[SOLVED] Any guy able to exploit a Wordpress, Joomla, Drupal from a Slackware Server can get easily root access. How do you comment, Mr. Volkerding?
All servers running Slackware are with the pants down right now.
(...) And, please let's do not go zealots, as usual!
[Non-zealot mode on]
I don't get your statement regarding servers. If I understand correctly the vulnerability, it has to be triggered by a malicious executable, right?
I guess most servers don't (most of the time) run new software, obtained from unknown or dubious sources, right?
So, my understanding is that this vulnerability is more a threat for unmanaged desktops, typically the home PC where the admin-owner-user downloads and tests stuff from ...various places :-)
Did I miss something here?
Last edited by philanc; 10-24-2016 at 07:24 PM.
Reason: typo
Distribution: Slackware64-current on Thinkpad Carbon X1
Posts: 264
Quote:
Originally Posted by philanc
[Non-zealot mode on]
I don't get your statement regarding servers. If I understand correctly the vulnerability, it has to be triggered by a malicious executable, right?
I guess most servers don't (most of the time) run new software, obtained from unknown or dubious sources, right?
So, my understanding is that this vulnerability is more a threat for unmanaged desktops, typically the home PC where the admin-owner-user downloads and tests stuff from ...various places :-)
Did I miss something here?
It is a little more complicated. If you read the full article at the start of the other thread it explains the entire problem fairly well.
____
IMO the real question is not when will it be fixed (because honestly if anyone is overly concerned they should update their own kernel immediately and not wait for someone else to do it) but why was it swept under the rug for so many years. That part freaks me out a little because I honestly didn't think linux kernel developers would do such a thing... I am hoping I don't know the whole story and that there was good reason...
If I understand correctly the vulnerability, it has to be triggered by a malicious executable, right?
It is a little more complicated. If you read the full article at the start of the other thread it explains the entire problem fairly well.
Please help me understand what "is a little more complicated". I read the cited article (and several others describing the vulnerability in detail). I think that I understand the mechanism of the vulnerability.
What I also understand is that the vulnerability has to be triggered by a malicious executable, right?
Do you manage servers? Do you assume that they already contain such a malicious executable? Or that they can load and execute one?
Distribution: Slackware64-current on Thinkpad Carbon X1
Posts: 264
Quote:
Originally Posted by philanc
Please help me understand what "is a little more complicated". I read the cited article (and several others describing the vulnerability in detail). I think that I understand the mechanism of the vulnerability.
What I also understand is that the vulnerability has to be triggered by a malicious executable, right?
Do you manage servers? Do you assume that they already contain such a malicious executable? Or that they can load and execute one?
Sorry.. I wasn't implying you didn't read or understand the article. I should have explained that part better.
I do manage a slackware server at a college. From what I understand a person with 'user' privileges sitting at a terminal could use this exploit. I will be 100 percent honest here and say that the more I read the more complicated and unlikely it seems...
There is also talk of other devices such as android phones possibly being exploited. Like I said I am only going by what I am reading and by no means an expert. It does look like it will be a headache for a lot of people in the coming weeks/months.
Distribution: LFS 9.0 Custom, Merged Usr, Linux 4.19.x
Posts: 616
Quote:
Originally Posted by slackb0t
Sorry.. I wasn't implying you didn't read or understand the article. I should have explained that part better.
I do manage a slackware server at a college. From what I understand a person with 'user' privileges sitting at a terminal could use this exploit. I will be 100 percent honest here and say that the more I read the more complicated and unlikely it seems...
There is also talk of other devices such as android phones possibly being exploited. Like I said I am only going by what I am reading and by no means an expert. It does look like it will be a headache for a lot of people in the coming weeks/months.
I can't speak for this particular vulnerability. But, assuming someone is at a login prompt, has a target and a plan, they don't even need a login if they know what they're doing. If you're interested in a more complete understanding, this video is good.
Sorry.. I wasn't implying you didn't read or understand the article. I should have explained that part better.
(...) There is also talk of other devices such as android phones possibly being exploited. Like I said I am only going by what I am reading and by no means an expert. It does look like it will be a headache for a lot of people in the coming weeks/months.
No big deal. I was also pissed by how media can pick up one vulnerability among many and make big dramatic statements about it.
This one has many good ingredients: a catchy name, a fun logo, Linus let it go for 11 years, your toaster can be pwned at any time now, blah blah...
From the El Reg article cited in the other thread:
Quote:
Unfortunately, builds of the vulnerable kernel at the heart of countless millions of routers, Internet-of-Things gadgets and other embedded devices remain vulnerable – and many will be difficult to patch. Most people won't even know they've got a security risk sitting next to them at home.
If a hacker can execute a malicious program in your home router, he is probably already root and doesn't need the exploit!
OTOH for Android, if the vulnerability works on it, it is a bigger deal. A rogue app, even with no or few permissions, could root your phone... And not everybody did patch their Android kernel on October 21st.
This sort of thing is the reason I don't outright recommend slackware, even though it's the only distribution I'd use myself for my main OS. I couldn't tell my arch-using brother to switch over if I'd have to add the caveat “Oh, and by the way, don't expect security patches in a timely manner, you'll have to check forums and the obfuscated kernel changelog and fix those things yourself”. As much as I want to view slackware as a system that you set-it-up-once-and-forget-about-it, it ain't, not until security updates are consistently provided. Preferably with a delay inversely correlated to the severity of the issue.
I've found Slackware to be very timely with security updates.
Wordpress? Joomla? Drupal? They all have awful, terrible reputations for insecurity. Any fool knows that the only way to run Wordpress and stay sane is to have somebody else do it for you.
Among many other things, I'm running a few Wordpress installations for a few clients as well as for myself. I concur that a box running nothing is much more secure.
My $0.02... if you can't learn and do for yourself, such as build your own kernel, patch your own packages, then you have no business using any version of GNU/Linux as a user or administrator of any system or network.
So Patrick hasn't released a patch within Slackware yet Darth, you have the ability to do it yourself, as the old saying goes...
My $0.02... if you can't learn and do for yourself, such as build your own kernel, patch your own packages, then you have no business using any version of GNU/Linux as a user or administrator of any system or network
Although I've upgraded my systems manually, I do think that a patch should be issued for this. It's just not something that you want lying around in your system. Interesting to note that grsec catches this one though.
I am just an old man who likes computers and Linux. I have had no formal training and most of the time have no idea what I am doing BUT I just compiled and switched over to linux-4.4.27
Was able to compile kernels years ago but now recall nothing of that experience so had to start from scratch.
Thanks to Alien Bob for his instructions in the Slackware Book
Although I've upgraded my systems manually, I do think that a patch should be issued for this. It's just not something that you want lying around in your system. Interesting to note that grsec catches this one though.
Like anything the patch will come soon enough, but for now, anyone can do this themselves. You can wait for Patrick to add the patch officially, or you can add it yourself and not have to wait. Of course common sense should tell you, you should do it yourself.
Perhaps you may also be uninformed about the difference between polite and informed questions and arrogant demands.
I am from a similar part of the world (if they are indeed Romanian) and I can say that we are more direct which doesn't translate well into some other cultures where you need to be a bit more "flowery". Not saying the OP wasn't being demanding, or that this attitude would be appropriate otherwise but I generally give people the benefit of the doubt when they're from a different culture, speaking in a language that isn't their native tongue.