NILFS or NILFS2 (New Implementation of a Log-structured File System) is a log-structured file system implementation for the Linux kernel. It was developed by Nippon Telegraph and Telephone Corporation (NTT) CyberSpace Laboratories and a community from all over the world. NILFS was released under the terms of the GNU General Public License (GPL).
"NILFS is a log-structured file system, in that the storage medium is treated like a circular buffer and new blocks are always written to the end.[…]Log-structured file systems are often used for flash media since they will naturally perform wear-leveling;[…]NILFS emphasizes snapshots. The log-structured approach is a specific form of copy-on-write behavior, so it naturally lends itself to the creation of file system snapshots. The NILFS developers talk about the creation of "continuous snapshots" which can be used to recover from user-initiated file system problems[…]."[2]
Using a copy-on-write technique known as a log-structured file system, NILFS records all data in a continuous log-like format that is only appended to, never overwritten, an approach that is designed to reduce seek times, as well as minimize the kind of data loss that occurs after a crash with conventional file systems. For example, data loss occurs on ext3 file systems when the system crashes during a write operation. When the system reboots, the journal notes that the write did not complete, and any partial data writes are lost.
Syncthing Debian/Ubuntu Packages
Linux Mint 22 "Wilma" debuted late last week and holds on to the crown as the most sensible choice if you're looking to move across from Windows.
In the third part of the Bash Beginner Series, you'll learn to pass arguments to a bash shell script. You'll also learn about special bash shell variables.
Upgrading to Debian 12 is a relatively straightforward process.
If you hit any error, visit the Upgrades from Debian 11 (bullseye) page, which covers the known issues that might happen during an upgrade to Debian 12.
Upgrading from Debian 10 to Debian 11 is a relatively easy and painless process.
If you hit any error, visit the Release Notes for Debian 11 (bullseye) page, which covers the known issues that might happen during an upgrade to Debian 10 bullseye.
FreeBSD is a well-known server platform and a free and open-source Unix-like operating system derived from the Berkeley Software Distribution (BSD). FreeBSD is an OS designed to power contemporary servers, PCs, and embedded systems.
BSD is an abbreviation for "Berkeley Software Distribution". It is the moniker given to source code releases from the University of California, Berkeley that were initially enhancements to AT&T's Research UNIX® operating system. Multiple open-source operating system projects are based on the 4.4BSD-Lite edition of this source code. In addition, they include a variety of packages from other Open Source projects, the GNU project in particular.
Full system compromise possible by peppering servers with thousands of connection requests. //
The severity of the threat posed by exploitation is significant, but various factors are likely to prevent it from being mass exploited, security experts said. For one, the attack can take as long as eight hours to complete and require as many as 10,000 authentication steps, Stan Kaminsky, a researcher at security firm Kaspersky, said. The delay results from a defense known as address space layout randomization, which changes the memory addresses where executable code is stored to thwart attempts to run malicious payloads.
Other limitations apply. Attackers must also know the specific OS running on each targeted server. So far, no one has found a way to exploit 64-bit systems since the number of available memory addresses is exponentially higher than those available for 32-bit systems. Further mitigating the chances of success, denial-of-service attacks that limit the number of connection requests coming into a vulnerable system will prevent exploitation attempts from succeeding. //
The vulnerability affects the following:
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach. //
Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday. //
A 47-page report summarizing Ebury's 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac. //
There is no indication that either infection resulted in tampering with the Linux kernel source code.
ranthog Ars Tribunus Angusticlavius
numerobis said:
I was assuming the real-time stuff (e.g. TACC's control loop) was on a separate real-time OS, since it doesn't get affected when the user-mode apps go bonkers. Are they using a real-time linux for that?
You can run a non-real time process, such as an OS, on top of a real time OS. The underlying hypervisor layer is the effective real time OS and safety related stuff is handled down at that layer, and it is likely a fully real time OS in addition to a virtualization environment. //
Numfuddle Ars Scholae Palatinae
Rauth85 said:
Hmm surprised none of the current systems would be using nix.
Most use Linux for Non-Safety critical systems (like parts of the infotainment) and QNX for safety. Usually they also use separate MCUs or cores for the vehicle bus systems that run dedicated low level real time OS kernels (like MicroSAR from Vector Informatik or TresosOS from elektrobit). Tesla is no exception here.
The ability to use Linux for high end safety and non-safety SW (i.e. ASIL certified safety) is novel. It hasn't been done before because it's both hard to certify an OS with as many lines of code as Linux for ISO 26262 and it's also a moving target. As soon as you add a change you would have to re-certify the whole system again and again and again.
If the claims of Elektrobit are true they have now solved the certification issue as well as the ISO 26262 hardening of the SW stack which makes Linux ready for ASIL rated systems without running years old kernels and the respective security issues.
One does not simply suggest changing a kernel line to help out a parsing tool. //
Cloudgazer Ars Tribunus Angusticlavius
Syntactic sugar causes cancer of the semi-colon - Alan Perlis. //
DJ Farkus Ars Centurion
Tabs or spaces: flexible, don't care.
Tabs of 2, 4, 8, whatever: flexible, don't care
But ask me to use a language where whitespace is syntax (eg, python) and we will have sharp words.
