Comments for codeblog

Comment on facedancer built by Xatru

Xatru — Thu, 24 Jan 2013 21:11:26 +0000

Hi,

I build some of them too. I ordered all the parts on DigiKey, but they are also available at mouser. Here are the P/N:

RES 33 OHM 1/10W 5% 0603 SMD Mouser: 71-CRCW0603-33-E3 DigiKey: RMCF0603JT33R0CT-ND

P.S. If someone need help to build them up, leave me a comment on my blog.

Comment on clean module disabling by daniel

daniel — Sat, 01 Dec 2012 18:22:54 +0000

Hello, last question. You wrote: “And then in /etc/modules (…) put “disable” on the last line. (…)”. Did I have to put ‘disable’ exactly in the /etc/modules file? Do I understand it? So, it should look this way; ‘/etc/modules’ file:

,———–
| (…)
| lp
| snd
| usbhid
| hid
| floppy
| (…)
| disable
`———–

Then, in the created ‘/etc/modprobe.d/disable.conf’ file, I should put;

,———–
| install disable /sbin/sysctl kernel.modules_disabled=1
`———–

That’s all? Sorry for asking again about it, but… I just want to be completly sure.

Best regards, Mr Cook.

Comment on clean module disabling by daniel

daniel — Thu, 29 Nov 2012 19:37:53 +0000

Okay, thank You. It is very smart, you know? Certainly it will increase the level of system security. Maybe you should announce it for example on lwn.net website? ;-)

Comment on clean module disabling by kees

kees — Thu, 29 Nov 2012 19:23:03 +0000

Yup, if you want to use the “disable” alias, you need to define it by creating /etc/modprobe.d/disable.conf and fill it with the contents I mentioned in the post.

Comment on clean module disabling by daniel

daniel — Thu, 29 Nov 2012 19:19:02 +0000

Hello again! Thank you for your contribution to the safety of the Linux. I really appreciate it. One more thing; should I create ‘/etc/modprobe.d/disable.conf’ file? I’m so confused. ;-)

Regards, Mr Cook.

Comment on clean module disabling by kees

kees — Thu, 29 Nov 2012 18:35:44 +0000

Yup! That’s what I did.

Comment on clean module disabling by daniel curtis

daniel curtis — Thu, 29 Nov 2012 16:41:27 +0000

Hello Mr Kees Cook. It is very nice, but I would like to ask a question. You wrote, that in “/etc/modules I can list all the modules I actually need, and then put “disable’(…)” – it is enough to add results of the ‘lsmod’ command? I mean the name of modules, for example, ‘joydev’ or ‘snd_pcm’ modules? So ‘/etc/modules’ file will look more or less in this way;

,—-
| iptable_filter
| (…)
| lp
| joydev
`—-

Is that correct?

Comment on product search in Ubuntu 12.10 by cm-t

cm-t — Mon, 12 Nov 2012 14:20:50 +0000

Hi,

You might want to add your +1 on this bug on launchpad: https://bugs.launchpad.net/ubuntu/+source/unity-lens-shopping/+bug/1073114

Librement

Comment on using select on a fifo by Andrew H.

Andrew H. — Sat, 03 Nov 2012 02:02:23 +0000

I was bashing my head against this problem today, and you were the first Google search result for “select fifo” and this solves my problem entirely, thanks! This (and the clearerr() reference in the comments) is useful information. And coincidental—I think the last time I talked to you was like 14 years ago at UIUC. :)

Comment on CUPS banner template variables by non7top

non7top — Sat, 13 Oct 2012 03:42:29 +0000

Might be too late, but now it is documented at http://www.cups.org/documentation.php/doc-1.5/spec-banner.html

Comment on Link restrictions released in Linux 3.6 by wojtek

wojtek — Tue, 02 Oct 2012 13:22:50 +0000

Whoa! That’s certainly impressive as an example of unstoppable, relentless development. Respect the kernel devs!

Comment on Link restrictions released in Linux 3.6 by tshirtman

tshirtman — Tue, 02 Oct 2012 11:23:11 +0000

I believe this makes it a little harder to get root on some android phones/tablets :(. Security issues are sometime a good thing.

Comment on Link restrictions released in Linux 3.6 by Geert

Geert — Mon, 01 Oct 2012 22:24:22 +0000

Great work. Thanks!

Comment on use of ptrace by naughty bit

naughty bit — Tue, 07 Aug 2012 17:58:14 +0000

Cool, thanks for answering;) I have to wait for a while then.

Had to Google VFS to get the picture painted. I assume that reasoning behind it is twofold, to have kernel hardened by default in simplest possible way by supporting all of the existing filesystems through VFS and not using LSM interface in order to have it available for other sec modules if wanted?

Good to know this stuff is getting accepted in the main tree. As a regular user I can’t be bothered to learn complex stuff like SELinux or recompile kernel just for grsec. Keep up the good work, you seem to be very good at it!

Comment on use of ptrace by kees

kees — Tue, 07 Aug 2012 17:03:28 +0000

The hardlink and symlink restrictions are scheduled for the 3.6 Linux kernel, but as part of the VFS, not Yama.

The additional scopes (2 and 3) for Yama were introduced in the 3.5 Linux kernel, so it is not available in 3.4, as you’ve discovered. :)

Comment on seccomp filter now in Ubuntu by kees

kees — Tue, 07 Aug 2012 16:59:02 +0000

Yup — it’s that critical a feature. And it was pretty touch-and-go for a while there, but everything seems to have worked out.

