#nixos-security on 2019-01-13

00:48 erictape1 has joined #nixos-security

00:51 erictapen has quit [Ping timeout: 258 seconds]

01:18 erictape1 has quit [Ping timeout: 258 seconds]

01:19 labancle has joined #nixos-security

02:00 labancle has quit [Quit: ERC (IRC client for Emacs 25.2.2)]

02:20 labancle has joined #nixos-security

02:21 labancle has left #nixos-security [#nixos-security]

03:42 lassulus_ has joined #nixos-security

03:44 lassulus has quit [Ping timeout: 268 seconds]

03:44 lassulus_ is now known as lassulus

04:40 pie__ has joined #nixos-security

04:44 pie_ has quit [Ping timeout: 258 seconds]

10:57 erictapen has joined #nixos-security

15:26 MichaelRaskin has joined #nixos-security

15:30 erictapen has quit [Quit: leaving]

19:14 <samueldr> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919101

19:14 <samueldr> >> TLDR: scp doesn't check that the files it receives are the files it requests. If, for instance, you scp something into your home directory, the ssh server might maliciously send .bashrc instead, overwriting your local file. More

19:32 <andi-> O.O

19:33 <gchristensen> ...lol.

19:34 <MichaelRaskin> Erm. Can the server also send ../ ?

19:35 <MichaelRaskin> (maybe I should consider scp a browser from now on…)

19:36 <gchristensen> should probably assume all software is bad

19:37 <MichaelRaskin> I mean, I need to sort by badness, like socat can be used as a tool to give specific ports to a sandbox, etc…

19:37 <gchristensen> :)

19:37 <MichaelRaskin> If nsjail is worse than browsers, for example, sandboxing with nsjail is unwise

19:39 <andi-> samueldr: nice catch, where did you find that? :-)

19:39 <samueldr> reddit

19:39 * andi- shoudl continue jailing more software... lets start with ls

19:40 <MichaelRaskin> Definitely goes into read-only sandbox!

19:41 <gchristensen> «thinking guy emoji» can't do any damage if you don't have any files

19:41 <samueldr> /dev/nullfs as $HOME?

19:42 <pie__> tfw sandboxing itself is vulnerable

19:42 <ekleog> hello firejail

19:42 <andi-> We should just stop using interconnected computers (and no external inputs)

19:42 <pie__> when can we microkernels

19:42 <gchristensen> samueldr: I was thinking about more datalake approach, where our computers live at the bottom of the nearest lake.

19:42 <samueldr> andi-: you want a resistor?

19:42 <andi-> samueldr: I am alreayd a human resistor

19:42 * ekleog more and more thinking about starting writing a seL4 userspace because time is plentiful

19:43 <ekleog> :sarcasm:

19:50 <andi-> Anyone applying the patch for that bug yet? Otherwise I'll try to get that done now.

19:58 <MichaelRaskin> What the. Upstream didn't bother to cut a release in two months since they applied the fix?

20:00 <Foxboron> MichaelRaskin: thats common

20:00 <MichaelRaskin> I mean, that's OpenSSH, of all people. Not glibc or something

20:01 <Foxboron> I think patch has fixed 2-3 very nasty CVEs. I'm not expecting a release for the next couple of....*checks the repository* years

20:03 <andi-> running the tests locally.. recompiling *everything* (not really)

20:58 <samueldr> andi-: any reason to use a patch from another project than upstream?

20:58 <samueldr> oops

20:58 <samueldr> it's our upstream

20:59 <samueldr> hm, no, it's not, there's the `hpnSupport` one from another user's fork?

20:59 <samueldr> (here I'm thinking about https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198 )

21:00 <samueldr> sure it's the same fix and all, just curious

21:00 <andi-> samueldr: was the first one that I had at hand

21:00 <samueldr> right

21:00 <andi-> (that looked turstworthy)

21:28 <andi-> Now the patch doesn't apply on 18.09 since the CVS header doesn't match -,-

21:31 pie__ has quit [Ping timeout: 250 seconds]

21:32 pie_ has joined #nixos-security

21:46 <gchristensen> andi-: the secure-boot bootloader , right now, signs every NixOS system profile's bootloader if it is previously unsigned. does that make sense? or should it only sign the most recent for some reason

21:50 <andi-> gchristensen: secure-boot bootloader? You mean your module/changes? I would argue that you should only signe the curren ones.. Sure you can probably not boot any of the olders ones so that might be of value..

21:50 <andi-> I would default it to only signing newer versions and add an option to also sing older ones..

21:50 <gchristensen> so on this `nixos-rebuild boot` which will create generation 29, only sign the bootloader for generation 29?

21:50 <andi-> Imagine people changing keys, initial rollout (from a redhat/debian signed kernel/bootloader) to a self-signed keyring

21:51 <andi-> I would do that as default

21:51 <andi-> so yes

21:51 <gchristensen> makes sense

21:51 <andi-> I would want gradual "rollout" of the new signatures. Verify with newest generation. If that works flip the switch for all of them.

21:51 <gchristensen> although there is the problem that, as it stands, my code wipes out any other entries you have and replaces them with signed efi versions :P

21:53 <gchristensen> I'll play and experiment. I'm still not sure it makes sense to upstream.

21:56 <andi-> I would really like to see something like that in the (distant) future :-) but not pressure from my side. Maybe just open a WIP PR once you are "done" so we can take it from there in the future.

21:57 <gchristensen> that is a good idea

22:02 erictapen has joined #nixos-security

22:32 <gchristensen> it turns out systemd-boot deletes all the loader and .efi files on every reinstall anyway :D

22:50 <samueldr> eek

23:05 <gchristensen> ok WIP PR in

23:48 <andi-> \o/ I spent the last hour re-reading grub code... While I feel urged to move away from it I might be able to close that little hole with the resuce shell with just 1 line of additional C code..