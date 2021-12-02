Security Leftovers
Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3. An attacker could exploit these vulnerabilities to take control of an affected system.
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
While the botnet previously targeted Microsoft Exchange servers vulnerable to bugs such as ProxyLogon, in this campaign Lemon Duck achieves initial access through exposed Docker APIs. Docker, a platform for running container workloads, exposes an HTTP API so that developers can automate it. However, misconfigured cloud instances can expose this API to the internet without authentication, and since anyone who can call it can start containers that mount the host's filesystem, attackers can leverage it for various nefarious purposes.
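The check a practitioner wants after reading the Lemon Duck item is whether their own daemon is one of those exposed APIs. The script below is an added example, not code from the report or from the Docker project: it audits a daemon.json (using the real "hosts", "tls" and "tlsverify" keys) and flags every tcp:// listener that accepts clients without certificate authentication or is bound to every interface. The two configurations at the bottom are constructed for illustration, and the script does not inspect -H flags passed on the dockerd command line, which are the other common way the TCP listener gets enabled.

```python
"""Audit a Docker daemon.json for API listeners reachable without client auth."""
import json
from typing import List
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"", "0.0.0.0", "::"}


def audit_daemon_json(text: str) -> List[str]:
    """Return one finding per tcp:// listener that has no TLS client
    authentication, or that has it but is bound to every interface."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify"))
    findings: List[str] = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":  # unix:// and fd:// listeners are local-only
            continue
        addr = (url.hostname or "").lower()
        # dockerd defaults to 2375 when no port is given, 2376 once TLS is on
        port = url.port or (2376 if tls_verify or cfg.get("tls") else 2375)
        if not tls_verify:
            reach = ("any local process" if addr in LOOPBACK
                     else "anyone who can reach the port")
            findings.append(
                f"{host}: no tlsverify, so {reach} gets root-equivalent control "
                f"of this host through port {port}")
        elif addr in WILDCARD:
            findings.append(
                f"{host}: client certificates are required, but the API is bound "
                f"to every interface on port {port}; bind it to a management "
                "address or firewall it")
    return findings


# Constructed configurations, not taken from any real host.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_json(cfg) or ["ok"])
```

Run it against /etc/docker/daemon.json. A tcp:// entry without tlsverify is exactly the condition these campaigns scan for; a loopback-bound one still hands root to every local user, which is why the script reports it too.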
Best Linux distro for programming (2022)
Why would you want to go to the trouble? Because you're a programmer, an engineer, or a system administrator who wants to get the most from Linux. Or, you're a power user, and you want to push your computer as far as you can take it. If that's you, then these are the distributions for you.
today's howtos
Have you made customizations to your GNOME desktop environment that you later regretted? Good news: you can easily reset GNOME to its defaults and restore all the original settings. In this tutorial, you will learn how to reset your GNOME desktop settings to the factory defaults on Ubuntu 22.04 Jammy Jellyfish. The reset returns your desktop appearance and all settings (shortcuts, wallpapers and so on) to the factory defaults.
There surely is need for better tooling on the BTRFS File System side.
Eclipse is a free C and C++ IDE that can be installed on Ubuntu 22.04 Jammy Jellyfish. In this tutorial, we will take you through the step by step instructions to install the Eclipse C/C++ IDE on Ubuntu 22.04 Jammy Jellyfish as well as the Java prerequisites, via command line. Then, you can use the application to import your current C and C++ projects or develop new ones.
In this short tutorial, you will learn how to disable automatic package updates on Ubuntu 22.04 Jammy Jellyfish Linux. You will see how to disable automatic updates via both command line and GUI. Although this goes against general security recommendations, this will prevent your package manager from being tied up in the background when you need to use it.
Looking to take your company's project management to the next level? Maybe you need to start using Scrum. Jack Wallen walks you through the deployment of the open-source IceScrum platform.
Fail2Ban is a great security measure to deploy on a web application server. It ships with default filters and actions that can immediately ban misbehaving web bots, stop them from draining your system resources and block attacks, which is the most crucial part of protecting any website.
However, many system administrators and website owners sometimes want a bit more than what Fail2Ban offers out of the box. In the following tutorial, you will learn how to create and use custom filters for your Nginx server, which can be fine-tuned to suit your needs and expanded later.
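What a custom filter actually does is easier to see by replaying log lines through one. The block below is an added example and not code from the tutorial or from the Fail2Ban project: it loads a constructed filter written in the filter.d INI syntax (the file name nginx-botsearch-custom.conf is hypothetical), substitutes a simplified host pattern for the <HOST> token (Fail2Ban's own expansion is more elaborate), and applies a jail's maxretry/findtime window to constructed Nginx access-log lines to decide which clients would be banned.

```python
"""Replay Nginx access-log lines through a Fail2Ban-style custom filter."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# fail2ban expands <HOST> to its own, more elaborate host pattern; this
# IPv4/IPv6 stand-in is an assumption made for the example.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{3,})"
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed filter in filter.d INI syntax (hypothetical file name
# nginx-botsearch-custom.conf): probes for WordPress endpoints, leaked
# .env files and phpMyAdmin that Nginx answered with 401/403/404.
FILTER_CONF = r"""
[Definition]
failregex = ^<HOST> - \S+ \[.*\] "(?:GET|POST) /(?:wp-login\.php|xmlrpc\.php|\.env)\b[^"]*" (?:401|403|404)\b
            ^<HOST> - \S+ \[.*\] "(?:GET|POST) /(?:phpmyadmin|pma)/[^"]*" 404\b
ignoreregex = ^<HOST> - \S+ \[.*\] "GET /robots\.txt
"""

# Constructed access-log lines in Nginx's combined format.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2022:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "bot/1.0"',
    '203.0.113.7 - - [10/May/2022:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "bot/1.0"',
    '192.0.2.5 - - [10/May/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2022:10:00:10 +0000] "GET /.env HTTP/1.1" 403 162 "-" "curl/7.81"',
    '203.0.113.7 - - [10/May/2022:10:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "bot/1.0"',
    '203.0.113.7 - - [10/May/2022:10:01:30 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "bot/1.0"',
    '198.51.100.9 - - [10/May/2022:10:25:00 +0000] "GET /.env HTTP/1.1" 403 162 "-" "curl/7.81"',
    '198.51.100.9 - - [10/May/2022:10:26:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.81"',
]


def load_filter(conf: str) -> Tuple[List[re.Pattern], List[re.Pattern]]:
    """Compile the failregex and ignoreregex lists of a filter.d definition."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf)
    section = parser["Definition"]

    def compile_all(key: str) -> List[re.Pattern]:
        return [re.compile(line.replace("<HOST>", HOST_RE))
                for line in section.get(key, "").splitlines() if line.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def parse_time(line: str) -> datetime:
    """Extract the request timestamp from a combined-format access-log line."""
    return datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def find_bans(lines: List[str], conf: str = FILTER_CONF,
              maxretry: int = 3, findtime: int = 600) -> Dict[str, str]:
    """Return {host: ISO time of ban} for hosts that matched failregex at least
    maxretry times inside a findtime-second window, as a jail would."""
    fails, ignores = load_filter(conf)
    recent: Dict[str, deque] = defaultdict(deque)
    banned: Dict[str, str] = {}
    for line in lines:
        if any(r.search(line) for r in ignores):  # ignoreregex wins outright
            continue
        match = next((m for m in (r.search(line) for r in fails) if m), None)
        if match is None:
            continue
        host = match.group("host")
        if host in banned:
            continue
        now = parse_time(line)
        window = recent[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:  # expire old hits
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = now.isoformat()
    return banned


if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

With the defaults only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first probe falls outside the 600-second findtime, which is the knob to widen if slow scanners are the problem. Before deploying a real filter, test it the same way with fail2ban-regex against a copy of the live log, since an over-broad failregex bans legitimate users just as efficiently.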
Discord is a top-rated online chat program, especially amongst the gaming community. A popular feature of Discord servers is bots, which range from moderation commands and music to trivia and levelling. Most bots run on someone else's servers, and you invite them into yours. However, many of these bots charge money to unlock more features, and depending on a bot hosted by a third party can be unreliable and a security risk.
So a growing trend lately is the rise of open-source, self-hosted, free Discord bots; one of the absolute powerhouses in this field is Red Discord Bot. Redbot comes with a full set of features that can each be enabled or disabled, along with a vast third-party plugin page of community projects.
Fedora 36 is out to the masses.
I need to modify how the ipxe container mounts directories. Why? AARCH64 iPXE stuff. Specifically, I need to get my own version of a file into the directory that a container mounts when it is running. How do I do that? I don’t know yet, so I am going to look.
I do know that the starting point for running a container in Kolla is the Ansible playbook that launches it, and that for the Ironic containers at least, that calls into a custom library called kolla_docker. This is implemented as a Python executable: kolla-ansible/ansible/library/kolla_docker.py. The vast majority of that file, however, is parameter parsing, and the real work is done in the call to DockerWorker. While this has ansible as the first stage in the package name, it is actually under the kolla_ansible repository.
Linux Kernel: Four LWN Articles Outside the Paywall Today
The readahead code in the Linux kernel is nominally responsible for reading data that has not yet been explicitly requested from storage, with the idea that it might be needed soon. The code is stable, functional, widely used, and uncontroversial, so it is reasonable to expect the code to be of high quality, and largely this is true. Recently, I found the need to document this code, which naturally shone a rather different light on it. This work revealed minor problems with functionality and significant problems with naming.
My particular reason for wanting documentation probably colors my view of the code so I'll start there. Once upon a time, Linux had a strong concept of "congestion" as it applied to I/O paths. If the queue of requests to some device grew too large, the backing device would be marked as "congested" and certain optional I/O requests would be skipped or delayed, particularly writeback and readahead. As time has passed, so too (apparently) has the need for congestion management. Maybe this is because many I/O devices are now faster than our CPUs but, whatever the reason, the block layer no longer tracks congestion and only a few virtual "backing devices" continue this outdated practice.
In Linux 5.16, the only backing device that gets marked as "read congested" is the virtual device used for FUSE filesystems. As part of a project to remove all remnants of congestion tracking, I proposed that there was really nothing special about FUSE, and it should just accept all readahead requests just like everyone else. Miklos Szeredi, the maintainer of FUSE, found my reasoning to be unsatisfactory — and who could blame him? If FUSE doesn't want readahead requests, it shouldn't have to accept them. Trying to understand how FUSE could safely say "no" to readahead, without having to maintain the congestion-tracking functionality in common code, started me on the path to understanding readahead — once it was explained to me that it wasn't as simple as just changing the "readahead" callback in FUSE to return zero.
Filesystems and the virtual filesystem layer are in the business of managing files that actually exist, but the Linux "dentry cache", which remembers the results of file-name lookups, also keeps track of files that don't exist. This cache of "negative dentries" plays an important role in the overall performance of the system but, if it is allowed to grow too large, its role can become negative in its own right. As the 2022 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM) approaches, the subject of negative dentries has come up yet again; whether one can be positive about the prospects for a resolution this time around remains unclear.
The kernel's dentry cache saves the results of looking up a file in a filesystem. Should the need arise to look up the same file again, the cached result can be used, avoiding a trip through the underlying filesystem and accesses to the storage device. Repeated file-name lookups are common — consider /usr/bin/bash or ~/.nethackrc — so this is an important optimization to make.
The importance of remembering failed lookups in negative dentries may be less obvious at the outset. As it happens, repeated attempts to look up a nonexistent file are also common; an example would be the shell's process of working through the search path every time a user types "vi" (Emacs users start the editor once and never leave its cozy confines thereafter, so they don't benefit in the same way). Even more common are failed lookups created by the program loader searching for shared libraries or a compiler looking for include files. One is often advised to "fail fast" in this society; when it comes to lookups of files that don't exist, that can indeed be good advice.
So negative dentries are a good thing but, as we all know, it is possible to have too much of a good thing. While normal dentries are limited by the number of files that actually exist, there are few limits to the number of nonexistent files. As a result, it is easy for a malicious (or simply unaware) application to create negative dentries in huge numbers. If memory is tight, the memory-management subsystem will eventually work to push some of these negative dentries out. In the absence of memory pressure, though, negative dentries can accumulate indefinitely, leaving a large mess to clean up when memory does inevitably run out.
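The "malicious (or simply unaware) application" is easy to write, and seeing the counters move makes the point concrete. The script below is an added example, not from the LWN article: it looks up distinct names that do not exist under the temporary directory and compares the kernel's dentry counters from /proc/sys/fs/dentry-state before and after. The stat loop runs on any OS; the counter file is Linux-only and its fifth column, nr_negative, is exported by kernels that track negative dentries (it reads as 0 on older ones). The name prefix and counts are chosen for the example.

```python
"""Grow the kernel's negative-dentry count with lookups of nonexistent files."""
import os
import tempfile
from typing import Dict, Optional

DENTRY_STATE = "/proc/sys/fs/dentry-state"
# Column order of the dentry_stat structure exported through /proc.
FIELDS = ("nr_dentry", "nr_unused", "age_limit", "want_pages", "nr_negative", "dummy")


def read_dentry_state(path: str = DENTRY_STATE) -> Optional[Dict[str, int]]:
    """Return the kernel's dentry counters, or None where /proc is unavailable."""
    try:
        with open(path) as f:
            values = [int(v) for v in f.read().split()]
    except (OSError, ValueError):
        return None
    return dict(zip(FIELDS, values))


def create_negative_dentries(directory: str, count: int, tag: str = "") -> int:
    """Look up `count` distinct names that do not exist and return how many
    lookups failed with ENOENT. Each distinct name leaves a negative dentry
    behind; repeating one name would only hit the entry already cached."""
    tag = tag or f"nx-{os.getpid()}-{os.urandom(4).hex()}"  # assumed prefix
    misses = 0
    for i in range(count):
        try:
            os.stat(os.path.join(directory, f"{tag}-{i}"))
        except FileNotFoundError:
            misses += 1
    return misses


def demo(count: int = 50_000) -> Dict[str, Optional[int]]:
    """Run the lookups and report the change in nr_negative (None off Linux)."""
    before = read_dentry_state()
    misses = create_negative_dentries(tempfile.gettempdir(), count)
    after = read_dentry_state()
    growth = None
    if before is not None and after is not None:
        growth = after["nr_negative"] - before["nr_negative"]
    return {"misses": misses, "negative_dentry_growth": growth}


if __name__ == "__main__":
    print(demo())
```

On an idle Linux box the growth comes out close to the number of lookups, and without memory pressure it stays there; as root, `echo 2 > /proc/sys/vm/drop_caches` reclaims the dentries and lets you watch the counter fall again. Nothing stops an unprivileged user from running this in a loop, which is the unbounded-growth problem the article describes.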
Cloud computing is a wonderful thing; it allows efficient use of computing systems and makes virtual machines instantly available at the click of a mouse or API call. But cloud computing can also be problematic; the security of virtual machines is dependent on the security of the host system. In most deployed systems, a host computer can dig through its guests' memory at will; users running guest systems have to just hope that doesn't happen. There are a number of solutions to that problem under development, including this KVM guest-private memory patch set by Chao Peng and others, but some open questions remain.
A KVM-based hypervisor runs as a user-space process on the host system. To provide a guest with memory, the hypervisor allocates that memory on the host, then uses various KVM ioctl() calls to map it into the guest's "physical" address space. But the hypervisor retains its mapping to the memory as well, with no constraints on how the memory can be accessed. Sometimes that access is necessary for communication between the guest and the hypervisor, but the guest would likely want to keep much of that memory to itself.
When last we looked in on the proposed trusted_for() system call, which would allow user-space interpreters and other tools to ask the kernel whether a file is "trusted" for execution, it looked like it was on-track for the mainline. That was back in October 2020; the patch has been updated multiple times since then, made its way into linux-next, and a pull request was made by Mickaël Salaün for the 5.18 merge window. But it seems that there will be more to the story of getting this functionality into the kernel, as Linus Torvalds declined to pull trusted_for(), at least partly because he did not like the name, but there were other reasons as well. While he is not opposed to the functionality it would provide, he also had strong feelings that a new system call was not the right approach.