Comment on use of ptrace by naugty bit

naugty bit — Sat, 04 Aug 2012 15:02:42 +0000

When it is expected to have other aspects of Yama available in kernel tree?
Like hardlink ad symlink protections in place?

I have an issue also when setting ptrace. When passing:
sudo sysctl -w kernel.yama.ptrace_scope=2
I get:
sysctl: setting key “kernel.yama.ptrace_scope”: Invalid argument

Maybe I’m doing it wrong, I’m not well versed with linux. I’d like to have increased security by default and Yama seems to fit the bill.

Currently running:
3.4.0-7.dmz.1-liquorix-amd64

Comment on USB AVR fun by rmspeers

rmspeers — Tue, 03 Jul 2012 01:10:44 +0000

Nice work and a great post! I’ve posted regarding some Scapy I wrote to work with the Facedancer boards from Travis/Sergey, and at the end I’ve shown the one-line change to do this with the Facedancer. If you’re interested/using that platform, take a look at http://rmspeers.com/archives/252.

Comment on USB AVR fun by kees

kees — Thu, 31 May 2012 18:08:47 +0000

Yup, totally. Need to retool a bit to do that, but it should be very possible. That’s what these devices were originally designed for (poking at the PS3 USB stack).

Comment on USB AVR fun by Alon

Alon — Thu, 24 May 2012 04:28:53 +0000

I wonder if this AVR board could be used to fuzz the _kernel’s_ USB-detection code… (I.e., how does the kernel react to flagrant violations of the USB device-identification protocol?)

Comment on keeping your process unprivileged by kees

kees — Thu, 19 Apr 2012 00:38:08 +0000

@James: looks like you can restore euid of 0. Not sure if that is intentional or not.

@jww: securebits (specifically SECURE_NOROOT_LOCKED) will keep a process from gaining capabilities, but not changing uid. nnp will block setuid transitions of any kind:

-rwsrwxr-x 1 root kees 8485 Apr 18 17:34 getuid
-rwxrwxr-x 1 kees kees 8637 Apr 18 17:36 nnp

$ ./getuid
euid:0 uid:501
$ ./nnp ./getuid
euid:501 uid:501

Comment on keeping your process unprivileged by jww

jww — Wed, 18 Apr 2012 23:37:08 +0000

How is this different from just using caps+securebits?

Comment on keeping your process unprivileged by James Brown

James Brown — Mon, 26 Mar 2012 22:55:26 +0000

This is quite awesome. I don’t have a system running a modern-enough kernel to test; how does this interact with effective id changes? For example, if I set the euid to something, call prctl, then restore my saved euid, what happens?

Comment on seccomp filter now in Ubuntu by Robert

Robert — Fri, 23 Mar 2012 13:09:34 +0000

Um, you’re introducing a feature into LTS that isn’t even certain to make it into upstream?

Are you sure you’re not going to be left holding the baby here?

Comment on discard, hole-punching, and TRIM by Marius Gedminas

Marius Gedminas — Fri, 17 Feb 2012 15:18:02 +0000

Oh! I misunderstood what mke2fs -E discard meant. It discards all data during mkfs time, which is a sensible thing to do. It doesn’t set any filesystem options, or adjust the layout of the ext4 metadata, like I assumed.

Comment on discard, hole-punching, and TRIM by kees

kees — Thu, 16 Feb 2012 19:30:32 +0000

AIUI, as long as it’s been mounted with “-o discard”, it should pass down discard intent to the block device driver under it. I haven’t tried this with a migrated ext3, thought. Also note that not all SSDs provide TRIM support. See what “hdparm -I /dev/yourssd | grep TRIM” shows. For an older SSD, it’ll say nothing (no TRIM at all). Some will say “Data Set Management TRIM supported”, and among those, some will also have either “Deterministic read data after TRIM” or “Deterministic read ZEROs after TRIM”. The latter of these is needed for speeding up mkfs with “-E discard”.

Comment on discard, hole-punching, and TRIM by Marius Gedminas

Marius Gedminas — Thu, 16 Feb 2012 18:04:49 +0000

Hm, does ext4 need to be mkfs’ed with some special flags to support discard? What if my SSD had an ext3 filesystem created in 2009 that was converted to ext4 at some point during one of Ubuntu upgrades? I can see that it is mounted with -o discard, but does that do anything?

Comment on discard, hole-punching, and TRIM by Ritesh Raj Sarraf

Ritesh Raj Sarraf — Thu, 16 Feb 2012 15:15:26 +0000

Wow!! I haven’t fully caught up on the 3.2 release. But it is great to read that 3.2 now supports discard for the loopback device. This definitely helps for virtualization images. For pre 3.2 kernels (which don’t have discard for loopback), the cp command can come handy. Not really a great solution, but works. Details here: http://linux.netapp.com/node/93

Comment on kvm and product_uuid by Andrew Pollock

Andrew Pollock — Mon, 13 Feb 2012 07:04:32 +0000

Huh. I’d always been using /sys/class/dmi. Seems /sys/devices/virtual/dmi works too, if you like typing a longer path ;-)

Comment on fixing vulnerabilities with systemtap by Tim

Tim — Tue, 24 Jan 2012 19:58:01 +0000

… okay the comment-function filters out “what-looks-like-html”.
The if-line should read:
if((now LESSTHAN last) || (( now – last ) GREATERTHAN HZ() )) {

(I hope you don’t mind me spamming your blog ;-) )