Slashdot Mirror


User: DamnOregonian

DamnOregonian's activity in the archive.

Stories: 0 · Comments: 2,244

Comments · 2,244

  1. Re:Not all run it as root ... on Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) · · Score: 3, Interesting

    Ya, the dude who "corrected" you is fucking insane.
    No version of apache has code that drops the privs of the master process, only the workers.
    It fundamentally breaks operations like HUPs (lest you decide that you want your apache configs readable by the workers.)

  2. Re:Not all run it as root ... on Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) · · Score: 4, Informative

    What's not an answer is "run the actual process as root while serving user requests".

    Good thing that's not what's happening here.

    It's shocking that this is even considered remotely like a possible solution.

    It's also shocking when people offer an uninformed opinion.

    or using a small shim or utility that runs in a high-privileged space and communicates with the rest of the service via IPC.

    This is the funniest quote here, because that's exactly how apache works.

    What's triply galling is that the fix doesn't actually appear to mention fixing any of this, just patching this one vulnerability.

    The vulnerability here is in how the privileged parent process handled IPC with the unprivileged children. IPC between privileged and unprivileged processes is always dangerous without formal verification and lots of eyeballs making sure you parse that IPC safely.
    They got bit here. They fixed where they got bit.

  3. Re:Not all run it as root ... on Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) · · Score: 3, Interesting

    You're killing us, smalls.

    Apache's parent process always runs as root.
    This is so that it can spawn the necessary privileged ports.
    Only children in fork/pre-fork models run as the unprivileged user, which is precisely what this CVE is about.
    Unprivileged fork/pre-fork workers that have had their code compromised can fuck with the scoreboard (chunk of shared memory between privileged parent, and unprivileged child) and get the privileged parent to run worker-supplied code before privilege drop after the fork.

  4. Re: 1996 called on Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) · · Score: 3, Interesting

    You're mixing up shared hosting with a VPS. They are separate products, and both exist (I know, because my company sells both).

    With a VPS, obviously *you* can only root yourself, but more importantly, someone who has access to whatever the Wordpress exploit du jour is can root your VPS. Still problematic.

    The joke is, nobody uses a shared stack with a web config running as an apache module anymore.

    5 Pinocchios, right there.
    We host about 5000 domains on shared web hosting, and about 300 VPS instances.

  5. Re: 44% larger risk on Debris From India's Anti-Satellite Test Poses Threat To ISS, Says NASA (npr.org) · · Score: 1

    Are you really so fucking stupid as to require me to spell this out for you, or are you deflecting because you've begun to smell a hint of the mistake you've made?

    Assuming a modicum of intelligence from you is a stretch, I'll admit, but I had hoped for better than your normal ignorant opinions fired off in the guise of fact.
    A "Space Force" and a "Space Command" are the same thing. China doesn't even have an independent Space Command. It's part of the PLA's Strategic Forces, which is responsible for electronic, space, and cyber warfare.
    That article was written largely by a single person with zero citations for any of his assertions; it did however get one thing right- lumping "Space Forces" with "Space Commands"

    In summary, literally every single thing you said was wrong.

  6. Re: 44% larger risk on Debris From India's Anti-Satellite Test Poses Threat To ISS, Says NASA (npr.org) · · Score: 1

    Oh, I get it. You think a "Space Force" and a Space Command are different. I gotcha. You're imagining little Luke Skywalkers flying around in X-Wings and shit. That's awesome. Keep drinking that Trump-aid, chief.

  7. Re: 44% larger risk on Debris From India's Anti-Satellite Test Poses Threat To ISS, Says NASA (npr.org) · · Score: 1

    Wondering if you read that article.

    Current space forces and military space commands:
    China:
    +++ People's Liberation Army Strategic Support Force
    France:
    +++ Joint Space Command
    India:
    +++ Integrated Space Cell
    Russia:
    +++ Russian Aerospace Forces
    ++++++ Russian Space Forces
    United Kingdom:
    +++ Royal Air Force
    ++++++ No. 11 Group RAF
    United States:
    +++ United States Air Force
    ++++++ U.S. Air Force Space Command

    Thanks? lol.

  8. Re:It was a message on Debris From India's Anti-Satellite Test Poses Threat To ISS, Says NASA (npr.org) · · Score: 1

    Wha?
    Where the hell did you get that idea?
    That station isn't even operable without the Russian components. The very first module launched was fucking Russian.
    It's always come as a surprise to me that we allowed it to take that form, though it's great that we decided to cooperate at that level.

  9. Re: 44% larger risk on Debris From India's Anti-Satellite Test Poses Threat To ISS, Says NASA (npr.org) · · Score: 1

    lolwut?

    I'm wondering if you have a definition of "Space Force" that isn't shared by... anyone else.
    The US has a "Space Force". The proposal is to turn it into its own branch. We had an air force before the U.S. Air Force was an independent branch of the military as well.
    The Russian Federation does as well. And the French. And the Brits. And the Indians.

    Or did you really think the nuclear powers of the world were sitting here while only China had a space military command?

    The more you know, amirite???

  10. Why would I need to do that? His claim wasn't regarding "this recently announced processor". It was generalized "CPUs and GPUs"
    To debunk his claim as bullshit, I merely needed to look up naked pictures of current high-core-count processors. I used 48-core AMDs as an instance.

    Any other logic lessons I can teach you today?

  11. This is very easily provable as false, simply by looking at pictures of naked processors.

    Stop talking out of your ass.

  12. Re:Look at me. This is an AMD shop now. on Intel Announces Cascade Lake With Up To 56 Cores and Optane Persistent Memory DIMMs (tomshardware.com) · · Score: 1

    Let's just ask someone who is a senior engineer at a company that operates 7 of them...