An A-Z Index of the Linux command line: bash + utilities.
A here document is a block of text or code which is redirected to an interactive program or a command.
#!/bin/bash
Command <<MyUniqueLimitString
some text
some more text
MyUniqueLimitString
The above is equivalent to Command < tempfile.txt where the tempfile contains the text required.
EOF and END are often chosen as the MyUniqueLimitString but any string can be used as long as it does not appear within the here document text.
The - option to mark a here document limit string (<<-LimitString) will suppress leading tabs (but not spaces) in the output. This allows the use of indentation (with tabs) when writing here-documents in shell scripts making them more readable.
Here documents can also be used to supply values to variables or functions.
Understanding Linux file permissions (how to find them, read them, and change them) is an important part of maintaining and securing your systems.
Getting permissions in Linux can sometimes be a 'sticky' situation. Learn how to set the appropriate permissions, even in special circumstances.
chmod changes the permissions of each given file according to mode, where mode describes the permissions to modify.
Mode can be specified with octal numbers or with letters. //
Equivalent Windows command: CACLS - Change file permissions.
mustached-dog Seniorius Lurkius
Interestingly enough, "Jia Tan" is very close to 加蛋 in Mandarin, meaning "to add an egg". Unlikely to be a real name or a coincidence. //
choco bo Ars Praetorian
Performance hit is quite substantial, actually. I have no doubt that this thing would have been detected, eventually. However, it might have happened months from now. Then it would have been everywhere already.
But this is a good thing. A very good thing, actually.
There have been discussions about supply chain attacks, for years. Decades, actually. We used to call it "poisoning the well" many years ago. But no matter how much we talk about it, it was all theoretical. I mean, people even assumed that compilers have been backdoored many years ago. But no one was going to spend this much effort just to show that it was possible and to make people accept the possibility. So not much was really done about it.
Until now.
Now we are already seeing changes being made to OpenSSH that would not have been possible a few months ago. Native systemd notification integration is already being developed (since 30th of March), so no need for libsystemd linking anymore. It will take some time to get integrated but it will happen. We are seeing people understanding that there is absolutely no need to have binary blobs in source repositories (except rare cases, of course, but those are going to be audited even more now). Checking source repositories against tarballs has been done before, many times. But obviously it wasn't good enough or often enough. That will change as well. People being dicks to maintainers are going to get greeted with "go fuck yourself" now, without a second thought. It will be extreme but it will be safer. For eternity I was terrified of compiling software myself because every time I invoked "./configure ..." I would think "fuck knows what is going on there right now". I did occasionally check scripts, I would grep for unexpected things but I was aware I'd never detect a very skilled attacker, like this one. Now there is going to be much more checking of autoconf/make/CMake/etc files in source repos. It won't be easy to detect things, but it will be easier. More eyes will be put on sources. For example, I am going to pick a random smaller project and just read the commit history, look for oddities, etc. Not because I expect to find something but I want to see what else should be looked at, etc. Eventually, I might end up with a toolset that might help speed this process up. So there will be at least one more set of eyes looking at sources. I imagine that companies/organizations with more resources are going to put tons of effort into automating all this. So yeah, xz backdoor is actually a good thing, in a very bizarre way.
Also, I can't hunt all the references at the moment but I believe it was the certificate (not the SSH key) that is used as a vector of attack, because certs are checked early and no configuration options will disable that check, while it wouldn't be the case with keys. A change to OpenSSH has already been suggested so OpenSSH will only get more secure because of this and one less vector of attack is now available.
Amount of skill and time/effort invested in this is mind blowing. I don't think people outside security really comprehend the skill/time involved here, this was insanely well executed attack. My first thought was "This had to be TURLA" because it was insanely smart and whoever did this had lots of patience. This does not (and will not) happen often.
So yeah, we were incredibly lucky that a Postgres developer caught it early.
However, it is mind blowing how many times security incidents have been detected by looking at CPU/RAM usage on systems, it is really no surprise that this is how xz backdoor got detected.
Malicious code planted in xz Utils has been circulating for more than a month. //
GolbatsEverywhere
This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now. //
dwrd Ars Tribunus Militum
Big oof, after reading the commit messages, I'm going to have to assume they owed some bad people a lot of money, or they had an involuntary sleepover at an undisclosed location with several ill-tempered fellows from the state secret police agency. //
This could have made it into a lot more places had they not been doing benchmarking at just the right time.
Milliseconds. About 500 milliseconds. That's what started him down the rabbit hole. He was bothered by a half-second hiccup in an ssh connection refusal. //
crepuscularbrolly Ars Scholae Palatinae
Andres Freund's post on OpenWall indicates the backdoor is only injected if:
- targeting only x86-64 linux
- Building with gcc and the gnu linker
- Running as part of a debian or RPM package build
But, better safe than sorry.
In this article, you will learn how to reset the root password of your Dedicated Server (Linux) using the rescue system.
Also known as the Y2K38 Bug, The Unix Y2K Bug or Epochalypse
The year 2038 problem is a problem caused by how some software systems store dates. When these dates reach 1 second after 03:14:07 UTC on 19 January 2038, they could produce an error or store the wrong date (in some cases 20:45:52 on Friday, 13 December 1901).