Latest Patches, GNU Guix Vulnerability, and Linux Security Enhancements

Published on Tux Machines (http://www.tuxmachines.org)

Security: Latest Patches, GNU Guix Vulnerability, and Linux Security Enhancements
By Roy Schestowitz
Created 09/02/2021 - 7:45pm
Submitted by Roy Schestowitz on Tuesday 9th of February 2021 07:45:51 PM
Filed under Security [1]

Security updates for Tuesday [LWN.net] [2]

Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).

Risk of local privilege escalation via setuid programs | 2021 | Blog | GNU Guix [3]

On Guix System, setuid programs were, until now, installed as setuid-root and setgid-root (in the /run/setuid-programs directory). However, most of these programs are meant to run as setuid-root, but not setgid-root. Thus, this setting posed a risk of local privilege escalation (users of Guix on a "foreign distro" are unaffected).

security things in Linux v5.8 [4]

Linux v5.8 was released in August, 2020. Here's my summary of various security things that caught my attention...

Cook: security things in Linux v5.8 [5]

Kees Cook catches up with the security-related changes in the 5.8 kernel release.

Source URL: http://www.tuxmachines.org/node/147465

Links:
[1] http://www.tuxmachines.org/taxonomy/term/59
[2] https://lwn.net/Articles/845504/rss
[3] https://guix.gnu.org/blog/2021/risk-of-local-privilege-escalation-via-setuid-programs/
[4] https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
[5] https://lwn.net/Articles/845469/rss
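The setgid-root bit described in the Guix item above is something an administrator can audit and correct from the shell. The following is an added example, not code from the Tux Machines post or from the Guix project; it assumes a directory of wrappers laid out like /run/setuid-programs (passed as a parameter) and builds a constructed sample directory so the check runs without root.

```shell
#!/bin/sh
# Added example (not from the Tux Machines post or the Guix project): audit a
# directory of setuid wrappers, such as Guix System's /run/setuid-programs,
# for entries that are setgid as well as setuid, and strip the setgid bit
# from them, which is the mode the Guix fix installs. The directory is a
# parameter; the sample directory below is constructed for the demonstration.

# List regular files directly under $1 that carry both the setuid (4000) and
# setgid (2000) bits. Both -perm tests must match, so files with only one
# of the bits are not printed.
find_setuid_setgid() {
    find "$1" -maxdepth 1 -type f -perm -4000 -perm -2000 | sort
}

# Number of such files; 0 is the expected result on a fixed system.
count_setuid_setgid() {
    find_setuid_setgid "$1" | wc -l | tr -d ' '
}

# Remediation: keep setuid, clear setgid, on every flagged file under $1.
strip_setgid() {
    find_setuid_setgid "$1" | while IFS= read -r f; do
        chmod g-s "$f"
    done
}

# Constructed sample directory standing in for /run/setuid-programs.
# The files are owned by the caller rather than root, since only the mode
# bits matter for the check; real wrappers are root-owned.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/su-like";   chmod 4755 "$d/su-like"    # setuid only: as intended
    : > "$d/ping-like"; chmod 6755 "$d/ping-like"  # setuid + setgid: flagged
    : > "$d/plain";     chmod 0755 "$d/plain"      # no special bits
    printf '%s\n' "$d"
}

# Stand-alone run: report, fix, report again.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    echo "before: $(count_setuid_setgid "$d") setuid+setgid file(s)"
    find_setuid_setgid "$d"
    strip_setgid "$d"
    echo "after:  $(count_setuid_setgid "$d") setuid+setgid file(s)"
    rm -rf "$d"
fi
```

Run with `--demo` to see the constructed directory audited and fixed; point `find_setuid_setgid` at the real wrapper directory to check a system.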