    Oh hey, that's me.
    You have no idea what you're talking about.
    "Single thread performance" is absolutely important, even in applications that are multithreaded. The only time that it becomes irrelevant is in embarrassingly parallel problem spaces, which are nearly non-existent in my datacenters.
    We've done the math, and that's why we're still using Intel. We're open to AMD at some point when they're not trying to win the fight that no one cares about. Intel is making Apple Bionic chips, and AMD is building Samsung 8 core chips desperate to keep up where they can't compete.
    Performance per dollar simply isn't a large concern of ours. We want *the best* performance in a particular application.

  13. Can't tell if kidding. If not... No, no it is not.

  14. Christ, I can't wait to go back to the awesome experience of running slackware on a Pentium 2.

  15. Na. Very much na.
    The last time I used qemu-i386 on an ARM, it took just over 10 minutes to boot a kernel.

  16. Re:Unbelievable on Once-Shrinking Greenland Glacier Is Now Growing, NASA Study Shows (nbcnews.com) · · Score: 1

    doesn't seem like it should be one of those functions that only some members have.

    Nope. Which is why I like the Protestant interpretation far better.
    But it is still just that. An interpretation.
    There are more passages in scripture supporting the idea of a specific clergy formed in the structure of Christ and his Apostles, and there are more passages in scripture supporting the idea of an egalitarian priesthood.
    I don't take sides on what's right. The book is too damn contradictory for that, which should surprise no one as it's composed of many books written by different people (unless of course you want to argue it's the literal word of God)

    For whatever it's worth, I hope one day Protestantism is the dominant form Christianity settles on. In the meantime, I still don't think anyone's argument is better than anyone else's from the point of scripture.

  17. Re: LOL shitty computer? Er, no. It's an Intel kil on ARM In the Datacenter Isn't Dead Yet (theregister.co.uk) · · Score: 1

    Sigh.
    Should have been:

    I already avoid the slower clocked Xeons. Aggregate performance is simply not comparable in most workloads with highly disparate per-core performance. I know a lot of armchair computing experts like to claim that it is, but I'm sorry. The reality on the ground is that it is not. That's why we're not using AMD, and we're not using ARM. Though I promise you- we look forward to being able to some day.

  18. Re: LOL shitty computer? Er, no. It's an Intel kil on ARM In the Datacenter Isn't Dead Yet (theregister.co.uk) · · Score: 1

    *avoid the slower clocked Xeons.

  19. Re: LOL shitty computer? Er, no. It's an Intel kil on ARM In the Datacenter Isn't Dead Yet (theregister.co.uk) · · Score: 1

    The real problem is that ARM is currently nothing even approaching competitive on a per-core performance metric with Intel.
    You need 20 A53 cores to match the performance of 4 Xeon cores.
    In some workloads, this doesn't matter, because they can be scaled well.
    In a lot of workloads, it simply does matter.

    I administrate around 150 servers, and we run 7 datacenters.
    I already avoid the slower I know a lot of armchair computing experts like to claim that it is, but I'm sorry. The reality on the ground is that it is not. That's why we're not using AMD, and we're not using ARM. Though I promise you- we look forward to being able to some day.

  20. Re:Requires changes to software on ARM In the Datacenter Isn't Dead Yet (theregister.co.uk) · · Score: 1

    Not just porting to ARM, porting to your goddamn board and processor.
    When I can compile an "ARM" kernel, and not a kernel specifically built for a board and processor, I think it'll have a lot more of a in the server market.
    Nothing is generic on these things.
    Every fucking chip has its own PCIe bridge.

  21. Re:Unbelievable on Once-Shrinking Greenland Glacier Is Now Growing, NASA Study Shows (nbcnews.com) · · Score: 1

    Yes, that is official Catholic doctrine.
    Next paragraph, though:

    But with the intention of forming the christians into one body, in which "all members do not have the same function" (Rm 12:4), on the evening of his Resurrection, he sent especially the Apostles, in the same way he was sent by the Father (cf John 20:21); from here originates the doctrine of the "special mandate" of the hierarchy in the Church.

  22. I'm not giving them a pass. I'm pointing out that both the DNC and RNC are private organizations. I think they're both despicable. I think they're the fucking root of what is wrong with party politics.
    The fact remains though, that they are in fact private organizations, and we simply have zero right to dictate to them how they select their candidates.
    And that is still very distinct from the actual public democracy.

  23. Re:Unbelievable on Once-Shrinking Greenland Glacier Is Now Growing, NASA Study Shows (nbcnews.com) · · Score: 1

    It bears repeating- I am definitely not defending Catholic dogma.
    However, there are plenty of aspects of the New Covenant that Protestants chose to ignore, or interpret creatively to move toward a more egalitarian philosophy.
    There is, for example, much to be said biblically speaking for the Priesthood and a lot of its dogma that the Protestants have interpreted to mean all people, when it requires some serious stretching of word meaning to arrive at that conclusion.

    I'd prefer if people must practice Christianity, that they practice a Protestant interpretation of it, for sure. But I find it astounding that any of the sects think their way is the right way, biblically speaking.

  24. Re:Unbelievable on Once-Shrinking Greenland Glacier Is Now Growing, NASA Study Shows (nbcnews.com) · · Score: 1

    Mean, median, and mode, in fact.

  25. Re:Unbelievable on Once-Shrinking Greenland Glacier Is Now Growing, NASA Study Shows (nbcnews.com) · · Score: 1

    No true Scotsman or appeal to purity is an informal fallacy in which one attempts to protect a universal generalization from counterexamples by changing the definition in an ad hoc fashion to exclude the counterexample.

    Sorry, it's No True Scotsman.
    It's called No True Scotsman, because the same logic can be applied both directions, even if you're only applying it one direction.
    The fact is, if you take the average person who considers themselves Christian, you get a Catholic.