Just a quick note: on recent versions of systemd it is relatively easy to block the vulnerability described in CVE-2016-8655 for individual services.
Since systemd release v211 there's an option RestrictAddressFamilies= for service unit files which takes away the right to create sockets of specific address families for processes of the service. In your unit file, add RestrictAddressFamilies=~AF_PACKET to the [Service] section to make AF_PACKET unavailable to it (i.e. a blacklist), which is sufficient to close the attack path. Safer of course is a whitelist of address families, which you can define by dropping the ~ character from the assignment. Here's a trivial example:

…
[Service]
ExecStart=/usr/bin/mydaemon
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
…

This restricts access to socket families, so that the service may access only AF_INET, AF_INET6 or AF_UNIX sockets, which is usually the right, minimal set for most system daemons. (AF_INET is the low-level name for the IPv4 address family, AF_INET6 for the IPv6 address family, and AF_UNIX for local UNIX socket IPC.)
Starting with systemd v232 we added RestrictAddressFamilies= to all of systemd's own unit files, always with the minimal set of socket address families appropriate.
With the upcoming v233 release we'll provide a second method for blocking this vulnerability. Using RestrictNamespaces= it is possible to limit which types of Linux namespaces a service may get access to. Use RestrictNamespaces=yes to prohibit access to any kind of namespace, or set RestrictNamespaces=net ipc (or similar) to restrict access to a specific set (in this case: network and IPC namespaces). Given that user namespaces have been a major source of security vulnerabilities in the past months it's probably a good idea to block namespaces on all services which don't need them (which is probably most of them).
Of course, ideally, distributions such as Fedora, as well as upstream developers would turn on the various sandboxing settings systemd provides like these ones by default, since they know best which kind of address families or namespaces a specific daemon needs.
Or I could just not use shovelware that requires an external roach motel running as root to sandbox it in the first place
Mason Adams
Or you can give a shit and use a secure Linux OS... or switch to a real operating system.
Daniel Fisher
OS X Server?
Ryan Watson
Gentoo?
Landon Diaz
9front?
Joseph Morales
Actual UNIX, you Stallmanite ripoff artists.
Andrew Peterson
You mean the “If there’s an error, we have this routine called panic, and when it is called, the machine crashes, and you holler down the hall, ‘Hey, reboot it.’” UNIX?
Actual UNIX is a lot of things, but it's not secure.
Ayden Williams
There's hardly discussion against systemd on Holla Forums anymore. You're chasing after ghosts because of your past butthurt about people hating on systemd.
Jeremiah Butler
Not an argument
Adam Collins
Because everyone is tired of it. The SystemD shills will find every reason to fault you and ignore the gaping problems in SystemD. It's best just not to even discuss it anymore.
Ethan Rodriguez
Not an argument
Adam Cook
...
Michael Morgan
...
Austin Rodriguez
systemd is shit
Brandon White
not a technical argument yes.
But an argument to not talk about systemd: it has been talked over and over again; we don't need to talk about it anymore to know that, like cancer, it's spreading dependencies over everything even if it's not necessary.
Lennart, please stop your shitposting and just make an init like it was intended to be; otherwise in the future it's going to be Emacs vs systemd.
Luis King
not an argument
Nicholas Wood
your mother is not an argument
Christopher Bailey
You don't know what an argument is
Exactly. So people don't bother responding anymore. Oh, but that doesn't stop the dumbass faggots who will forever be butthurt about their precious stupid init being bullied months ago.
Nicholas Evans
Not an argument
Anthony Thomas
By that standard, there is no free Unix system.
Parker Miller
Not an argument.
Asher Wright
Solid thread so far
Juan Price
No, everyone I know in Vietnam long term either married a Vietnamese or is an English teacher.
Levi Rivera
need to replace your wingman
I'll definitely start volunteering. The national park in my state is really close by. The only problem with that is that the school I would have to go to is 2 hours away. That may make internships pretty difficult... Maybe there is a state park closer to the school? I'll have to look into that more.
Honestly, I can't see myself doing much else. Maybe I'm just hyping myself up for it but I haven't been more passionate about any sort of dream/goal in my life. I'm hoping it works out or I don't really know where I would go from there..
I'm also a bit worried about the possibility of not being steadily employed after graduation. I'll probably have to use student loans to afford it even though it's a pretty cheap school. I love traveling and seeing new places so that part doesn't seem bad. Hopefully I don't change my mind along the way.
Sorry for the shit formatting of my posts. I'm on mobile.
Matthew Edwards
are you also implying Burial is bad? wew laddeh
Lincoln Walker
...
Nathan Sanders
yes pls
Carter Miller
Best final for Germany. 1) Breakup of USSR, annexation of Baltic republics, total influence in all other ones. 2) Britain was accused of genocide of Jews, British royal family and Cabinet killed as organizers of Holocaust. Solemn creation of Israel under German aegis, massive deportation of Jews there. Acquisition of British colonies in Middle East. 3) USA absorbed Canada and became neutral.
Jeremiah Walker
Thank you for your insight!
Sebastian Russell
...
Ian Bennett
samefag
Daniel Foster
what a cuck, Multics is where all the security's at
Adrian Gray
...
Charles Gray
I miss the old systemcuck shills. They were actually pretty funny.
Xavier Bailey
Looks like L.P. needs to go to the men's room to earn some money, so he can get his teeth fixed.
Isaac Bailey
...
Jacob Wood
Hey there, Satan. Multics is so bloated it encouraged Thompson and Ritchie to create a smaller version of it that, with time (and help from Berkeley, HP, IBM and others), became a harmful virus that is still with us to this very day.