erictape1 has joined #nixos-security
erictapen has quit [Ping timeout: 258 seconds]
erictape1 has quit [Ping timeout: 258 seconds]
labancle has joined #nixos-security
labancle has quit [Quit: ERC (IRC client for Emacs 25.2.2)]
labancle has joined #nixos-security
labancle has left #nixos-security [#nixos-security]
lassulus_ has joined #nixos-security
lassulus has quit [Ping timeout: 268 seconds]
lassulus_ is now known as lassulus
pie__ has joined #nixos-security
pie_ has quit [Ping timeout: 258 seconds]
erictapen has joined #nixos-security
MichaelRaskin has joined #nixos-security
erictapen has quit [Quit: leaving]
<samueldr> >> TLDR: scp doesn't check that the files it receives are the files it requests. If, for instance, you scp something into your home directory, the ssh server might maliciously send .bashrc instead, overwriting your local file. More
<andi-> O.O
<MichaelRaskin> Erm. Can the server also send ../ ?
<MichaelRaskin> (maybe I should consider scp a browser from now on…)
<gchristensen> should probably assume all software is bad
<MichaelRaskin> I mean, I need to sort by badness, like socat can be used as a tool to give specific ports to a sandbox, etc…
<gchristensen> :)
<MichaelRaskin> If nsjail is worse than browsers, for example, sandboxing with nsjail is unwise
<andi-> samueldr: nice catch, where did you find that? :-)
<samueldr> reddit
* andi- should continue jailing more software... let's start with ls
<MichaelRaskin> Definitely goes into read-only sandbox!
<gchristensen> «thinking guy emoji» can't do any damage if you don't have any files
<samueldr> /dev/nullfs as $HOME?
<pie__> tfw sandboxing itself is vulnerable
<ekleog> hello firejail
<andi-> We should just stop using interconnected computers (and no external inputs)
<pie__> when can we microkernels
<gchristensen> samueldr: I was thinking about more datalake approach, where our computers live at the bottom of the nearest lake.
<samueldr> andi-: you want a resistor?
<andi-> samueldr: I am already a human resistor
* ekleog more and more thinking about starting writing a seL4 userspace because time is plentiful
<ekleog> :sarcasm:
<andi-> Anyone applying the patch for that bug yet? Otherwise I'll try to get that done now.
<MichaelRaskin> What the. Upstream didn't bother to cut a release in two months since they applied the fix?
<Foxboron> MichaelRaskin: that's common
<MichaelRaskin> I mean, that's OpenSSH, of all people. Not glibc or something
<Foxboron> I think patch has fixed 2-3 very nasty CVEs. I'm not expecting a release for the next couple of....*checks the repository* years
<andi-> running the tests locally.. recompiling *everything* (not really)
<samueldr> andi-: any reason to use a patch from another project than upstream?
<samueldr> oops
<samueldr> it's our upstream
<samueldr> hm, no, it's not, there's the `hpnSupport` one from another user's fork?
<samueldr> sure it's the same fix and all, just curious
<andi-> samueldr: was the first one that I had at hand
<samueldr> right
<andi-> (that looked trustworthy)
<andi-> Now the patch doesn't apply on 18.09 since the CVS header doesn't match -,-
pie__ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-security
<gchristensen> andi-: the secure-boot bootloader , right now, signs every NixOS system profile's bootloader if it is previously unsigned. does that make sense? or should it only sign the most recent for some reason
<andi-> gchristensen: secure-boot bootloader? You mean your module/changes? I would argue that you should only sign the current ones.. Sure you can probably not boot any of the older ones so that might be of value..
<andi-> I would default it to only signing newer versions and add an option to also sign older ones..
<gchristensen> so on this `nixos-rebuild boot` which will create generation 29, only sign the bootloader for generation 29?
<andi-> Imagine people changing keys, initial rollout (from a redhat/debian signed kernel/bootloader) to a self-signed keyring
<andi-> I would do that as default
<andi-> so yes
<gchristensen> makes sense
<andi-> I would want gradual "rollout" of the new signatures. Verify with newest generation. If that works flip the switch for all of them.
<gchristensen> although there is the problem that, as it stands, my code wipes out any other entries you have and replaces them with signed efi versions :P
<gchristensen> I'll play and experiment. I'm still not sure it makes sense to upstream.
<andi-> I would really like to see something like that in the (distant) future :-) but not pressure from my side. Maybe just open a WIP PR once you are "done" so we can take it from there in the future.
<gchristensen> that is a good idea
erictapen has joined #nixos-security
<gchristensen> it turns out systemd-boot deletes all the loader and .efi files on every reinstall anyway :D
<samueldr> eek
<gchristensen> ok WIP PR in
<andi-> \o/ I spent the last hour re-reading grub code... While I feel urged to move away from it I might be able to close that little hole with the rescue shell with just 1 line of additional C code..