
mjg59

@mjg59@nondeterministic.computer

Former biologist. Actual PhD in genetics. Security at https://aurora.tech, OS security teaching at https://www.ischool.berkeley.edu. Blog: https://mjg59.dreamwidth.org. He/him.

mjg59, (edited) to random

STOP DOING HARDLINKS

INODES WERE NOT MEANT TO EXIST IN MULTIPLE DIRECTORIES

YEARS OF FILES yet NO REAL-WORLD USE FOUND for being in more than one directory

Wanted to reference files from more than one directory anyway? We had a tool for that: it was called "SYMLINKS"

"Yes please give me FIFTEEN paths that this file resolves to" - Statements dreamed up by the utterly Deranged

"Hello I would like different permissions on this file based on path" They have played us for absolute fools
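An added demonstration, not part of the post, of the semantics it is complaining about: a hardlink is just a second directory entry for the same inode, so permission bits cannot differ per path and removing one name does not remove the data. It uses only the standard library and a throwaway temporary directory.

```python
import os
import stat
import tempfile

def demo_hardlink(base_dir: str) -> dict:
    """Create a file in one directory, hardlink it into another, and record
    what each path can observe. Runs entirely inside base_dir (constructed)."""
    dir_a = os.path.join(base_dir, "a")
    dir_b = os.path.join(base_dir, "b")
    os.makedirs(dir_a)
    os.makedirs(dir_b)
    path_a = os.path.join(dir_a, "secret.txt")
    path_b = os.path.join(dir_b, "alias.txt")
    with open(path_a, "w") as f:
        f.write("same bytes, same inode\n")
    os.chmod(path_a, 0o600)

    os.link(path_a, path_b)  # second directory entry pointing at the same inode
    st_a, st_b = os.stat(path_a), os.stat(path_b)

    # Permission bits live on the inode, not on the path: a chmod through
    # one name is immediately visible through the other.
    os.chmod(path_b, 0o644)
    mode_via_a = stat.S_IMODE(os.stat(path_a).st_mode)

    # Unlinking the "original" name only drops the link count; the data stays
    # reachable through the other directory, which the inode knows nothing about.
    os.unlink(path_a)
    with open(path_b) as f:
        data_via_b = f.read()

    return {
        "same_inode": st_a.st_ino == st_b.st_ino,
        "nlink_after_link": st_b.st_nlink,
        "mode_via_a_after_chmod_b": mode_via_a,
        "nlink_after_unlink_a": os.stat(path_b).st_nlink,
        "data_via_b_after_unlink_a": data_via_b,
    }

def run() -> dict:
    """Run the demo in a temporary directory on a single filesystem."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo_hardlink(tmp)

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value!r}")
```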

mjg59, to random

The idea that an inode has no idea which directory it's associated with was a mistake and I will take no questions

mjg59,

Seriously if I had a time machine and the ability to influence unix design this would be way up my fucking list

mjg59,

@maswan Yes that's the problem

mjg59,

@leftpaddotpy The abstract sockets interface fucking sucks but at least it doesn't tend to bleed into anything else you want to do that's good

mjg59,

@lkundrak Weird spelling can be worked around, filesystem semantics are forever

mjg59,

@maswan Do they need to be hardlinks, or would symlinks be sufficient there?

mjg59,

@leftpaddotpy Linux allows fds to exist without filesystem access, software running on Linux kind of has to take that into account

mjg59,

@leftpaddotpy To be fair a lot of Unix is surprising behaviour

mjg59,

@rfc6919 Probably no hardlinks

pid_eins, to random

9️⃣ Here's the 9th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am sure you are aware of systemd-nspawn, systemd's minimal container manager focussed on full OS containers, that can boot up a Linux image from an OS in a disk image or from a directory. systemd-nspawn was originally a development tool, to make it easy for us to develop the service manager without constantly having to reboot.

Nowadays it's a lot more than that, …

mjg59,

@pid_eins My LSS EU talk last year gave us a way to make per-process TPM values, in theory this could be extended to per-container

mjg59, to random

I am, once again, attempting to figure out how the fuck Okta's API actually works

mjg59,

Enrolling MFA tokens in Firefox while staring at the network debug console and cutting and pasting into curl trying to figure out what the fuck magic is actually happening here

mjg59,

Begging IdP vendors to actually make it possible to script doing everything that a user can do because I do not want to rely on an API token for this

mjg59,

@ljrk I mean it's possible to enroll MFA tokens so I guess?

mjg59,

@kfh I've already figured out how Fastpass works, this should be trivial in comparison but

mjg59,

@plambrechtsen I've already got the session token but the documented APIs want an API token (no) and the web flow uses undocumented Identity Engine endpoints

mjg59, to random

Refactor code to allow me to call login method from other contexts
Wonder why I'm getting invalid session errors
Realise I'm no longer actually calling the login method

mjg59, to random

Well shit I apparently need to write about agent forwarding

mjg59, to random

One of the problems here is that the SSH agent protocol doesn't include the host that's being authenticated to in the request. In theory we could implement an SSH agent that popped up a request asking you to agree to the request before signing - but it has no way of knowing who it's signing on behalf of, because the protocol doesn't include the destination
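As an added illustration (not code from the post), the following builds and parses an SSH_AGENTC_SIGN_REQUEST exactly as it crosses the agent socket, with the signed data laid out as the RFC 4252 publickey payload. Every name in it is constructed; what matters is the field list the parser returns, which carries the key, the user and the service but nothing naming the server being authenticated to.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13   # agent protocol draft
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def userauth_payload(session_id, user, pkalg, key_blob):
    """Bytes the client asks the agent to sign for publickey auth (RFC 4252 s7)."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(pkalg) + ssh_string(key_blob))

def build_sign_request(key_blob, data, flags=0):
    """Frame an SSH_AGENTC_SIGN_REQUEST as it travels over the agent socket."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return ssh_string(body)

def parse_sign_request(msg):
    """Return every field an agent can recover from a sign request."""
    body, _ = read_string(msg, 0)
    if body[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not an SSH_AGENTC_SIGN_REQUEST")
    key_blob, off = read_string(body, 1)
    data, off = read_string(body, off)
    (flags,) = struct.unpack_from(">I", body, off)
    # 'data' is opaque to the agent protocol; for publickey auth it is the RFC 4252
    # payload, so user and service can be pulled out, but no field names the server.
    session_id, off = read_string(data, 0)
    off += 1  # skip the SSH_MSG_USERAUTH_REQUEST byte
    user, off = read_string(data, off)
    service, off = read_string(data, off)
    return {"key_blob": key_blob, "flags": flags, "session_id": session_id,
            "user": user, "service": service}

# Constructed sample: all values are made up; a real key blob is a public key.
FAKE_KEY = b"ssh-ed25519 constructed-key-blob"
SAMPLE = build_sign_request(
    FAKE_KEY, userauth_payload(b"\x00" * 32, b"alice", b"ssh-ed25519", FAKE_KEY))
if __name__ == "__main__":
    print(sorted(parse_sign_request(SAMPLE)))  # no 'host' among the fields
```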

mjg59,

I unironically love the SSH agent protocol and I have done some terrible things with it at a professional level but I think given what we know now this is now what it would look like if developed again

mjg59,

@azonenberg You're still trusting the remote system to forward to the correct host and for you to notice the key mismatch

mjg59,

@azonenberg (I agree that this is easier)

mjg59,

@jmc someone who has root on the remote server can just fake all of that

mjg59,

@faidon …oh gosh I did read about that and then entirely forgot! I think just giving the server key back makes it hard to do confirmation notification if you're using hashed entries in known_hosts?

mjg59, (edited) to random

I'm sure this is general knowledge but anyway: never enable SSH agent forwarding by default if you log into any systems that you don't trust 100%. It gives whoever has root on that system the ability to log into anything else your SSH agent can connect to. Either explicitly pass -A or add host entries to ~/.ssh/ssh_config to enable it for the scenarios you need it.

mjg59,

@jomo In my case, providing a tunneling mechanism back to the local system so I can use local WebAuthn tokens to satisfy queries triggered on the remote machine
