507 private links
A here document is a block of text or code which is redirected to an interactive program or a command.
#!/bin/bash
Command <<MyUniqueLimitString
some text
some more text
MyUniqueLimitString
The above is equivalent to Command < tempfile.txt where the tempfile contains the text required.
EOF and END are often chosen as the MyUniqueLimitString but any string can be used as long as it does not appear within the here document text.
The - option to mark a here document limit string (<<-LimitString) will suppress leading tabs (but not spaces) in the output. This allows the use of indentation (with tabs) when writing here-documents in shell scripts making them more readable.
Here documents can also be used to supply values to variables or functions.
Understanding Linux file permissions (how to find them, read them, and change them) is an important part of maintaining and securing your systems.
Getting permissions in Linux can sometimes be a 'sticky' situation. Learn how to set the appropriate permissions, even in special circumstances.
chmod changes the permissions of each given file according to mode, where mode describes the permissions to modify.
Mode can be specified with octal numbers or with letters.
Equivalent Windows command: CACLS - Change file permissions.
mustached-dog
Interestingly enough, "Jia Tan" is very close to 加蛋 in Mandarin, meaning "to add an egg". Unlikely to be a real name or a coincidence.
choco bo
Performance hit is quite substantial, actually. I have no doubt that this thing would have been detected, eventually. However, it might have happened months from now. Then it would have been everywhere already.
But this is a good thing. A very good thing, actually.
There have been discussions about supply chain attacks, for years. Decades, actually. We used to call it "poisoning the well" many years ago. But no matter how much we talk about it, it was all theoretical. I mean, people even assumed that compilers have been backdoored many years ago. But no one was going to spend this much effort just to show that it was possible and to make people accept the possibility. So not much was really done about it.
Until now.
Now we are already seeing changes being made to OpenSSH that would not have been possible a few months ago. Native systemd notification integration is already being developed (since 30th of March), so no need for libsystemd linking anymore. It will take some time to get integrated but it will happen. We are seeing people understanding that there is absolutely no need to have binary blobs in source repositories (except rare cases, of course, but those are going to be audited even more now). Checking source repositories against tarballs has been done before, many times. But obviously it wasn't good enough or often enough. That will change as well. People being dicks to maintainers are going to get greeted with "go fuck yourself" now, without a second thought. It will be extreme but it will be safer. For eternity I was terrified of compiling software myself because every time I invoked "./configure ..." I would think "fuck knows what is going on there right now". I did occasionally check scripts, I would grep for unexpected things but I was aware I'd never detect a very skilled attacker, like this one. Now there is going to be much more checking of autoconf/make/CMake/etc files in source repos. It won't be easy to detect things, but it will be easier. More eyes will be put on sources. For example, I am going to pick a random smaller project and just read the commit history, look for oddities, etc. Not because I expect to find something but I want to see what else should be looked at, etc. Eventually, I might end up with a toolset that might help speed this process up. So there will be at least one more set of eyes looking at sources. I imagine that companies/organizations with more resources are going to put tons of effort into automating all this. So yeah, the xz backdoor is actually a good thing, in a very bizarre way.
Also, I can't hunt all the references at the moment but I believe it was the certificate (not the SSH key) that is used as a vector of attack, because certs are checked early and no configuration options will disable that check, while it wouldn't be the case with keys. A change to OpenSSH has already been suggested so OpenSSH will only get more secure because of this and one less vector of attack is now available.
The amount of skill and time/effort invested in this is mind blowing. I don't think people outside security really comprehend the skill/time involved here, this was an insanely well executed attack. My first thought was "This had to be TURLA" because it was insanely smart and whoever did this had lots of patience. This does not (and will not) happen often.
So yeah, we were incredibly lucky that a Postgres developer caught it early.
However, it is mind blowing how many times security incidents have been detected by looking at CPU/RAM usage on systems, it is really no surprise that this is how xz backdoor got detected.
Malicious code planted in xz Utils has been circulating for more than a month.
GolbatsEverywhere
This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now.
dwrd
Big oof, after reading the commit messages, I'm going to have to assume they owed some bad people a lot of money, or they had an involuntary sleepover at an undisclosed location with several ill-tempered fellows from the state secret police agency.
This could have made it into a lot more places had they not been doing benchmarking at just the right time.
Milliseconds. About 500 milliseconds. That's what started him down the rabbit hole. He was bothered by a half-second hiccup in an ssh connection refusal.
crepuscularbrolly
Andres Freund's post on OpenWall indicates the backdoor is only injected if:
Targeting only x86-64 Linux
Building with gcc and the GNU linker
Running as part of a Debian or RPM package build
But, better safe than sorry.
In this article, you will learn how to reset the root password of your Dedicated Server (Linux) using the rescue system.
Also known as the Y2K38 Bug, The Unix Y2K Bug or Epochalypse
The year 2038 problem is caused by how some software systems store dates. When these dates reach 1 second after 03:14:07 UTC on 19 January 2038, they could fail or store the wrong date (in some cases 20:45:52 on Friday, 13 December 1901).
Buffer overflow in bootloader shim allows attackers to run code each time devices boot up.
The risk of successful exploitation is mostly limited to extreme scenarios, as noted earlier. The one scenario where exploitation is most viable—when devices receive boot images over an unencrypted HTTP server—is one that should never happen in 2024 or the past decade, for that matter.
That said, the harm from successful exploitation is serious and is the reason for the severity rating of 9.8 out of a possible 10. People should install patches promptly once they become available.
You should avoid symlinks; they can make nasty bugs appear... one day. And they are very hard to debug.
