Kernel privilege escalation links

February 11, 2008

Hey Kevin, Veter, whoever’s reading this. There’s an exploit going around and almost every Linux kernel from 2.6.17 to 2.6.24.1 is vulnerable. It allows any local user with access to a compiler to compile a single .c file, run it, and become root.

The exploit: http://www.milw0rm.com/exploits/5092

(to use it, save the code, run: gcc filename-of-saved.c -o whatever && ./whatever )

The in-memory fix: http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c

This does fix the vmsplice exploit, and you compile and run it the same way you run the exploit, but it seems it may also open up a DoS condition… Not sure which is worse or if it’s worth the risk.

The upstream kernel fixes: http://tinyurl.com/2kd7u3 & http://tinyurl.com/2uyymj

These are the fixes to apply if you choose to compile your own kernel; the 2.6.24.2 kernel already includes them.

There should be new kernel packages in all the distros by mid-week (we mainly run CentOS, and I’m assuming they’ll have the packages in by Wednesday at the latest), but for them to take effect, we’d need to reboot the servers.

As a final side note, NO FREEBSD SERVERS ARE VULNERABLE. :)
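As an added example (not part of the original post), here is a small Python triage script for sorting an inventory of hosts against the affected range the post names, 2.6.17 through 2.6.24.1 with the fix in 2.6.24.2. The hostnames and `uname` output in the inventory are constructed; note the script can only say "possibly affected" for a Linux kernel inside that range, because distribution kernels (the CentOS 2.6.18-*.el5 series is the obvious case) backport fixes without changing the upstream version number, so the vendor advisory, not the version string, is the final word.

```python
import re

# Added example, not from the post: classify hosts against the range the
# post names as affected (2.6.17 through 2.6.24.1, fixed upstream in 2.6.24.2).
AFFECTED_MIN = (2, 6, 17, 0)
AFFECTED_MAX = (2, 6, 24, 1)


def parse_kernel_version(release):
    """Turn a `uname -r` string into a 4-tuple of the upstream version.

    "2.6.24.1-custom"   -> (2, 6, 24, 1)
    "2.6.18-53.1.6.el5" -> (2, 6, 18, 0)   (distro suffix is dropped)
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, sub = m.groups()
    return (int(major), int(minor), int(patch), int(sub or 0))


def vmsplice_status(sysname, release):
    """Return "unaffected", "possibly affected" or "fixed upstream".

    Only Linux is in scope (the post notes FreeBSD is not vulnerable).
    "possibly affected" rather than "affected": distributions backport
    fixes without bumping the version, so check the vendor advisory.
    """
    if sysname != "Linux":
        return "unaffected"
    v = parse_kernel_version(release)
    if v < AFFECTED_MIN:
        return "unaffected"          # below the range the post names
    if v <= AFFECTED_MAX:
        return "possibly affected"
    return "fixed upstream"


# Constructed inventory: (hostname, uname -s, uname -r), as a fleet
# script might collect it over ssh.
INVENTORY = [
    ("web1", "Linux", "2.6.18-53.1.6.el5"),
    ("build", "Linux", "2.6.24.1-custom"),
    ("dev", "Linux", "2.6.24.2"),
    ("old", "Linux", "2.6.16.60"),
    ("bsd1", "FreeBSD", "6.3-RELEASE"),
]


def triage(inventory):
    """Map each host to its status: the list to hand to whoever schedules reboots."""
    return {host: vmsplice_status(s, r) for host, s, r in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:6} {status}")
```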

Debian Unstable (aka Debian Sid or Debian Thermite) Review

September 2, 2007

Here we go with a review of Debian Unstable.

I’ve been running Debian Unstable for about 2-3 weeks now as my main desktop OS and I have to say… I love it. From what I hear, things do occasionally break horribly (for example, if grep breaks, you can’t boot and you have to know how to fix that; if pam breaks, you can’t log in and you have to know how to fix that) and other horrible situations come up. This only happens about once a year, and if you’re careful about upgrading packages, you can avoid it. The big reason people install Unstable and put up with the occasional major or minor breakage is that it’s still quite stable for desktop use and it’s reasonably bleeding-edge. For example, about 2 weeks ago, Banshee Media Player released version 0.13.1. 2 days after the project released it, it was in Unstable. It wouldn’t have hit Testing for at least a month and it would probably never hit the current iteration of Debian Stable (Etch). Now, before you go out, download an ISO snapshot of it and install it, there are a few things I should warn you about:

1. It’s not nearly as stable as Etch or Testing. If you’re running a server, router, firewall, etc, I would NOT recommend Unstable.

2. As I said earlier, there can possibly be major breakages, and the Debian community assumes you know how to fix them; otherwise you shouldn’t be running Unstable.

After all this, if you’re still ready to run Unstable, I have 4 recommendations about handling new packages. Depending on how many packages you have installed, you’ll probably see 5-20 updates a day; this is how to mostly avoid problems:

1. Install apt-listbugs. With this, every time you install or upgrade a package, it’ll warn you if there are any serious or grave bugs, and from there you can decide if it’s worth it or not (if there’s a bug for the hppa architecture of a package and you’re using i386, you can safely not worry about it).

2. Subscribe to the debian-devel-changes mailing list. It’s massively high-volume, but it’s a great tool for easily seeing a changelog of what’s new with packages. If it’s just a minor bugfix, you’re more than likely fine, but if it’s a big code rewrite or something, I’d personally suggest waiting a few days for bug reports and possible fixes to pop up.

3. Read the #debian-devel topic. You can join that channel on OFTC or read the topic here: http://wiki.debian.org/TopicDebianDevel. Usually if there are massive breakages, the topic changes, so that’s quite useful.

4. Be smart. If there’s an upgrade to some minor library or package you don’t use, it’s pretty safe to upgrade, and if there are bugs, you really don’t have to worry too much. If there’s a kernel upgrade or something that could possibly hurt your system (sysvinit, pam, grep, etc), I suggest holding back on them for a day or 2 until people start putting in bug reports, so you can see if they’ll hurt you at all.

Pros of Debian Unstable

1. bleeding-edge packages

2. decently stable for a desktop environment

3. bugs are fixed quicker than in any other release

Cons of Debian Unstable

1. Possible massive breakages that can cause your system to be unusable.

2. Times when upgrades can be a bit…wonky.

3. Occasional minor breakages.

From all that, it’s up to you if you’d like to run it. I personally love it because it’s bleeding-edge software and I can fix, or know how to work around, any issues that come up.

The ubiquitous “I’m Back” post

September 2, 2007

I know I’ve been neglecting this blog for a while, but a lot of stuff has been going on in my life… I’m ready to restart it, and now that I have a true dev box I can try out a lot more distros. However, it’s gonna change a bit… Today, I’m going to write up 2 reviews: first a review of Debian Unstable as of 9/2/07, then an Arch Linux 2007.08 review, to kind of make up for lost posts.

The new schedule of the blog will be pretty simple: I’ll review a new distro every week after testing it/playing with it a bit. If anyone would like to recommend a distro to review, please either post in the comments or email me at: jd.linux.reviews@gmail.com

Thanks and Enjoy

Apple iPhone Review

June 29, 2007

I’m going a little bit different today since it’s kind of a special day. Here is my unbiased review of the Apple iPhone. First, I didn’t get one for free (a la Pogue and Mossberg), but I played with one at my friend’s AT&T store yesterday for an hour or two, and that should give plenty of time to form an opinion of the device. Also, I’m not necessarily an Apple fanboy, but I’m far from an Apple hater (I can’t live without my iPod, for example). Honestly, I have to say that it sucks. If you’re thinking of getting an iPhone, go with a T-Mobile MDA or a Cingular/AT&T 8525 and a 4GB SD card; you’ll be happier and you’ll spend a lot less money. OK, this is not a completely bashing review; it did have some nice features. The YouTube app was quite cool and the iPod functions were awesome. On to the bad. The virtual keyboard and multi-touch interface are horrible. Multi-touch barely worked and I had to tap on something 3 times to get it to register; the keyboard is incredibly hard to use compared to my Treo 700, my Treo 650 and my MDA; and the spell checking function is OK, but it’s not great. As Pogue and Mossberg said, web browsing on wifi is pretty decent, but it’s incredibly slow on AT&T’s EDGE network. Google Maps is a pretty cool app on the phone, but when you’re driving, without GPS, it really does no good. As for the basic cell phone-type stuff, it was OK, but the call quality really wasn’t that great and I personally think Visual Voicemail is stupid; photos from the onboard camera also look pretty grainy and washed out. One thing I REALLY hate is that there are no true 3rd party apps for the iPhone like there are for PalmOS and Windows Mobile; everything’s on the web, and for some stuff like twitter apps, gas price apps and digg apps, that’s OK, but for apps that interact with your phone features or apps that you might use without access to a data network (such as games), it’s stupid, and apps like that should be able to be loaded onto the phone.
As for the phone being locked down, yes, it is incredibly locked down, and they also completely forgot important features. Here are a few examples: no expandable memory, no apps that natively run off the device, no SIM card slot, no removable battery, no A2DP (stereo Bluetooth), a weird recessed headphone jack so most normal headphones won’t work, no way to copy, cut or paste text, and the camera can’t record video. I think this device is NOT worth $500 and being locked into a contract for the next 2 years. You’re better off going with a real smartphone. I don’t do “scores”, but I’ll do one for this review:

Apple iPhone: 5/10

Damn Small Linux 3.3 Review

May 23, 2007

First, a bit of blog news: I haven’t been keeping up with the blog too much lately, as happens with most of the blogs I’ve started :( I’m gonna try to update it more. Also, I said in my last post that I would be reviewing either Ubuntu or Fedora Core next… I’m not (apparently from the title). I was told that a new version of FC is coming out soon and Ubuntu’s been giving me a few problems lately, so the jury’s still out a bit on that. All this having been said, on to the review of Damn Small 3.3.

Damn Small Linux (which I’ll be abbreviating DSL from here on) is a distro designed to be very lightweight and able to run on “ancient” hardware, that being a Pentium 1 at 200MHz with 32MB of RAM. It also runs great if you need a very small, light distro for something on current hardware, as it has many current programs and you can install quite a few more. DSL uses a customized version of the 2.4.26 Linux kernel, Xvesa as a lightweight X server (in place of X.org or XFree86) and Fluxbox as a light window manager. It also has its own proprietary MyDSL package manager, and it can use apt if you choose to enable it, so you can install any number of packages. It can also be installed to a flash drive or your hard drive.
Pros:
1. Very lightweight distro.
2. supports some levels of package management even when running it from the LiveCD.
3. gives you a full linux environment with a GUI in less than 50MB
Cons:
1. Not the easiest distro to get a hang of.
2. Out-of-date packages and kernel (at least 2-3 years old).
3. No support for newer hardware unless you install the kernel modules yourself.
4. Not great to use as a full-time desktop OS.

If you want a distro that you can run and have work reasonably well on a computer from the mid-to-late 90s, choose DSL; if you want a distro that you can run on your current system as a desktop OS, pick Debian or Ubuntu… DSL’s not really for you. All in all, DSL is pretty great if you know your way around Linux and know what is and isn’t supported in the 2.4.26 kernel, but if you’re new to Linux, DSL’s not for you.

Debian Etch (4.0) Review

May 19, 2007

I thought I should do a review of quite possibly my FAVORITE Linux distro, Debian… note this might be a little bit biased. Here we go:

I’ve been using Debian for close to a year now, and more specifically Etch for about 7-8 months. I’m not going to discuss the differences between Etch and Sarge (old stable) because it’s currently somewhat difficult to find Sarge, and as I said Etch is the current stable; if you’re running Sarge, it’s worth the upgrade. Unlike with most distros, selecting the full CD/DVD set for Debian is not a good idea. The best option is to use the netinstall, which installs a base system from the CD and downloads all the other packages from the internet, but make sure your network card works (no wifi support in the installer). In Etch, the installer is new in that it has a GUI instead of an ncurses interface; I wasn’t a big fan of this as it provided less information than the old installer, but for new Debian users, it’s probably a good idea. Unlike Gentoo in my previous review, the installer asks you a bunch of questions, installs your system and, if you selected to have a GUI, you reboot right into Gnome. At this point, when you get dropped into Gnome, it will feel a lot like Ubuntu, and it is, as Ubuntu is based off of Debian, but in many ways it’s different: Debian doesn’t have wizards and GUIs for everything, you have to do many things by hand and you learn a lot about Linux. If you want things to just work after installing your OS without having to tinker with it for a few minutes, Debian is not for you. If you want an OS that’s very stable, quite powerful, customizable and has great package management, Debian might be for you.
Pros:
1. Debian is fast, stable and customizable.
2. Debian has apt, which is great package management.
3. It’s a reasonably easy-to-use distro and you learn more about Linux than you do with some other distros (such as SuSE, Fedora Core, Ubuntu, etc).
4. Debian is one of the oldest distros out there.
5. Debian is great for a server OS and on that note, you have the option to NOT install the GUI if you don’t want it.
Cons:
1. Debian is a little harder to use than some distros (see list on #3 above).
2. The Debian community is not as big as the Ubuntu community or some others.
3. On the same note as #1, you have to do a lot of things manually.
4. Debian is not updated very often (in stable at least), as all the packages are VERY thoroughly tested (the last Debian release before Etch in April 2007 was Sarge, way back in June 2005).

Hope you enjoyed this, and enjoy using Debian if you choose it. I’m planning on doing either a review of Ubuntu 7.04 or Fedora Core 6 next.

Gentoo Linux Review

May 14, 2007

Here’s my (not so) short review of Gentoo Linux:

I installed Gentoo Linux about 2 weeks ago from the 2006.1 minimal install CD (about a week before 2007.0 came out). The install was different from what I was used to and what all of you are probably used to: you boot a LiveCD and all it does is drop you at a command line, no GUI/X, no ncurses (command-line GUI thing), just a straight command line, and you have to use fdisk and the mke2fs commands to partition and format your drive. Then you download a “Stage3 tarball”, which is basically the base system of your new installation (the ls, cd, su, etc commands and other essential stuff) and is precompiled (I’ll explain why this makes a difference in a bit). You then download and install the Portage tree, which gives you your package management (sorta like apt in Debian/Ubuntu). Then you chroot into your installation, which basically moves you from the LiveCD to your installation. Then you emerge (Gentoo’s package manager) your kernel and compile it; depending on how you choose to do this, it could be very easy or very complicated. The first time I compiled my kernel by manually selecting my options, I had most things working… but I didn’t have sound, so when there was a kernel update, I had Gentoo auto-config my kernel. Then you run a few miscellaneous commands to set up users, CFLAGS, USE flags, timezones, the system log, grub (bootloader), a cron daemon, and that’s about it. With that, you’ve pretty much got a full Gentoo install, but all you have is the command line… If you want Gnome or KDE, you can emerge them, and I would recommend you do; they however WILL take a long time to install, probably between 5-10 hours depending on the speed of your system.
Now, you’re probably wondering: “I run Ubuntu/Debian/insert-other-distro-here, why should I spend all this time and work to install Gentoo?”
Well…There are a few answers to this question:
1. Because in using/installing Gentoo you learn A LOT about Linux.
2. Gentoo is VERY, VERY fast. For me, I get to a login screen about 10-20 seconds after boot (after selecting Gentoo in grub), Gnome opens instantly after I enter my password to log in, and Firefox opens instantly when I click on it… Debian/Ubuntu are not even close to that fast.
3. Gentoo is very customizable because of the USE flags. For example, if you’re installing VLC and there’s a feature you don’t want or need, you can simply tell it to leave that feature out to keep VLC small and fast. If you want the feature in the future, you can always add it as a USE flag later and reinstall VLC.
4. Gentoo compiles EVERYTHING from scratch. This is good because Ubuntu packages might be built on a dual 3GHz Xeon server, but they’re not optimized for your 1.4GHz Pentium M. This is where Gentoo is great. It compiles everything for your hardware, which makes it rather custom and damn good in my opinion.
5. Gentoo has BLEEDING EDGE packages. Yesterday Wine 0.9.37 came out… that same day, it was in Portage (Gentoo’s package manager). Very few other distros are nearly that fast about pushing packages out.
6. The community is great and really helpful on the forums, irc, etc.
7. The newest or unstable packages are what’s called masked so you really can’t bork your system with a bad package.
Now, that’s almost all the good stuff about Gentoo, there are 1 or 2 bad things though:
1. Packages take a long time to install. Wine may take 30 seconds to 5 minutes to install on Ubuntu…it could take up to 1-2 hours on Gentoo.
2. There is a handbook to help you install, but you do need to have at least semi-decent knowledge of Linux command-line.
3. Because of bleeding-edge packages (see #5 above), sometimes things break and you have to either know how to fix them or know where/how to get help when you may not have a GUI or something of the like.

I hope you guys enjoy this REALLY long review/rant of sorts. Please comment and tell me if you liked it, if I should do more reviews of Linux distros I’ve run, if I should not quit my day job, etc. Also, if you’d like some help/more information about Gentoo because you want to try it for yourself, please feel free to ask.

Hello world!

May 14, 2007

This blog is going to be a review page of sorts for all the different Linux distributions I use. I’ll try to make it as non-biased as I can and I hope to provide you all with some good content… perhaps in the future, I’ll turn this into a podcast of sorts… hmm… in any event, enjoy the content, and if you’d like any Linux help, comment and I’ll try to help you with that as well.
