mjg59

@mjg59@nondeterministic.computer

Former biologist. Actual PhD in genetics. Security at https://aurora.tech, OS security teaching at https://www.ischool.berkeley.edu. Blog: https://mjg59.dreamwidth.org. He/him.


mjg59, to random

My annual plea for a thing: I want a type 1 hypervisor that just has a small isolated VM and then passes through the rest of the hardware to the main VM which runs Linux. The small VM is intended to be used to run small pieces of code that the main OS should not be able to interfere with. Does such a thing exist? (Think Xen, but with a Dom0 that can't see into DomUs)

pippin, to random

For a minute the last line made me doubt myself. But a quick test and no, I did remember right: at least on ext*, permissions are stored in the inode.

mjg59,

@pippin apparmor MAC decisions are based on path, not inode

mjg59, to random

I love it when I can just dump some RE notes on reddit and then someone writes an actually working library https://github.com/GoneUp/mask-go

mjg59, to random

I'll be at Bsides SF this weekend, if anyone wants to say hi

mjg59, (edited) to random

STOP DOING HARDLINKS

INODES WERE NOT MEANT TO EXIST IN MULTIPLE DIRECTORIES

YEARS OF FILES yet NO REAL-WORLD USE FOUND for being in more than one directory

Wanted to reference files from more than one directory anyway? We had a tool for that: it was called "SYMLINKS"

"Yes please give me FIFTEEN paths that this file resolves to" - Statements dreamed up by the utterly Deranged

"Hello I would like different permissions on this file based on path" They have played us for absolute fools

mjg59,

@cate Maybe our tooling should be better

mjg59,

@wjt Oh no

mjg59, to random

The idea that an inode has no idea which directory it's associated with was a mistake and I will take no questions

mjg59,

Seriously if I had a time machine and the ability to influence unix design this would be way up my fucking list

mjg59,

@maswan Yes that's the problem

mjg59,

@leftpaddotpy The abstract sockets interface fucking sucks but at least it doesn't tend to bleed into anything else you want to do that's good

mjg59,

@lkundrak Weird spelling can be worked around, filesystem semantics are forever

mjg59,

@maswan Do they need to be hardlinks, or would symlinks be sufficient there?

mjg59,

@leftpaddotpy Linux allows fds to exist without filesystem access, software running on Linux kind of has to take that into account

mjg59,

@leftpaddotpy To be fair a lot of Unix is surprising behaviour

mjg59,

@rfc6919 Probably no hardlinks

mjg59,

@kithrup @rfc6919 opened-but-unlinked don't cause problems here, the two main issues are that you can't apply security policy based on path (one file may exist in multiple paths) and you can't look for notifications based on parent directory (if files have no canonical parent, how do you know to notify on modification?)
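The two problems named in this reply, and the earlier exchange about permissions living in the inode while AppArmor decides by path, as an added example that is not part of the thread. It builds a hard-linked pair in a temporary directory (constructed sample, nothing from a real system), confirms that mode bits are shared because they belong to the inode, and contrasts a path-prefix rule with a rule keyed on (st_dev, st_ino).

```python
import os
import stat
import tempfile

def make_hardlinked_pair(root):
    """Create root/protected/secret plus a hard link to it at root/public/alias."""
    protected, public = os.path.join(root, "protected"), os.path.join(root, "public")
    os.makedirs(protected)
    os.makedirs(public)
    original, alias = os.path.join(protected, "secret"), os.path.join(public, "alias")
    with open(original, "w") as f:
        f.write("constructed sample content\n")
    os.link(original, alias)  # second directory entry pointing at the same inode
    return original, alias

def path_policy_allows_write(path, protected_dir):
    """AppArmor-style rule: deny writes by path prefix; it knows nothing about inodes."""
    return not os.path.abspath(path).startswith(os.path.abspath(protected_dir) + os.sep)

def inode_policy_allows_write(path, protected_inodes):
    """Rule keyed on (st_dev, st_ino): every name for the object is covered."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino) not in protected_inodes

def demo():
    with tempfile.TemporaryDirectory() as root:
        original, alias = make_hardlinked_pair(root)
        protected_dir = os.path.dirname(original)
        # Mode bits live in the inode: a chmod through one name shows through the other.
        os.chmod(original, 0o600)
        st, st_alias = os.stat(original), os.stat(alias)
        protected_inodes = {(st.st_dev, st.st_ino)}
        return {
            "same_inode": (st.st_dev, st.st_ino) == (st_alias.st_dev, st_alias.st_ino),
            "link_count": st.st_nlink,
            "mode_via_alias": stat.S_IMODE(st_alias.st_mode),
            # (original, alias): the path rule lets the alias through, the inode rule does not
            "path_policy": (path_policy_allows_write(original, protected_dir),
                            path_policy_allows_write(alias, protected_dir)),
            "inode_policy": (inode_policy_allows_write(original, protected_inodes),
                             inode_policy_allows_write(alias, protected_inodes)),
        }

if __name__ == "__main__":
    print(demo())
```

The same identity problem applies to directory watches: a watch on `protected/` has no way to learn about writes that arrive through `public/alias`, because the inode carries no record of either parent.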

pid_eins, to random

9️⃣ Here's the 9th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am sure you are aware of systemd-nspawn, systemd's minimal container manager focussed on full OS containers, that can boot up a Linux image from an OS in a disk image or from a directory. systemd-nspawn was originally a development tool, to make it easy for us to develop the service manager without constantly having to reboot.

Nowadays it's a lot more than that, …

mjg59,

@pid_eins My LSS EU talk last year gave us a way to make per-process TPM values, in theory this could be extended to per-container

mjg59, to random

I am, once again, attempting to figure out how the fuck Okta's API actually works

mjg59,

@ljrk I mean it's possible to enroll MFA tokens so I guess?

mjg59,

@kfh I've already figured out how Fastpass works, this should be trivial in comparison but

mjg59,

@plambrechtsen I've already got the session token but the documented APIs want an API token (no) and the web flow uses undocumented Identity Engine endpoints

mjg59,

@plambrechtsen Direct experience is that a lot of it doesn't work with normally scoped OIDC tokens, it's more aimed at different flows

mjg59,

@plambrechtsen I literally can't open an external browser because of how Apple handles hardware backed key ownership

mjg59, to random

One of the problems here is that the SSH agent protocol doesn't include the host that's being authenticated to in the request. In theory we could implement an SSH agent that popped up a request asking you to agree to the request before signing - but it has no way of knowing who it's signing on behalf of, because the protocol doesn't include the destination
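What a confirming agent actually gets to look at, as an added example that is not part of the post. It builds a constructed SSH_AGENTC_SIGN_REQUEST with the publickey userauth blob laid out as in RFC 4252 section 7 and the agent protocol draft (draft-miller-ssh-agent), then parses it back with bounds checks; every recovered field is listed so the absence of any destination host is visible. The key blob, session id and username are constructed sample values.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13   # agent protocol (draft-miller-ssh-agent)
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252

def put_string(b):
    return struct.pack(">I", len(b)) + b

def build_sign_request(key_blob, session_id, username, algorithm, flags=0):
    """Constructed sample of what ssh hands the agent for publickey userauth (RFC 4252 s.7)."""
    to_sign = (put_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
               + put_string(username.encode()) + put_string(b"ssh-connection")
               + put_string(b"publickey") + b"\x01"  # boolean TRUE: a signature follows
               + put_string(algorithm.encode()) + put_string(key_blob))
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(to_sign) + struct.pack(">I", flags))
    return put_string(body)  # every agent message is itself length-prefixed

class Reader:
    def __init__(self, buf):
        self.buf, self.off = buf, 0
    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated or malformed message")  # lengths come from the peer
        chunk, self.off = self.buf[self.off:self.off + n], self.off + n
        return chunk
    def byte(self):
        return self.take(1)[0]
    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]
    def string(self):
        return self.take(self.uint32())

def parse_sign_request(wire):
    """Every field a confirming agent could show the user; none of them names the remote host."""
    msg = Reader(Reader(wire).string())
    if msg.byte() != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    msg.string()  # key blob: says which key to sign with, not where the signature goes
    data = Reader(msg.string())
    flags = msg.uint32()
    return {
        "session_id": data.string().hex(),  # KEX hash: opaque, the agent cannot map it to a host
        "msg_type": data.byte(),
        "username": data.string().decode(),
        "service": data.string().decode(),
        "method": data.string().decode(),
        "has_signature": bool(data.byte()),
        "algorithm": data.string().decode(),
        "flags": flags,
    }
```

The session id is bound to the server's host key through the key exchange, but only the client can verify that binding; the agent sees a hash and has nothing to compare it with.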

mjg59,

@faidon …oh gosh I did read about that and then entirely forgot! I think just giving the server key back makes it hard to do confirmation notification if you're using hashed entries in known_hosts?

mjg59, (edited) to random

I'm sure this is general knowledge but anyway: never enable SSH agent forwarding by default if you log into any systems that you don't trust 100%. It gives whoever has root on that system the ability to log into anything else your SSH agent can connect to. Either explicitly pass -A or add host entries to ~/.ssh/ssh_config to enable it for the scenarios you need it.

mjg59,

@jomo In my case, providing a tunneling mechanism back to the local system so I can use local WebAuthn tokens to satisfy queries triggered on the remote machine
