in the compression code can't be used as an entry point, and a lot of other bugs have been found and closed down. Recent security issues that've been found (that I've been aware of) have been more theoretical than practical.
Wait... SELinux is easier to configure than Apache?!!
I do the chroot/unionfs/bind mounts way mostly... can stick people on parts of the filesystem mounted with noexec etc, and then use bind mounts to bring directories that will allow executables into their namespace. The main problem I've had is with people running php stuff (probably because of the low bar of entry to writing stuff with php than it being inherently insecure, at least with newer php versions, but that debate's not important here) and finding that somehow people have been able to run code that's downloaded a bot to run. I've found a few of them end up in /tmp, which has then failed simply because /tmp is on a noexec filesystem. Using chattr +ia on directories like /bin, /usr/bin, avoids stuff where tools like 'cp' and 'ls' get kitted (and I rename the chattr tool). None of these things by themselves would probably stop a determined hacker, but most attacks aren't determined hackers (I have no clients that are big enough to attract that kind of attention), but they do stop the automated search-and-infect scripts from working.
But mostly - I will not compile php as an apache module! Fcgi, each site's php instances will run as their own user! I can't believe the number of hosts out there that don't do the separation, and anyone with a site on a server can access everybody else's stuff as it all runs as the apache user.
Sorry. Little rant there. I've come into too many infected servers tasked with cleaning out infections... it gets old. I guess whatever security measures there are, they work least when you don't use them. That said, sometimes security measures do give more entry points to a system. Code for a telnet server can be really simple and easily audited, so that as long as your network's not being sniffed, it can't be broken in to. SSH on the other hand can be (and has been) vulnerable through exploits in the compression libraries, the ssl libraries. I remember a version of Norton anti-virus email scanner that had a buffer overflow bug that meant that a properly constructed email would allow arbitrary code to run on the system, which meant that if you weren't running the email virus scanner, you were actually safer than if you were.
Oops, I forgot to stop ranting. I will now :-)
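The noexec /tmp trick in the chroot/bind-mount comment above only helps if /tmp really is its own mount carrying the flag, so here is an added example (not the commenter's setup) that audits a mount table for it. For each user-writable mountpoint it reports which of noexec/nosuid/nodev are absent, and separately flags a path that has no mount entry at all, since such a path just inherits the parent filesystem's flags. The /proc/mounts sample is constructed, not captured from a real machine; the mountpoints checked are the usual suspects, not a list from the page.

```shell
#!/bin/sh
# Added example, not the commenter's scripts: audit mount options the way a
# noexec /tmp defence depends on. Constructed /proc/mounts sample (not captured
# from a real box):
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# missing_opts MOUNTS_TEXT MOUNTPOINT
# Prints the hardening options absent from MOUNTPOINT's entry, space separated.
# Prints "not-a-mount" if no entry matches (the path inherits its parent's
# flags, so a noexec intention there is not enforced). Prints nothing if ok.
missing_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '
    $2 == mp { seen = 1; n = split($4, o, ","); for (i = 1; i <= n; i++) have[o[i]] = 1 }
    END {
      if (!seen) { print "not-a-mount"; exit }
      split("noexec nosuid nodev", want, " ")
      sep = ""
      for (i = 1; i <= 3; i++) if (!(want[i] in have)) { printf "%s%s", sep, want[i]; sep = " " }
      if (sep != "") printf "\n"
    }'
}

# audit_mounts MOUNTS_TEXT MOUNTPOINT...
# One report line per mountpoint; the exit status is the number of failing
# mountpoints, so the function can gate a deploy step.
audit_mounts() {
  mounts=$1; shift
  bad=0
  for mp in "$@"; do
    miss=$(missing_opts "$mounts" "$mp")
    case $miss in
      "")          echo "$mp: ok" ;;
      not-a-mount) echo "$mp: not a separate mount, inherits parent flags"; bad=$((bad + 1)) ;;
      *)           echo "$mp: missing $miss"; bad=$((bad + 1)) ;;
    esac
  done
  return $bad
}

# Demo on the constructed table. On a live box: audit_mounts "$(cat /proc/mounts)" /tmp /dev/shm /var/tmp
audit_mounts "$SAMPLE_MOUNTS" /tmp /dev/shm /home /var/tmp || true
```

On the sample this reports /tmp ok, /dev/shm missing noexec, /home missing all three, and /var/tmp as not a separate mount. The chattr +ia half of the comment is a separate check; `lsattr -d /bin /usr/bin` shows whether the `i` and `a` flags are still set on those directories.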
"it appears that only people running MS has mod points these days"
Try recompiling your kernel without the CONFIG_MS_PARANOIA option set.
"however I could be wrong"
Abuse of term "could be", go straight to jail, do not pass go, do not collect 100 karma points.
"It's because they're a majority that the media thinks it's okay"
No it's not. It's because it actually is okay... even deserved :-p
Recognising delusions of grandeur really isn't that amazing. Google "this isn't slashdot" to see what people outside this site think of the unreasonable emotional reactionists that flood this site. This really isn't a site that anyone would use to try and change the hearts and minds of the public, the signal to noise ratio would just make it futile. You may as well walk out into a field and yell "switch to windows!" amongst cattle for all the good it would do.
Argument doesn't hold... China's products are cheap, whereas Microsoft definitely aren't beating Linux on price.
"And I'm sure, being Linux, this won't take a reboot right? (I'm joking on that last one - of course it will)"
Not heard of ksplice? :-p
"all foam at the mouth how quickly it will be patch. OK. That's nice and all, but how long until it's disseminated on say 90% of Linux machines exhibiting the flaw?"
I'd say fairly quickly. Anyone running a 2.6.30 kernel is someone who's updating the kernel themselves rather than relying on distro updates, as I doubt 2.6.30 is too common amongst distros at the moment, and that being so, it should be rare that the bug ever really gets out amongst the masses. Someone who's keeping their kernel that updated will probably continue doing so.
It's still not good, sure, but I doubt it's really going to be devastating.
Yes well these days code's quite a bit bigger than 32K so we've shortened the term by one letter to help compensate :)
FFS!!! Don't go telling them that the solar system can launch a devastating attack in just 30-45 seconds, what do you want, a war on space?!!
"This is a false dichotomy, and/or a strawman"
Not really... there's a big difference between manned exploring in space as opposed to on earth, at least at speeds within our grasp. Take the famous 1492 voyage to India by travelling round the back of the globe. Those folks never did reach India, as the Americas were discovered to be somewhat in the way. But the entire journey, there's fish to be found in the sea, and where they landed, even though it was *completely* not what they thought it was, they'd've been able to find fresh water, other food, been able to breathe. Some 25-30% of the surface of earth is land, but the same is nowhere near true for space. You can't just point your ship west and hope you hit something. You can travel for hundreds of years and if you spot a gas planet and a sub-freezing methane sea planet be considered lucky. We need to use probes for exploring, because in space, we need to know where it is we can go.
"since they are already talking about deorbiting it"
Already? They've been talking about deorbiting it since before they started putting it up, this isn't new, it's part of the original plan... can't put something that big up there without a plan of what to do with it once they've finished with it.
"There was one really interesting experiment I remember reading about a while ago but I think it was killed and will never make it to the ISS. Can't remember what it was called or what it did though"
Thanks for sharing.
"I'm not sure it can ever be turned around"
Wow... so, given an indefinite timeline, you admit to being able to think of nothing... that your mind is so incapable of envisioning ideas that would result in a positive outcome, that you believe such a situation actually occurring lies between improbable and impossible... well, thanks for sharing, your comments have enriched us all. Seriously, I mean that without sarcasm, as now even the more stupid ideas I've read on this page shine with more merit than Mr "Nothing will happen simply because I can't think of it".
*sigh*
What unilateral plan??? Don't post about stuff that exists purely as a construct of your imagination as if it was real. I know this is slashdot, but still.
"I'm sorry, maybe it was all the pot smoke floating around back in the '60s and '70s"
Ships... not spaceships... when ships were used for exploration I think you'll have to go back a little further than 60s and 70s USA... think: how was America most recently discovered? By people, many considered 'expendable' (ie, would otherwise just be in prisons) on ships.
Say what you want about what we've learnt about the moon, but if we'd had to send people along, do you think we'd have made discoveries about the farthest reaches of our solar system as we have with the Voyagers, or know what we do about the composition of the gas planets' moons, or know what we do about Pluto? That's exploration, of the kind that we have made simply because we took sending humans along out of the equation.
Tunnelier is rather good, includes an FTP bridge. Connect to your ssh server, and it listens on localhost for ftp commands, translates and sends them to your server over ssh. Not only means encryption, but also compression (something I often care more about). Will sit in your system tray and auto reconnect if connection drops, and enable all old ftp-only software to talk to an ssh only server. I talk to everything over it, mysql, imap/smtp, even web traffic can be sped up.
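The "talk to everything over one ssh session" setup in the comment above, as an added example using stock OpenSSH rather than Tunnelier (this is not the commenter's configuration). It builds one compressed session carrying several local forwards, pins every listener to 127.0.0.1 so the tunnel never ends up reachable from the LAN, and wraps it in the kind of reconnect loop the tray application does for you. The host and port numbers are placeholders, not from the page.

```shell
#!/bin/sh
# Added example, not the commenter's tool: several services over one ssh
# session with OpenSSH. -C compresses, -N opens no shell, and each -L is bound
# to loopback on both ends. Host and ports below are placeholders.

# normalize_forward SPEC
# "LPORT:RPORT" becomes "127.0.0.1:LPORT:127.0.0.1:RPORT". A full
# "BIND:LPORT:HOST:RPORT" spec is accepted only if BIND is loopback; a
# wildcard bind (0.0.0.0, *) would expose the tunnel to the local network.
normalize_forward() {
  case $1 in
    *:*:*:*)
      case $1 in
        127.0.0.1:*|localhost:*) printf '%s' "$1" ;;
        *) return 1 ;;
      esac ;;
    *:*) printf '127.0.0.1:%s:127.0.0.1:%s' "${1%%:*}" "${1#*:}" ;;
    *) return 1 ;;
  esac
}

# tunnel_cmd HOST SPEC... -> prints the ssh command line, fails on a bad spec.
# ExitOnForwardFailure makes ssh die (so the loop restarts it) instead of
# silently running with a forward missing; ServerAlive* detects a dead link.
tunnel_cmd() {
  host=$1; shift
  cmd="ssh -C -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
  for pair in "$@"; do
    spec=$(normalize_forward "$pair") || return 1
    cmd="$cmd -L $spec"
  done
  printf '%s %s\n' "$cmd" "$host"
}

# tunnel_loop HOST SPEC... -> keep the session up, reconnecting after a drop.
tunnel_loop() {
  line=$(tunnel_cmd "$@") || return 1
  while :; do
    sh -c "$line"
    sleep 5
  done
}

# Demo: mysql, imap, smtp and a remote web server on local ports (placeholders)
tunnel_cmd user@shell.example.net 3307:3306 1143:143 2525:25 8080:80
```

Plain port forwards cover mysql, imap and smtp directly. FTP is the odd one out: its data connections open separate ports, which is why Tunnelier needs a bridge rather than a single -L; with an ssh-only server the direct substitute is sftp or scp over the same session.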
...rather than just lady flaps...
It's not even tangerinely related?
Of course, because they're different things, well spotted, if they were the same thing, there'd be no point trying to draw comparisons because there would be no differences. Just like how I can compare my house to that of one of my neighbours, but if I were to try to treat their house as I do my own, I'm gonna get into trouble.
or just put the email address producing javascript file in a location excluded by robots.txt... then google won't look at it
is that the sound your farts make afterwards?
Nuh, everyone hates the French.
Firefox is SO behind the curve compared to IE8, Safari4 and Chrome, it's not going to be long before everyone's complaining about how much of a pain it is "having to support FF just because people heard it was more secure than IE before they tried adding features to it and now they won't upgrade to a decent browser".
Reminds me of the end of the Walmart South Park episode, after they burn down Walmart and start shopping at a small shop which then grows and grows until... oops, gonna have to burn that one down. Not gonna make that mistake again! Let's go shop at NewShop3!!!
People think they're learning from mistakes when actually they're reliving them exactly the same, just calling it something else this time.
Lynx?!! W3M man all the way!
Huh? My (genuine) version of Win95 (first edition) came with IE2. It just didn't have an icon on the desktop. Think it was the IE3 update that did that, however we just used the browser that came on the CD our first ISP sent us (which was netscape) because that's what opened after we clicked their 'connect' icon that the CD installed. It was several months and some accidental clicking before I found IE, and that was the first time I found there was actually a choice, and as IE opened up in a split of the time that Netscrape did, I used that.
I'm most annoyed other people's complaining has meant it's been uncoupled from my shell, I found that really useful, and still do with KDE/Konqueror, but in Windows it's no longer 'allowed'.
An operating system shipping without a browser in this day 'n age is ridiculous. Yes I know the slashdot think wrt IE, but freedom should go both ways.