[SOLVED] Any guy able to exploit a Wordpress, Joomla, Drupal from a Slackware Server can get easily root access. How do you comment, Mr. Volkerding?
Slackware forum (LinuxQuestions.org): This Forum is for the discussion of Slackware Linux.
Nothing stops me from compiling a kernel as I like, and I believe I have quite some experience with that after all those years.
Sadly, not all servers using Slackware are mine. So, more than probably, there are thousands of administrators expecting official security patches. Because that's how things are done, you know...
No! The way things should be done is administrators should administrate their own boxes. If a kernel/software/php update isn't put out with the expediency they desire, they should compile their own. All the SlackBuilds are available, as is the config used for the kernel.
Yes, Pat will likely get a patch out soon, but as an administrator, it is your job to ensure your system is as secure as it should be, and that will ALWAYS require you to deviate from a completely stock system... whether that be changing a config, starting/stopping a service, or recompiling a piece of software or the kernel.
If you have to get an updated piece of software from the distribution to ensure your systems are safe, you're failing as an administrator. Roll your own, and then when the official patch comes, you can switch to that. Until then, any breaches in security are on you, not on the distro. We aren't running Windows, and we don't need to wait for someone who designed the OS to release new updates.
Take some pride and take the initiative to keep your system secure!
This is one of the downsides of running a one-man centric distro. Pat simply can't offer the same level of response as the bigger distros. One should keep that in mind when choosing to run Slackware and be prepared to step in when he's not around to do the work for you. This situation is nothing new.
And so spoke the great Slackware Thinker, Mr. Bassmadrigal, to all administrators who use Slackware.
Maybe you have not figured it out yet, man! All servers running Slackware (while not only) are with the pants down right now.
Why? We know why! We even know who is at fault!
The question is what Slackware does when facing the most epic Linux vulnerability ever...
And please, let's not go all zealot, as usual!
Let me fix that statement for you...
All servers running Slackware (while not only) whose administrators haven't taken the initiative and compiled a patched kernel are with the pants down right now.
GazL is indeed correct. Slackware is a one man team. Pat may be working on compiling kernels for all supported versions of Slackware, or he may be on vacation out in the wilderness without a signal. We don't know the reason why there haven't been updates, but seriously, do you really think Pat is going to work any harder because you posted your usual crap? It would certainly have been nice to have these security updates available as soon as they were available, but we don't have them yet. You can complain all you want, but unless you're willing to compile your own kernel like a good administrator should, you'll remain vulnerable until packages do become available.
If you (not just you, but any system admin) choose to just wait until Pat puts out updates, and decide to keep your systems vulnerable, then that's on you. Not on Pat.
Quote:
Originally Posted by dugan
People...
"a security update should have been issued by now" is a valid criticism.
I totally agree with this, but until a patch is released by Pat, a good sysadmin would upgrade the kernel themselves. As many of us know, this isn't the first time we've had a large gap in updates when valid security patches should've been released. Once the gap in updates during the 14.2 development cycle passed, Pat released updates for 16 packages for 14.1. Raising the question is fine, but geez, Darth has a way of bringing out the bad in everyone with his horrible posts.
Wordpress? Joomla? Drupal? They all have awful, terrible reputations for insecurity. Any fool knows that the only way to run Wordpress and stay sane is to have somebody else do it for you.
"Most epic Linux vulnerability ever" is a ridiculous exaggeration. This is "only" a local privilege escalation with a funny name, a funny logo and a funny online shop. To put that in perspective, look at all these remote exploits that didn't become memes.
Mr Volkerding's 50th birthday was the same day that Dirty Cow was announced. I hope he's having the holiday of a lifetime, and I hope he's off-grid, and anyone with a shred of humanity should bloody well agree.
This sort of thing is the reason I don't outright recommend slackware, even though it's the only distribution I'd use myself for my main OS. I couldn't tell my arch-using brother to switch over if I'd have to add the caveat “Oh, and by the way, don't expect security patches in a timely manner, you'll have to check forums and the obfuscated kernel changelog and fix those things yourself”. As much as I want to view slackware as a system that you set-it-up-once-and-forget-about-it, it ain't, not until security updates are consistently provided. Preferably with a delay inversely correlated to the severity of the issue.
The patches DO come in a timely manner.
If you want them even faster you can do them yourself. There is no "obfuscated kernel changelog".
Security updates come much faster than on other systems, as Slackware is closer to the upstream projects.
If you think the patches are too slow, you can certainly use RH... or Windows (oh wait, Windows still has the unpatched NTLM vulnerability from almost 20 years ago).
The fear mongering tone of this thread is disgraceful. Please conduct a proper threat assessment.
The vulnerability in question is a local privilege escalation. If you are a home user, using a default Slackware install, then the only way a remote user could exploit this would be via an unhardened SSH setup. The SSH port is likely blocked by default on your ISP supplied modem/router.
Anybody else who feels threatened, should reflect on the fact that they have chosen to open up their Slackware system to the internet and/or potentially hostile local users. By doing so, you also accepted responsibility for maintaining the security of your system.
I am not trying to underplay the seriousness of the vulnerability. The full disclosure has escalated the threat. The fix is simple and easy. Compile and install a new kernel.
Quote:
If you want them even faster you can do them yourself.
That's what I do, and that's the reason I won't recommend slackware.
Quote:
Originally Posted by jpollard
There is no "obfuscated kernel changelog".
How, without digging through the source, or spending time at lwn or other sites, would you know from the changelog that commit 1294d355881cc5c3421d24fee512f16974addb6c fixes a severe security issue?
Quote:
Originally Posted by jpollard
Security updates come much faster than on other systems, as Slackware is closer to the upstream projects.
Well, Alpine, which is the only non-slackware linux system I use, released their grsecurity enhanced 4.4.26 on the 21st of October…
Quote:
That's what I do, and that's the reason I won't recommend slackware.
You will find VERY few distributions that go faster. Most will spend a week or more verifying that nothing else has been affected by the patch.
I suppose you don't recommend any distribution...
Quote:
How, without digging through the source, or spending time at lwn or other sites, would you know from the changelog that commit 1294d355881cc5c3421d24fee512f16974addb6c fixes a severe security issue?
The words "Fix get_user_pages() race for write access" look fairly obvious.
Quote:
Well, Alpine, which is the only non-slackware linux system I use, released their grsecurity enhanced 4.4.26 on the 21st of October…
Oh gee. VERY slow...
The kernel was provided on 20th.
<sarcasm>And if you want the latest, it was released yesterday. So Alpine must be way behind.... </sarcasm>
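Two of the posts above amount to a procedure for an administrator: do a threat assessment, decide whether the running kernel still needs the fix, and, if so, compile and install a new kernel; and, when reading a kernel ChangeLog, recognise the fixing commit by its id or wording rather than by digging through the source. The script below is an added example of both checks and is not code from the thread, from Slackware, or from kernel.org. It assumes that 4.4.26, the release Alpine shipped according to the thread, is the first fixed release of the 4.4 series; any other series is reported as "unknown-series" until the admin adds the first release carrying commit 1294d355881cc5c3421d24fee512f16974addb6c. The ChangeLog text inside it is constructed for the demonstration, not a real excerpt.

```shell
#!/bin/sh
# Added example, not code from the thread or from Slackware: two checks an
# administrator can run before deciding whether to rebuild the kernel.
#   1. Is the running kernel at or past the fixed release for its stable series?
#   2. Does a kernel ChangeLog carry the fixing commit?
# Assumptions: the only fixed release listed below, 4.4.26 for the 4.4 series,
# is taken from the thread (Alpine's patched 4.4.26); every other series is
# reported as "unknown-series" until the admin adds the first release that
# contains commit 1294d355881cc5c3421d24fee512f16974addb6c. The sample
# ChangeLog text is constructed for the demonstration.

# Fixed release per stable series, as "major.minor:fixed-version" entries.
FIXED_RELEASES="4.4:4.4.26"

# version_ge A B: true (exit 0) when dotted version A >= B, compared field by
# field as numbers. A string comparison would rank 4.4.9 above 4.4.26, and
# Slackware's uname -r may carry a suffix such as "-smp", so awk's numeric
# conversion ("14-smp" -> 14) and padding of missing fields with 0 are used.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] > b[i]) exit 0
                if (a[i] < b[i]) exit 1
            }
            exit 0
        }'
}

# fixed_for_series VERSION: print the fixed release for VERSION's major.minor
# series, or fail when the series is not in the table (fail closed: a kernel
# from an unlisted series is never reported as patched).
fixed_for_series() {
    series=$(printf '%s' "$1" | cut -d. -f1,2)
    for entry in $FIXED_RELEASES; do
        case $entry in
            "$series":*) printf '%s\n' "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

# kernel_status VERSION: print patched, vulnerable or unknown-series.
kernel_status() {
    fixed=$(fixed_for_series "$1") || { echo unknown-series; return 0; }
    if version_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
}

# changelog_has_fix: read a ChangeLog on stdin and succeed when it names the
# fixing commit by id, or contains the phrase quoted in the thread.
changelog_has_fix() {
    grep -q -e '1294d355881cc5c3421d24fee512f16974addb6c' \
            -e 'Fix get_user_pages() race for write access'
}

# Constructed sample ChangeLog (not a real kernel ChangeLog excerpt).
SAMPLE_CHANGELOG='commit 0000000000000000000000000000000000000000
    constructed: some unrelated stable backport
commit 1294d355881cc5c3421d24fee512f16974addb6c
    constructed: entry standing in for the Dirty COW fix'

# Report on the box this runs on, then on the constructed ChangeLog.
running=$(uname -r 2>/dev/null || echo 0.0.0)
printf 'running kernel %s: %s\n' "$running" "$(kernel_status "$running")"
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_fix; then
    echo 'sample ChangeLog carries the fix: yes'
else
    echo 'sample ChangeLog carries the fix: no'
fi
```

The per-series table is deliberate: a kernel from a series not in the table compares numerically above 4.4.26 yet may still lack the backport, so the script refuses to call it patched. To use it against a real tarball, pipe the series' ChangeLog file into `changelog_has_fix`.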