Slashdot Mirror


User: alexhs

alexhs's activity in the archive.

Stories
0
Comments
1,037

Comments · 1,037

  1. What could possibly go wrong? on $200 Million Dollars a Year Could Reverse Climate Change, Says Wave Energy Pioneer (bbc.com) · · Score: 0

    Salted rain? What could possibly go wrong with that?
    Did he mention cloud desalination plants in his project, or does he see it as a pro ("No need to salt roads anymore, heck, it won't even snow anymore anyway")?

  2. Re:Privilege escalation unlikely on Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) · · Score: 1

    Thanks anon!

    Indeed, when I tried to launch a second X session from my main session, in preparation for my answer to Guybrush_T below, I got the following error:

    /usr/lib/xorg/Xorg.wrap: Only console users are allowed to run the X server

    And that file is both setuid and setgid.

    The man page mentions:

    By default Xorg.wrap will autodetect if root rights are necessary, and if not it will drop its elevated rights before starting the real X server.

    So Debian stretch is vulnerable in cases where Xorg.wrap decides Xorg needs root rights.

  3. Re:Privilege escalation unlikely on Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) · · Score: 1

    The problem is that Xorg is pretty much tied to the kernel's video subsystem. Apart from changing the whole architecture, avoiding it running with full root rights implies having a capability-based security model.

    Either Xorg doesn't support capabilities (which seems to be the case: when I try to launch a second X session as a user from the command line on my Debian it fails and the log mentions a permission denied when accessing /dev/tty0), or the operating system doesn't implement them.

    Therefore, while it's dangerous, it sort of makes sense to have the setuid bit on the binary on a system not starting an X session on startup, so that a user can start a session later. If Xorg follows basic security practices, it drops the privileges after the program initialization to minimize the attack surface, but the bug here happens early, so it's still vulnerable.

    As a side note, I'm pretty sure that Xorg isn't shipped on a default OpenBSD install, so it would have to be installed first from the ports.

  4. Re:Privilege escalation unlikely on Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) · · Score: 2

    The point was that if your system is using a display manager, it's probably launched at system startup (because why would a user launch a display manager?), which means the X server was launched as root, which means that Xorg doesn't need to be setuid.

    I mentioned it as an easy heuristic. The "full" check is:
    ls -l `which Xorg`
    If there's an 's' in the permission mask, privilege escalation is possible.
    Otherwise it's just arbitrary code execution with the current user's rights, which is a less important issue (and the chmod workaround doesn't prevent that issue -- actually the chmod command doesn't even work if you're not root).

  5. Privilege escalation unlikely on Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) · · Score: 5, Informative

    It's not about Xorg being run as root (which is probably the case if you run an X display manager), but about the ability for a user to launch Xorg with root privileges (with the setuid bit).

    On my Debian stretch, Xorg is not setuid, so there's no privilege escalation.

    FTFA:

    As a temporary solution, users can disable the Xorg binary by running the following command:
    chmod u-s /usr/X11R6/bin/Xorg

    Seriously, that guy is an idiot. He obviously doesn't understand what a setuid bit is and copy/pastes command lines as if they were magic spells.
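    The setuid check described in comments 4 and 5 above, as an added example script that is not part of the original comments: it reports the setuid/setgid bits of the Xorg found in PATH and of the Debian wrapper /usr/lib/xorg/Xorg.wrap quoted in comment 2, and classifies the impact of an early-startup bug accordingly. Only that wrapper path is taken from the comments; any other path you pass in is your own.

```shell
#!/bin/sh
# Added example, not code from the original comments: check whether the X
# server binary carries the setuid/setgid bits, i.e. whether the "an 's' in
# the permission mask" heuristic from the comments applies. The Xorg.wrap
# path is the one quoted in the comments; any other path is an assumption.

# Print "setuid", "setgid", "setuid+setgid" or "none" for one file.
# Returns 2 if the file cannot be listed.
suid_bits() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    u=$(printf '%s' "$mode" | cut -c4)   # owner execute slot: x, s, S or -
    g=$(printf '%s' "$mode" | cut -c7)   # group execute slot: x, s, S or -
    res=""
    case $u in s|S) res="setuid" ;; esac
    case $g in s|S) res="${res:+$res+}setgid" ;; esac
    printf '%s\n' "${res:-none}"
}

# Classify the impact of a user-triggerable bug in the server's early startup:
# with the setuid bit it runs as root (privilege escalation); without it the
# code runs with the invoking user's rights only.
xorg_risk() {
    bits=$(suid_bits "$1") || { echo "missing"; return 1; }
    case $bits in
        setuid*) echo "privilege-escalation" ;;
        *)       echo "user-rights-only" ;;
    esac
}

# Inspect the Xorg found in PATH plus the Debian wrapper quoted in the
# comments: `which Xorg` may resolve to a plain script while the setuid bit
# lives on /usr/lib/xorg/Xorg.wrap, so both are listed. Extra paths may be
# passed as arguments; files that do not exist are skipped.
main() {
    set -- "$@" /usr/lib/xorg/Xorg.wrap
    found=$(command -v Xorg 2>/dev/null) && set -- "$found" "$@"
    for path; do
        bits=$(suid_bits "$path") || continue
        printf '%-32s %-14s %s\n' "$path" "$bits" "$(xorg_risk "$path")"
    done
}

main "$@"
```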

  6. Where do I mod this story Troll?
    Actually, where can I flag this story as Inappropriate?
    Can we get msmash (4491995) banned?

  7. Office Space on IBM is Being Sued For Age Discrimination After Firing Thousands (bloomberg.com) · · Score: 4, Insightful

    - Yeah. We're gonna bring in some entry-level graduates, farm some work out to Singapore(*), that's the usual deal.
    - Standard operating procedure

    (*) I guess that should read India these days...

  8. Re:I'll tell you how they made it just be watching on How the Weather Channel Made That Insane Hurricane Florence Storm Surge Animation (wired.com) · · Score: 1

    You sure are raining on their parade...

    But you're right, of course, though you forgot the sound effects (unless this comes with fluid simulation).

  9. Re:Missing the big picture on Judge Backs Parents, Saying Their 30-Year-Old Son Must Move Out (npr.org) · · Score: 1

    While the assessment of the situation sounds accurate, it lacks the context of why this could happen.

    Just a century ago, it was more likely that a couple had half a dozen kids, half of them reaching adulthood (losing the others mainly to disease). So the worth of a kid was much less than it is to parents today.

    Also, at the time just as today, in big families there's no way parents can keep an eye on all of the kids, so it's commonplace to delegate part of the duty to the elders (such as in tlhIngan's story).

    In less urbanized environments, there's also the illusion that the kid remains in a more controlled space, as people know each other in small towns. Though this is only an illusion: if a kid gets abducted it's most likely by someone he knows.

    So, the current situation is not only the result of parents becoming increasingly paranoid, but because in one- or two-kid families, the worth of a kid is effectively more.

  10. Re:No need to freak out on Facebook's Android App Is Asking for Superuser Privileges, Users Say (bleepingcomputer.com) · · Score: 2, Informative

    Funny, I practically had the opposite reaction:

    No need to freak out, just say "hell no", and when their mobile usage drops close to 0, it's Facebook that will freak out...

    It already dropped dramatically with the #deletefacebook movement, right? Right?

  11. So, people are moving around? on Canada Facing 'Brain Drain' As Young Tech Talent Leaves For Silicon Valley (theglobeandmail.com) · · Score: 5, Informative

    Two weeks ago, we learned that Engineers Are Leaving America For Canada.

    Do the stories cancel out?

    Will we get a follow-up story about (for example) how young Canadians come to Silicon Valley to get credentials, then leave because of the high cost of living / insecurity over attacks on employee buses?

  12. Re:Didn't you pay attention? on Universities Spend Millions on Accessing Results of Publicly Funded Research (theconversation.com) · · Score: 1

    *repealed*
    (spell-checker couldn't help this time)

  13. Research paper neutrality has been repelled.

    "The vibrant and open research that Americans cherish isn't going anywhere."
    "it's a better way of making money"
    "[research paper neutrality] had slowed investment"

  14. Easy answer. on Is Elon Musk Greatly Exaggerating Tesla's Battery Technology? (bloomberg.com) · · Score: 3, Funny

    Is Elon Musk Greatly Exaggerating

    Yes.

  15. Interested move? on Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com) · · Score: 4, Funny

    Google Working To Remove MINIX-Based ME From Intel Platforms

    ... and replacing it with Android. "Just how much juicy monetizable user data could we get that way?"
    (I believe I'm joking, but I'm not completely sure...)

  16. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    Perhaps anti-virus wouldn't be even necessary if there were less users infected with anti-intelligence.

    So tired of this bullshit argument.

    If you can't deal with people being people, you don't fucking belong in information security.

    The main reason you have to run anti-software sits between the keyboard and the chair, and runs a common sense blocker plug-in.

    And if you can't deal with reading posts, you have no fucking business responding to them.

    Apparently a bunch of slashdotters can't be bothered to read parent posts before moderating "retorts", so writing straw man fallacies is an easy way to get +5...

  17. Just 20? on General Motors Plans 20 All-Electric Cars By 2023 (bloomberg.com) · · Score: 3, Funny

    They produce around 10 million cars a year, and expect to sell just 20 all-electric ones in 5 years (to be kind)?

    (Yes, I understand that "models" was lost somewhere. "Implied" as they pretend :) )

  18. Everything old is new again. on Amazon Starts Charging For Cloud Computing Resources By the Second (amazon.com) · · Score: 4, Informative

    "Back in the old days, you needed to buy or lease a server if you needed access to compute power," remembers Amazon's AWS blog.

    Someone didn't learn history, again.

    In the 1960s, [...] users were charged rent for the terminal, a charge for hours of connect time, a charge for seconds of CPU time, and a charge for kilobyte-months of disk storage.

  19. Re:Ok... and? on APFS Is Not Optional (apple.com) · · Score: 1

    You're going to wait a long time for the answer from the guy that's using Windows 10 on a FAT32 filesystem :)

  20. Re:Office Space on OneDrive Has Stopped Working On Non-NTFS Drives (arstechnica.com) · · Score: 1

    Or a schrödinbug that they triggered but didn't fix.

    A design or implementation bug in a program that doesn't manifest until someone reading source or using the program in an unusual way notices that it never should have worked, at which point the program promptly stops working for everybody until fixed.

  21. Re: What about the Y2K38 bug? on Trump Orders Government To Stop Work On Y2K Bug, 17 Years Later (bloomberg.com) · · Score: 1

    This is disingenuous. You're confusing int with arithmetic type / integer. An int is a specific size of integer on a given compiling environment. size_t doesn't have to be an int and indeed it usually isn't on 64-bit platforms (because it's then usually 64 bits wide and most common platforms have 32-bit ints on 64-bit CPUs. It's ultimately a long long on my current Linux, and a long on my current macOS). I don't find a requirement for size_t to be signed either. I've checked ISO/IEC 9899:TC2 and the Open Group's Single UNIX® Specification, Version 2. What kind of ISO standard did you see that in?

  22. Re:The x86 did not power the first IBM PC on Intel: Steer Clear Of Our Patents (axios.com) · · Score: 2

    The 8088 is an x86 CPU, released in 1979. It's an 8086 (released in 1978) with a halved data bus (8-bit instead of 16-bit). Or maybe you were thinking of the IA-32, introduced with the 80386?

  23. Re:Weak and wobbly indeed on Theresa May Loses Overall Majority In UK Parliament (cnn.com) · · Score: 1

    The Guardian compiled a list of interesting facts from books written by party insiders.

    You're right that the Brexit campaign was never meant to succeed, however your deductions are IMHO incorrect:

    1. Populists break promises at breakfast (1,2). The bolder the lie, the better. Do you believe Donald Trump campaigned to lose?
    2. The remain side campaigns were sabotaged from the inside: the issue was highly divisive for both the Conservatives and Labour.

    About May, she was a remainer in name only: from past behaviour, it's obvious that she prioritizes (lack of) immigration over trade, as she was personally responsible for stalling talks on an EU free trade deal with India.

    (1) They didn't lie. You misunderstood. Probably dishonest media pretended they promised what they didn't (come on, it was obvious hyperbole!), or failing media are pretending they broke promises that they didn't (better, alternative facts show differently). Anyway, on that topic, they have Better Lies (r) now.
    (2) While regular politicians just figure out they were too optimistic: now that they've been elected, they find out it costs too much, it is more complicated than they expected, it would require a majority that they don't have, and they're really sorry about it (3). And who would vote for a boring, down-to-earth administrator anyway?
    (3) The amount of genuine sincerity in that statement is not guaranteed.

  24. it's going to be interesting if intel has the legal bass to actually stop this from happening.

    If they don't, they can always attempt the shark with frickin' laser beams attached to its head.

  25. Re:And the USA is also one of the worst per capita on The US Is the Biggest Carbon Polluter in History (nytimes.com) · · Score: 1

    At least you get that urbanized vs rural population matters more than average population density. But the USA is no more rural than the Nordic countries: 82.4% for the USA, 79.4% for Norway, 86% for Sweden, 83.7% for Finland.

    Important aspects are insulation, and probably also the sort of housing, but I can't find statistics about the proportion of the population living in apartments vs independent houses.