In your ld-linux.so example, if your ld-linux.so is running executables from a noexec fs, you've got a bug. When I try it I get this:
[user@host ~]$ /lib64/ld-linux-x86-64.so.2 /bin/echo hello
hello
[user@host ~]$ cp /bin/echo /tmp/echo
[user@host ~]$ /lib64/ld-linux-x86-64.so.2 /tmp/echo hello
/tmp/echo: error while loading shared libraries: /tmp/echo: failed to map segment from shared object: Operation not permitted
[user@host ~]$
As for the rest:
Nothing saying you can't pipe a script into perl or bash.
Scripts are an entirely different beast. They don't (normally) allow execution of arbitrary code without the appropriate permissions (non-interpreted code that is). If they do, it's a bug and should be fixed. If you're worried about scripting, you're worried about bash altogether, so you might as well disable login for the user in that case. Using noexec at least lets you give the user a login shell.
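An added example, not part of the original comment: a check of which mount a path lives on and whether that mount carries noexec, the option the ld-linux.so test above depends on. The function names and the mount table are constructed for illustration; on a live system pass /proc/mounts instead of the sample.

```sh
#!/bin/sh
# noexec_status MOUNTS PATH
# Prints "noexec", "exec" or "unknown" for the mount that holds PATH.
# MOUNTS is a file in /proc/mounts format, or "-" to read it from stdin.
# (Hypothetical helper; mount points containing \040 escapes are not decoded.)
noexec_status() {
    awk -v target="$2" '
        {
            mp = $2
            # A mount covers the target if it is "/", an exact match, or a
            # prefix that ends on a path-component boundary.
            if (mp == "/" || target == mp || index(target, mp "/") == 1) {
                if (length(mp) >= best_len) {   # later entries shadow earlier ones
                    best_len = length(mp)
                    best_opts = $4
                }
            }
        }
        END {
            if (best_len == 0) { print "unknown"; exit }
            n = split(best_opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "noexec"; exit }
            print "exec"
        }
    ' "$1"
}

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home/admin ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var ext3 rw,noexec 0 0
EOF
}

# Report the status of a few user-writable and system paths.
for p in /bin/echo /tmp/echo /home/guest/a.out /home/admin/a.out; do
    printf '%-20s %s\n' "$p" "$(sample_mounts | noexec_status - "$p")"
done
```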
So in general there is no danger to home users. Except that some program with a buffer overflow can now also be used to get root access.
Only servers that allow untrusted people to login are in danger. So most people have nothing to worry about. Trust is exploitable, too. Don't give away too much of it.
My server which has a vanilla 2.6.23.15 is vulnerable. But I don't worry because everyone else's home except mine is on a noexec volume. tmp and var are too. Another win for noexec :)
But I subscribe to a webhost service that is vulnerable. Hackers are probably reading my e-mail as we speak. :(
I still can't run administrative functions (like ifconfig) without running them with an absolute path
That's only because /sbin and /usr/sbin didn't get put in your path, which is set at login. It is the same as the difference between "su" and "su -l" (the latter working as a login shell).
Surely the user will be prompted by the browser to ask whether they want to open the pdf to begin with?
There's an HTTP header:
Content-disposition: inline
With a typically configured browser, it doesn't ask the user anything if you use that, it just launches the plugin. However, you can change the configuration to treat it like a file download instead.
I worked at a web shop once, where clients use passwords to access their online accounts.
At the time the database stored passwords in cleartext (guess they haven't heard of hashing then). When doing some work of course I can see everyone's passwords. People choose funny passwords. There's the obvious "password", "<my name>", or whatever.
But there was one that was a strange 9 digit number. Later when I had a chance to talk to that person on the phone I got to learn that his password was his SSN. I didn't have to ask (I didn't even need it), he volunteered it to me when asking for help.
He said "It's a good password because nobody knows what my SSN is!"
but $9.99/yr is not much. What's the point of going through all that trouble? Are the people who practice domain kiting registering thousands of domains this way?
It makes a very big difference when you're talking about someone kiting many hundreds or even thousands of domains.
Also I don't think it is much trouble for the kiters. I would imagine they have all sorts of automated tools to run the process of juggling that many names.
If the true goal of a computer program for a school is to ready its students for the workplace, then is linux really the best method of doing so? Isn't the school in some way doing its students a disservice by training them on a computing method that they will very likely never use again?
Anything a kid can learn about one system can be adapted and applied to another similar system.
The teaching should not be focused on any particular implementation. Leave the specifics to the vocational training if the kid just wants to learn how to do one thing only.
Otherwise you are just stuck with circular logic. You despise Microsoft, but you want to keep kids learning it in schools so they will succeed. This assumes the kids aren't adaptable. And it results in furthering Microsoft's exposure which leads to an even bigger and focused market which means kids will keep learning it and etc.
Upgrade to 2.6.23 right now? Are you out of your mind? Everyone knows you're supposed to wait for the SP1 release before upgrading to a new operating system!
earplugs.
But you can get hired as a Private Investigator.
You probably want to get 2.6.24.2 when it shows up instead. rc releases have a lot of freshly-merged stuff that isn't fully stable yet.
They might spring a 2.6.25 on us but I doubt it. It likely isn't stable enough yet.
Worked on my x86_64. I'm compiling a patched 2.6.23.15 now.
It is still vulnerable to CVE-2008-0600.
Yes. Exploit the vulnerability in order to fix it. That is quite funny. :)
Does anyone still think that it's a good idea to permanently store your passwords in your browser?
That's a shame, because I'd like to send my application to work for them.
Good lord some people are fucking stupid.
They do that already, it is called Google Desktop.
"oops"
You want to donate your network to google?
Turn off the phone when you're driving.
Dish won't disable DVR, they'll just start charging more for it to get TiVO their cut.
I would be glad if they remove the grace period.
What we need instead are smarter kids.
Have you ever heard of SSL?
Do you always click on "OK" when a bad certificate warning comes up on your browser?
I have had it with these motherfucking hackers on this motherfucking plane!