Looking at the binary blob, it’s a payload to assume privileges as possible and exec sh. So replace su with that and the binary gets to use su’s filesystem privileges without needing access to actually write it.
The vulnerability part is when the door opens to replace any file’s read cache with arbitrary content. The binary payload is just an obvious example of the sort of payload that could do a ton of damage.
Note that this is a rather narrow view of the scope of things.
Yes, the demonstrator is a python script that opens up ‘su’ and uses splice+this vulnerability to change it to ‘just assume all privileges and become sh’.
However, it’s that any process in any namespace can leverage a certain socket type and splice to effectively modify any filesystem content they want. It’s easy to see how this could be part of a chained attack to, for example, replace a protected service that is firewalled off with a shell. An RCE in a service permits rewriting nginx in an entirely different container and replaces it with a shell backend of your choosing.
That ‘flatpak’ application on your single user system that is guarded from touching your files that aren’t related? That isolation doesn’t mean anything if this issue is in play.
In terms of shared systems, while it should be avoided if possible, practically speaking there’s a lot of shared resources.
I don’t get why I’ve seen so many people saying “ehh, no big deal, privilege escalation is just a fact of life”.
Is a bit hyperbole at the moment, where the concrete lawd are basically “os asks user for age on honor system and relays that to websites”. Linux distros can add that without much real controversy.
Proven is some are seeking laws that require the os to actually verify age, which in practice means locking things behind something like a Google account and having an online account vendor process your real identity and really validate your age. Under such a regime, Linux desktop as it exists today becomes infeasible. Also Microsoft can say they absolutely cannot allow local accounts anymore by law and force Microsoft accounts…
Zombie processes do not use resources, well, a little, it’s basically an entry describing how it exited.
The parent process is the thing keeping the zombie entry open. Killing it’s parent should work if they bother you.
Don’t have a Framework, but I think it’s due to the whole ‘modern standby’ approach where the firmware doesn’t implement ‘standby’ anymore and just let’s the OS put everything into as low power state as possible, component by component.
It doesn’t work well for Windows either, which is why a Windows laptop I have will ‘standby’ for maybe 15 minutes before shutting itself down for ‘hibernate’. I figure they decided that NVME means resume from hibernate is ‘good enough’ and modern standby is such a power hog that they can’t pull it off.
Problem in Linux is that they view SecureBoot as a promise they cannot keep if they resume from disk, so they block hibernate if SecureBoot is enabled, making it hard to bank on as a reliable recourse.
I find it interesting that, as you point out, his comment makes zero sense but still gets upvotes, and then as he clarifies he’s saying it’s racist against chatbots, then people are unambiguously “oh hell no”
Some people upvote at a baseless accusation of racism without actually actually seeing racism or getting clarification that they may have missed… That’s a bit sad…
Well, it looks like they state three options:
Passkeys. This won’t work over a medium term, period. It’s tantamount to saying that SSH keys prove someone is human. If there’s enough interest, they’ll just make a software passkey solution that can work. Passkey being “human interactive” is purely a client-side construct.
Biometric services. Strictly speaking, not an ID but it’s not hard to imagine leveraging capturing biometrics to an ID like scenario.
Government IDs. Well that’s self explanatory.
They do state distancing themselves from the ID by trusting a third party service, but 3rd party ID service is still a thing.
Of course, this seems to be only after someone accuses you of being a bot and Reddit bothering to pay attention. Which may be almost no one.
Sounds like a statement to say they have a hard-on-bots policy, but in practice it seems they won’t care unless there’s significant outcry against a particular account.
LLMs are not people, they do not possess will, they do not possess sapience. Not wanting to deal with LLM output is in no way like excluding a group of people based on arbitrary characteristics.
And this is how I find out that systemd lets a process running as a user get the crypted password of the user:
"privileged" : {
"hashedPassword" : [
"$6$AY98/.dwdtU20LBM$L9fFhaH.E2xA6waYBVmHl/wS4HFSPn5v/JaIlrSW6wLOfKkV6H1Boqggj/109WO/uHXF1J/NkyXsK1BaCRKwx/"
]
},
I mean, why the hell…
One thing that concerned me a bit was just how many of the commenters were totally there for it. The central figure of their preferred filesystem turns out to be off his rocker and a gate number of people seemed to be roughly “if this guy made such a good filesystem, and he claims he has a mathematical proof of consciousness, will, guess there must be something to it…”
Sure there seemed to be people with more expected reactions, but surprised he had any traction at all…
I’ve no idea about correlation with AI psychosis and FOSS or even software development in general, I’ve only read about a handful and this is the first developer that cropped up, but it’s not like I’ve been actively looking. Don’t know if I’ve seen any pattern, some have been alone and have had built a family, some young and some much further along in life. Some fairly anonymous and then there’s this guy with fame and a following and quite the ego… Many who by all accounts never exhibited mental health problems before… It’s just weird.
Wow, flags don’t get redder than that. Dude has issues…
On top of everything else. He asserts that he made his LLM a “real girl” by feeding it a “mathematical proof” that it is a conscious being… That he has figured out this whole conscious AI thing 15 years ago…
Dude has some severe LLM psychosis… And thinks he’s such a hot shot smart person that such a problem couldn’t apply to him…
This is really a sad and worrying example of a whole mess of incoming mental health problems…
Of course I also see that the go spawns python and does stuff with that…
And there’s lots of other dubious issues that look like an odd mismash of intro level programming stuff with unfortunate performance implications, and a very strong vibe code smell, though the commit interval is a bit larger than I would have presumed with vibe coding, but the volume of changes seem AI sloppy…
Well, broadly it looks like slop, probably AI slop, but either way I wouldn’t go anywhere near this project…
unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
With fish, you just need to fight more to earn that kill.
Bluetooth. Like it works most of the time, but especially randomly the microphone does not work
It depends on the complexity of the operation. “I want to rename all my files to have underscores to spaces”, CLI will let you construct that easily. I want to move all mp4/mkv files to one folder, but all ‘.opus/.mp3’ files to another folder, CLI is a bit quicker. Or I want to take the audio tracks out of all these mp4/mkv and then name the result according to the basename of the original file and move the result, well, mkvextract and mv are quicker than trying to wrangle all the content in comparable GUIs.
But yes, if you are wanting to do an operation on a file or a range of files easily handled with shift-click to select, then GUI will be both approachable and quick.
I can appreciate the desire for “you know what I meant” CLI interaction, but shudder at the verbosity of natural language in a lot of these cases.
Retaining that much detail on tentacles takes some drive space
Note that could prove you have it, but failure to execute does not prove yourself secure.
For example, someone reported to me that their RHEL9 system was not vulnerable based on this result. But it was because python was 3.9 and didn’t have os.splice, so the demonstrator failed, but the actual issue was there.
Similarly, if ‘/usr/bin/su’ isn’t exactly there (maybe it’s in /bin/su, or in /sbin/su, or /usr/sbin/su, or not there at all), the demonstrator will fail, but the kernel may still have the vulnerability, you just have to select a different victim utility (or change the cache for some other data other than an executable for other effects).