Use mount --bind:
# as root
cp -a /root /home/
echo "" >> /etc/fstab
echo "/home/root /root none defaults,bind 0 0" >> /etc/fstab
# do it now
cd / ; mv /root /root.old; mkdir /root; mount -a
It will be done at every reboot, which you should do now if you want to catch errors soon.
Better to use rsync -a /root /home/ instead of cp -a because cp will not copy hidden files.
I wish I had learned the things I have been learning in prison about talking through problems, and believing I can talk through problems and doing it, before I had married or joined the LKML. I hope that day when they teach these things in Elementary School comes.
I thank Richard Stallman for his inspiration, software, and great sacrifices,
It has been an honor to be of even passing value to the users of Linux. I wish all of you well.
These are called shell operators and yes, there are more of them. I will give a brief overview of the most common among the two major classes, control operators and redirection operators, and how they work with respect to the bash shell.
The world of Linux is a vast one. Everyone in the tech world has at least come in contact with Linux, but not always FreeBSD. Join us on a journey of discovery from Linux to FreeBSD.
When it comes to choosing a firewall technology for your operating system, the options can be overwhelming. This is particularly true for Linux and FreeBSD, which offer multiple choices. In this article, we’ll take a closer look at four of the most popular firewall options for both systems: iptables, nftables, ipfw, and pf, to help you make an informed decision.
So here’s our contribution to the effort: this article is essentially a four-way comparison of iptables, nftables, IPFW and PF.
Extended Long Term Support for Debian
Freexian extends security support for old Debian releases up to 10 years, albeit only on the subset of packages used by the customers of this service. Click here to learn more.
The Linux Foundation has released their 2023 Annual Report... and it is an absolute doozy.
The first big headline?
As of 2023, The Linux Foundation now spends just 2% -- that's two percent -- of their revenue on their namesake: The Linux Kernel.
Your eyes do not deceive you.
- Linux : 2%
- Blockchain : 4%
- A.I. : 12%
While it's true that The Linux Foundation continues to grow substantially -- now bringing in over a quarter of a Billion dollars per year (seriously) -- the total amount spent on the Linux kernel dropped roughly $400,000 in 2023. (Not surprising, as The Lunduke Journal previously pointed out that lowering the total support of Linux appeared to be the goal.)
Linux doesn't have to be for nerds only.
- sl: Full Steam Ahead
- CMatrix: Enter the Matrix
- aafire: ASCII Art Fireworks
- oneko: A Playful Desktop Pet
- xeyes: Watch the Eyeballs
- espeak: Let Your Computer Speak Up
- yes: The Ultimate Affirmation
- rig: Generate Virtual Identities
- asciiquarium: Under the Sea
- toilet: Text Art Banners
- Toying With the Linux Terminal
A dispute between a prominent open-source developer and the maker of software used to manage Linux kernel development has forced Linux creator Linus Torvalds to embark on a new software project of his own. The new effort, called "git," began last week after a licensing dispute forced Torvalds to abandon the proprietary BitKeeper software he had used since 2002 to manage Linux kernel development.
The conflict touches on the difference between open-source developers who view Linux's open, collaborative approach as a technically superior way to build software and advocates of free software who see the ability to access and change source code as fundamental freedom.
As a result of the dispute, Torvalds is now working with other Linux developers to create software that can quickly make changes to 17,000 files that make up the Linux kernel, the central component of the Linux operating system. "Git, to some degree, was designed on the principle that everything you ever do on a daily basis should take less than a second," Torvalds said in an e-mail interview.
Reproducible
Nix builds packages in isolation from each other. This ensures that they are reproducible and don't have undeclared dependencies, so if a package works on one machine, it will also work on another.
Declarative
Nix makes it trivial to share development and build environments for your projects, regardless of what programming languages and tools you’re using.
Reliable
Nix ensures that installing or upgrading one package cannot break other packages. It allows you to roll back to previous versions, and ensures that no package is in an inconsistent state during an upgrade.
Use the -prune primary. For example, if you want to exclude ./misc:
find . -path ./misc -prune -o -name '*.txt' -print
To exclude multiple directories, OR them between parentheses.
find . -type d \( -path ./dir1 -o -path ./dir2 -o -path ./dir3 \) -prune -o -name '*.txt' -print
And, to exclude directories with a specific name at any level, use the -name primary instead of -path.
find . -type d -name node_modules -prune -o -name '*.json' -print
This didn't work for me until I prefixed my local path with ./, e.g. ./name. This distinction for find might not be obvious to the occasional find user. – sebkraemer
There is clearly some confusion here as to what the preferred syntax for skipping a directory should be.
GNU Opinion
To ignore a directory and the files under it, use -prune
From the GNU find man page
Reasoning
-prune stops find from descending into a directory. Just specifying -not -path will still descend into the skipped directory, but -not -path will be false whenever find tests each file.
Issues with -prune
-prune does what it's intended to, but there are still some things you have to take care of when using it.
1. find prints the pruned directory.
TRUE. That's intended behavior, it just doesn't descend into it. To avoid printing the directory altogether, use a syntax that logically omits it.
2. -prune only works with -print and no other actions.
NOT TRUE. -prune works with any action except -delete. Why doesn't it work with delete? For -delete to work, find needs to traverse the directory in DFS order, since -delete will first delete the leaves, then the parents of the leaves, etc... But for specifying -prune to make sense, find needs to hit a directory and stop descending it, which clearly makes no sense with -depth or -delete on.
My example:
find -s . -path "./C*" -prune -o -name '*' -type d -maxdepth 2 -print