Gentoo Forums
The Politics of systemd Part 3
Shamus397
Apprentice
Joined: 03 Apr 2005
Posts: 218
Location: Ur-th
Posted: Fri Jul 28, 2017 12:58 pm

Congratulations to L. Poettering and friends, for their recent win of the Pwnie! You guys have worked hard to ensure that you won this prestigious award, and certainly deserve it! :D

Getting back to politics, does anyone remember when this happened? Lots of ink and hot air were spilled over the ramifications of CentOS being "acquired" by Red Hat, but in hindsight it's easy to figure out why it was done—Red Hat had to make sure that CentOS swallowed the SystemD poison pill; they had to make sure CentOS stayed on the reservation.
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
Posted: Fri Jul 28, 2017 1:05 pm

Two points...

I just looked and saw L.P.'s award, and for some time I guess that's the only award it will get, because so far no technical sophistication is necessary to pwn systemd.

Second point, which I've thought about, but never pursued. "chattr +a /var/log/messages" as well as other files. The problem here is that of course root could then do a "chattr -a" and then change the files. A more complete fix would be to "chattr +a" any active logs, "chattr +i" rotated logs, and drop the capability to do the chattr command from the capability bounding set. Theoretically dropping CAP_LINUX_IMMUTABLE should do this, though I'm not sure how CAP_FOWNER, which I probably wouldn't want to drop system-wide, interacts with that. The other problem is that once you've dropped the capability only our old friend PID1 can restore it, meaning that without some PID1 hacks or special-purpose rebooting, you can't rotate logs.
_________________
.sigs waste space and bandwidth
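An added example to make the log-protection scheme in the post above concrete; it is not depontius's code and not from any project. It plans the "+a for active logs, +i for rotated logs" attributes as a dry run, audits lsattr output to find logs that lost their flag, and checks whether CAP_LINUX_IMMUTABLE (capability number 9) is still in a process's bounding set, which is what decides whether root in that process tree can still flip the flags back. Assumptions: rotated logs are recognised by name (a trailing number or compression suffix, as logrotate produces), and the lsattr lines used to exercise the audit are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the forum post): plan and audit the
# "chattr +a for active logs, chattr +i for rotated logs" scheme, and
# check whether CAP_LINUX_IMMUTABLE is still in a process's bounding set.
# Assumptions: rotated logs are recognised by name (trailing number or
# compression suffix, as logrotate produces); the lsattr lines used for
# testing are constructed, not captured from a real box.

# Return 0 if the path looks like a rotated log (messages.1, syslog.2.gz ...).
is_rotated() {
    case "$1" in
        *.[0-9]|*.[0-9][0-9]|*.gz|*.xz|*.bz2) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the lsattr flag letter a log should carry:
# 'a' (append-only) for active logs, 'i' (immutable) for rotated ones.
wanted_flag() {
    if is_rotated "$1"; then echo i; else echo a; fi
}

# Emit the chattr commands for the given files as a dry run.
# Apply as root with:  plan_chattr /var/log/messages /var/log/messages.1 | sh
plan_chattr() {
    for f in "$@"; do
        echo "chattr +$(wanted_flag "$f") $f"
    done
}

# Audit lsattr output read from stdin, one "<flags> <path>" line per file
# (e.g. "----i---------e------- /var/log/messages.1"). Print every path
# that lacks its expected flag; return 1 if any is missing, else 0.
# Usage on a real system:  lsattr /var/log/messages* | audit_lsattr
audit_lsattr() {
    missing=0
    while read -r flags path; do
        [ -n "$path" ] || continue
        want=$(wanted_flag "$path")
        case "$flags" in
            *"$want"*) ;;
            *) echo "missing +$want on $path"; missing=1 ;;
        esac
    done
    return "$missing"
}

# CAP_LINUX_IMMUTABLE is capability number 9 (bit 9 of the mask).
# Given the hex mask from a CapBnd: line of /proc/<pid>/status, return 0
# if the capability is still in the bounding set, i.e. root in that
# process tree could still run chattr -a / chattr -i on the logs.
capbnd_has_immutable() {
    [ $(( 0x$1 >> 9 & 1 )) -eq 1 ]
}

# Same check for the current shell and everything it will spawn.
current_capbnd_has_immutable() {
    capbnd_has_immutable "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)"
}
```

The plan is a dry run because chattr needs root and a filesystem that supports these attributes; `current_capbnd_has_immutable` reads the running shell's own CapBnd line, so running it from a service's environment tells you whether the bounding-set drop the post describes has actually taken effect there.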
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
Posted: Fri Jul 28, 2017 2:03 pm

Shamus397 wrote:
Congratulations to L. Poettering and friends, for their recent win of the Pwnie! You guys have worked hard to ensure that you won this prestigious award, and certainly deserve it! :D.


Something interesting has been revealed. While there has been much wailing and gnashing of teeth, flame wars, and the like, the security professionals have been completely absent. I suspect they've been the adults in the room, and we've all been kids. I'm sure they know the score with systemd, but they also know just how badly it's going to fall on its face, too. They're just letting the process work, no flames, no debates, just CVEs. We all know that systemd simply will not cut the mustard in the Enterprise situation, and they do too. Perhaps the Pwnies sound silly, but they're also part of a very serious process. I wonder how hard Microsoft is laughing, and if they've been laughing during the whole systemd flame-war, knowing that they will be big winners from it.

Shamus397 wrote:

Getting back to politics, does anyone remember when this happened? Lots of ink and hot air were spilled over the ramifications of CentOS being "acquired" by Red Hat, but in hindsight it's easy to figure out why it was done—Red Hat had to make sure that CentOS swallowed the SystemD poison pill; they had to make sure CentOS stayed on the reservation.


I saw this as CentOS being a loss-leader for RedHat, and RedHat wanted to make sure that when someone was unhappy with CentOS service, they came to RedHat instead of somewhere else. Given that CentOS is essentially a RedHat clone, they had no choice but to go systemd. They didn't have the resources to do a Devuan.
_________________
.sigs waste space and bandwidth
Shamus397
Apprentice
Joined: 03 Apr 2005
Posts: 218
Location: Ur-th
Posted: Fri Jul 28, 2017 3:33 pm

Well, given the political nature of the whole thing (did the Debian TC morass remind anyone else of MS and their push to make OOXML an ISO standard?), it's not surprising that people (myself included) would engage in more than a bit of schadenfreude. ;)
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
Posted: Sat Jul 29, 2017 10:59 pm

tld wrote:
It's as if they think that some supposed "sanitizing" of input is a magic bullet, even if that's in fact causing and even hiding the problems. How are these people even employed?
Ant P. wrote:
I was wondering where I'd seen bad code and bad attitudes like this before... and it suddenly clicked: amateur PHP jockeys in the mid-2000s. Pity other people are the ones who pay the price of running this incompetent code.
Zucca wrote:
It's our fault. :( We told them a million times to sanitize the input and now they have learned.

But more seriously. This case brought amateur PHP coders in my mind too.
Yeah, exactly.
The post about "shotgun parsers" brought that to mind again. Lots of cargo-cult "input validation" intermingled with processing that presumes that everything's okey-dokey now (cos we passed it through a magic function.)

Note how Poeterring still keeps wittering on about the abstract rules in his head, 5 days after his own firm has had to override him and issue a CVE for what he has kept on insisting is "not-a-bug".

And OFC, all the work is on whoever thinks he's got it wrong, not his own responsibility:
Quote:
before we [change our rules], please work with the POSIX, shadow-utils, libuser communities, as well with the other Linux distributions to come up with a single unified set of rules
He's full of sh1t.
Like:
Quote:
User=/Group= knew no counterpart in sysvinit
which is only true in the narrowest, weasel sense (of the specifier, not the concept.)

The whole thing reminds me again of that quote: "The problem is not the problem. The problem is your attitude to the problem."
Poeterring's attitude is the problem, plain and simple.

Yet every time, we get bogged down in detail that is all about his learning process, and not about getting the result.
There are hundreds of corner-cases and weird nooks of both the C and POSIX standards; it's getting really tiresome to keep reading about the latest one he's stumbled into, and decided he knows better, and his logic must still and always apply (he worked it out in his head, and everything.)

"Social" media posting about the latest does not really move understanding forward, in the same way that patching source-code in collaboration with others does (the original meaning of the FLOSS movement.) IRC rooms and mailing-lists about code are far more interesting, and useful to learning.

Frankly, Poeterring is starting to read like someone having a breakdown: he keeps looping over the same nonsense, without any apparent ability to stop himself and step back. He needs a lie-down and a few weeks off, imo.

And preferably a "promotion" to where he can't do any more harm to codebases around the world; he'd truly make a great sales-executive.
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
Posted: Sat Jul 29, 2017 11:05 pm

miket wrote:
Do I care about multiple seats?
Zucca wrote:
I think you can have them without systemd.
This really winds me up. s/seat/display/g and oh look, X has had the "concept" since inception.
miket
Guru
Joined: 28 Apr 2007
Posts: 488
Location: Gainesville, FL, USA
Posted: Sun Jul 30, 2017 12:16 am

steveL wrote:
miket wrote:
Do I care about multiple seats?
Zucca wrote:
I think you can have them without systemd.
This really winds me up. s/seat/display/g and oh look, X has had the "concept" since inception.

Ah, the sad fact is that what they want is immensely more complicated than that. Think of the fairly sane model of multiple users logging into a computer: use ssh (or in the bad old days, telnet) to get a TTY session, or use an X display manager to get a graphical login. Next think of a computer lab where there is a room full of separate computers wired together on the LAN, each having a monitor, keyboard, mouse, speakers, and USB ports. Now hit your head with a brick and mash these two concepts together.

A multiseat box, an instance of the unholy chimera that is the delight of its advocates, has multiple monitors plugged into it with matching keyboards, etc. They arrange sets of these devices at separate desks as in a normal computer lab. Users sitting at these separate desks (hence "seats") now work under the illusion that each set of monitor, keyboard, mouse, speakers, and what have you is plugged into its own separate computer. Just as such a user of a normal computer lab can insert her USB stick in the reader and have the expectation that others in the lab won't see popup windows for it and can't access it, the multiseat system has to be able to enforce that separation.

Do I have to tell you that 1) this is quite a complicated setup or 2) it would be better done with thin clients?

What they foist on us--and the reason that Polkit is so convoluted--is that they want every *kit-using system to have the potential to be a multiseat system.
proteusx
Guru
Joined: 21 Jan 2008
Posts: 338
Posted: Sun Jul 30, 2017 12:30 am

steveL wrote:
he'd truly make a great sales-executive.

When I first saw a video of LP talking about systemd,
"Not a programmer", I thought, "a salesman or a politico maybe, but definitely not a programmer".
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
Posted: Sun Jul 30, 2017 12:30 am

Quote:
Users sitting at these separate desks (hence "seats") now work under the illusion that each set of monitor, keyboard, mouse, speakers, and what have you is plugged into its own separate computer.
Shades of 1970 and DEC mini-computers! This is what the cloud paradigm leads to. Somewhere the ghost of DEC smiles.
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
Posted: Sun Jul 30, 2017 3:06 am

miket wrote:

A multiseat box, an instance of the unholy chimera that is the delight of its advocates, has multiple monitors plugged into it with matching keyboards, etc.


Wait a minute... You left out the 3274 terminal control unit that sits between the computer and the displays.
_________________
.sigs waste space and bandwidth
Goverp
Advocate
Joined: 07 Mar 2007
Posts: 2006
Posted: Sun Jul 30, 2017 8:16 am

depontius wrote:
miket wrote:

A multiseat box, an instance of the unholy chimera that is the delight of its advocates, has multiple monitors plugged into it with matching keyboards, etc.


Wait a minute... You left out the 3274 terminal control unit that sits between the computer and the displays.

Whoa! You can't possibly go back to the old 3270 days; current hardware isn't powerful enough to run all the *kits required ;-)

IIUC the trouble with the multiseat concept is that 99.999% of users don't need it, and the one user that does (a hacker or the NSA) doesn't want us to know they're using it anyway.
_________________
Greybeard
Fitzcarraldo
Advocate
Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom
Posted: Sun Jul 30, 2017 9:30 am

Goverp wrote:
IIUC the trouble with the multiseat concept is that 99.999% of users don't need it, and the one user that does (a hacker or the NSA) doesn't want us to know they're using it anyway.

Seems the concept is more attractive in third-world countries with limited education budgets:

https://en.wikipedia.org/wiki/Multiseat_configuration#Case_studies

If the Brazilian Ministry of Education is providing four seats per machine in the same way as was done for the Paraná State project, it would be interesting to know the comparative cost of those 356,800 seats versus thin clients:

89,200 (356,800/4) machines capable of supporting four monitors and four keyboards
+ 356,800 monitors
+ 356,000 keyboards

versus

45,000 schools x N servers per school (N would probably be more than one server per school)
+ 356,800 thin clients
+ 356,800 monitors
+ 356,800 keyboards

Looks to me like multiseat computer deployment could be cheaper in that situation.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
Posted: Sun Jul 30, 2017 4:32 pm

steveL wrote:
This really winds me up. s/seat/display/g and oh look, X has had the "concept" since inception.
miket wrote:
Ah, the sad fact is that what they want is immensely more complicated than that. Think of the fairly sane model of multiple users logging into a computer: use ssh (or in the bad old days, telnet) to get a TTY session, or use an X display manager to get a graphical login. Next think of a computer lab where there is a room full of separate computers wired together on the LAN, each having a monitor, keyboard, mouse, speakers, and USB ports. Now hit your head with a brick and mash these two concepts together.
Lul; that pretty much sums it up. ;)
Quote:
A multiseat box, an instance of the unholy chimera that is the delight of its advocates, has multiple monitors plugged into it with matching keyboards, etc.
Yes, but this is what X has always called multi-display (vs multi-screen); if we think in those terms it's much easier, since we're not using a neologism that only confuses the issue.
(It's hard enough dealing with the odd inversion in role, from the user perspective, of the words "server" -- on the user's machine -- and "client", which are better when more precise: "display server" and "client program". I just think "X" and "program", and keep in mind that they talk via a network protocol.)

The DISPLAY is central to X, and always has been; to the extent that the standard way to tell you're running under X from shell, is: [ -n "$DISPLAY" ], and has been so for decades.
YTF would an "expert desktop programmer" want to call it something else? It makes no sense.

I find it painful to follow such convolution of thought; rebranding of a wheel and calling it something else, only obfuscates.
And ofc provides "justification" for looney-tunes ideas and dismissal of real-world experience.
Quote:
Do I have to tell you that 1) this is quite a complicated setup or 2) it would be better done with thin clients?
Hehe, nope; I agree entirely.
LTSP has been delivering low-cost, high-quality thin client installations for decades.

IF there were any scope to use "fat" multiple-display client machines, each with their own X server, to save money across an installation, then that would have been best-explored in collaboration with LTSP.
ISTR they told them it wasn't worth it, though (LANs are only getting faster, after all); and as usual Poeterring decided that the domain-experts telling them that, simply meant they had to go ahead.

Examples to back up "as usual": discussions with pro-audio folks prior to pulsefail; with kernel networking folks prior to kdbust; with dhcp implementors prior to the systemdbust dhcpcd failfest; with every UNIX programmer who bothered to state an opinion, prior to systemdbust itself, never mind the "gentle Putsch".
Quote:
What they foist on us--and the reason that Polkit is so convoluted--is that they want every *kit-using system to have the potential to be a multiseat system.
Yeah, that's the pretext; flawed reasoning is par for the course, as is a crippling inability to backtrack on clearly dud implementations.

There is a technical issue with running "client" programs which need to blit to the display; ofc the answer there is to run your games etc, on your own machine, which everyone does anyway. And for other programs, we separate out the UI part from the rest; quassel is a good example, with the core running remotely, when configured. This is just MVC. So, the whole thing seems a kerfuffle about not much.
(Even if there are low-level changes to how toolkits blit, it will still be X; just like ethernet is still called "ethernet", despite changes in the type of cable used.)

Younger coders will grow up used to network separation in the context of websites. The browser is the display, view logic and handling goes there, but the controller (app or "business" logic) and the model (database) are on a remote machine.
It'll be interesting to see what the self-motivated ones come up with; especially if, or once, they grok the power of simplicity.
AJM
Apprentice
Joined: 25 Sep 2002
Posts: 189
Location: Aberdeen, Scotland
Posted: Mon Jul 31, 2017 2:02 pm

Fitzcarraldo wrote:

If the Brazilian Ministry of Education is providing four seats per machine in the same way as was done for the Paraná State project, it would be interesting to know the comparative cost of those 356,800 seats versus thin clients:
Looks to me like multiseat computer deployment could be cheaper in that situation.


A few years ago, maybe, but I'm not so sure now. Even a fairly basic server is capable of serving up a large number of remote desktops - definitely multiple tens, anyway. Thin clients used to be expensive for what they were, but now you can use a really cheap off-the-shelf device like the Raspberry Pi.

You would end up with far fewer machines needing active administration too - just a few servers, the thin clients shouldn't be running much by way of vulnerable / accessible services and being identical one image suits all of them - a simple no-skill-needed SD card swap if you want a real belt-and-braces approach.
Amity88
Apprentice
Joined: 03 Jul 2010
Posts: 260
Location: Third planet from the Sun
Posted: Mon Jul 31, 2017 2:03 pm

Does anyone know if there are any internet-facing servers out there that are on SystemD? It's there in both SLES 12 as well as RHEL 7. So, shouldn't we be hearing about many attacks on these servers? Are we missing something? It doesn't add up.
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
Posted: Mon Jul 31, 2017 2:31 pm

Amity88 wrote:
Does anyone know if there are any internet-facing servers out there that are on SystemD? It's there in both SLES 12 as well as RHEL 7. So, shouldn't we be hearing about many attacks on these servers? Are we missing something? It doesn't add up.


I have spoken with people in two "server maintenance" organizations, and neither shop likes systemd. My former employer is moving Linux clients to RH7.x, but their servers as well as my current employer's servers are at RH6.x. I suspect that the delay in moving servers to systemd is related to the maintenance shops' preferences, and to the fact that the entire server industry is quite conservative.
_________________
.sigs waste space and bandwidth
Fitzcarraldo
Advocate
Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom
Posted: Mon Jul 31, 2017 2:59 pm

Amity88 wrote:
It's there in both SLES 12 as well as RHEL 7.

And Ubuntu, since Ubuntu 15.04. Ubuntu Server is popular in commercial installations too.

I know someone with an Internet-facing server running Ubuntu Server 16.04 and he gets much the same attacks as my non-systemd Internet-facing server (i.e. a hell of a lot of attacks, whatever the init system). Providing an Internet-facing server is properly protected with a good firewall and a good NIPS with frequently updated rules sets, as we both are, I don't see why there would be any significant difference in the number and success of attacks on Internet-facing servers using systemd and those not using systemd.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
Posted: Mon Jul 31, 2017 3:31 pm

I think the whole multiseat farce really sums up how out of touch with reality RedHat is.

Like most normal human beings, I occupy one seat and use several computers. RH is utterly oblivious to the fact that anyone could have a combination of more than one PC, laptop, phone, personal server/VPS, etc. They have not a single product for making the most common use case easier or simpler, only harder. To them, human beings are mathematically perfectly spherical employees that exist in a frictionless vacuum whose lives can be pigeonholed neatly into a NFS homedir share on a RHEL server, sitting at dumb fat terminals running Containerized Gnome 3 Apps written by a clique of sanctimonious FDO e-celebs running Fedora on their new Macbooks.

They've been pushing this delusion for years and constantly try to offload the burden of this web 2.0 mainframe fantasy on the rest of the Linux-using world, all so they can increase their own margins selling support for this pile of incomprehensible manufactured bullshit nobody needs. The only thing that'll put an end to the insanity is seeing them go bankrupt. But we're stuck with the damage for decades to come if we wait for that to happen.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
Posted: Mon Jul 31, 2017 4:01 pm

Ant P., they are targeting corporate development shops. Individuals get the leftovers / are used by Fedora as unpaid guinea pigs.
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
Posted: Mon Jul 31, 2017 4:27 pm

Fitzcarraldo wrote:
Looks to me like multiseat computer deployment could be cheaper in that situation.
Coulda-woulda-shoulda.
AJM wrote:
A few years ago, maybe, but I'm not so sure now. Even a fairly basic server is capable of serving up a large number of remote desktops - definitely multiple tens, anyway. Thin clients used to be expensive for what they were, but now you can use a really cheap off-the-shelf device like the Raspberry Pi.
Yeah, devices are only getting cheaper; the trend is toward more and more individual devices, rather than toward "let's share a PC between 4 of us at the same time."
Quote:
You would end up with far fewer machines needing active administration too - just a few servers, the thin clients shouldn't be running much by way of vulnerable / accessible services and being identical one image suits all of them
Yup; though the same can apply to a fat client over BOOTP (or PXE nowadays.)

Still, thin clients save money on power, which is one of the major costs, as well as easier administration as you say; much less to tftp to the clients, and the Xsession servers gain much more efficiency in terms of effective use of shared software: one copy of libreoffice between 25-30 clients, rather than one every 4. Again, easier to administer, and lower RAM usage overall (meaning you don't have to pump up 89,200 desktops to make them into effective desktop-servers.)

In the shared-PC case, you have one Xserver shared between 4 people; in the thin-client case they're all running their own individual X display server.
I know which one I'd prefer as a user: don't kludge my GUI with whatever some bod sitting next to me is doing in hers.

Then you get to all the contortions required to share a PC effectively, according to the nubs; which the network admins showed Poeterring over 5 years ago, was a busted flush.

Individual devices are cheap, and have been getting cheaper for decades. Labour is not.
The whole thing is a dead-end, afaic.

It was never based on need; or there'd be mailing-lists with people asking for exactly this facility, before it was conceived.
This was mentioned before, but no-one could point to any sysadmin ever asking, nor any mailing-list with users pining wistfully for the ability to share their PC and graphics-card with another user, if only they could.
In fact the trend had always been the other way round, with KVM switches becoming cheaper, and more popular in the home.

It was always based solely on "hey look, we could do blah from here" considered as "therefore we should". (it sounds "kewl", especially if what you're talking about is an excuse for taking over machines with unneeded crap.)

If we're talking about the trend for "modern" desktop apps (or more likely the toolkits) to blit directly to the screen or a canvas, then sharing the X display server between 4 users at the client end, can only be counter-productive.
The "thin" client will actually be much more capable as a modern desktop than the nubskool-recommended shared machine, despite costing much less both initially and in usage, for power drain and admin costs, as well as network bandwidth (don't bog your LAN down if you don't need to: or your LAN will run less smoothly overall.)

And ofc you can use your old desktop machines, that certainly can't run Winbloze, and are unlikely to be powerful enough to serve as shared desktops (4 users, 2 multi-display graphics cards, and much RAM required as we're going to hold all those bloated apps in our RAM as well as the X server and user data), as thin clients in the meantime. In fact, you can even use your phone, or a browser, etc.

Effectively you've gone to 89,200 Xsession servers, with one X display server contending 4 users, instead of 2/15 of that number, and an X display server per-user.
All on the notional basis that buying all that upscale hardware for 89,200 Xserver machines is cheaper than centralising your resource-usage for non-GUI computation. Which seems to be arguing with history.

But hey, if it's worked for some bods in Brazil, great. I'm just a bit tired of that always being the quoted "case story"; is it even current any more? Where are the other installations from people who've realized that clearly there's money to be saved, based on the case story everyone always quotes.

Checking the given link, we find the userful press release from February 17, 2009 (listed on wikipedia as retrieved one year before then) since after all: "The chosen companies to implement this project were the Canadian multiseat Linux software company Userful Corporation, and its Brazilian IT partner ThinNetworks."

Another link on wikipedia, related to: "Userful offers a commercially supported multiseat Linux solution called Userful Multiplier", is in fact broken; so if we s/www2/www/ we get this address about multiseat-linux and this in fact redirects to a page on Desktop Virtualization:
Quote:
Userful Multiplatform, a virtual desktop software, delivers a choice of customized Microsoft™ Windows, Linux and a free, integrated cloud desktop simultaneously to multiple displays within a local area network. With a dramatic reduction of hardware, software and electricity requirements, Userful Multiplatform enables anyone to save money and still enhance computing power.
Sounds good. This must be the page that shows how useful this multiseat hoopla is.. and what do you know?
Quote:
Unlike traditional thin client devices, the Userful hardware endpoint device is the thinnest possible thin client. As a true zero client, it is essentially a network graphics card, sound card and USB hub. Much of the encoding, decoding and compression traditionally needed for a one PC per seat solution is completely eliminated. This creates a much more efficient computing architecture with two to three times the multimedia performance of a conventional thin clients, at about 25-50% the cost. Zero clients are available from many leading hardware brands.
So much for fat, multiseat client-machines; the company supposedly backing all this multiseat on linux hoopla declared it a dead-end years ago, and is going in entirely the opposite direction.

I'm hopeful, but not optimistic, that this is the last time we need to discuss "multiseat" on a technical level.
The socio-political aspects (like how people still keep posting that "case study" without checking the background, and why wikipedia remains so inaccurate, and indeed partisan, on this issue) are ofc what this thread is about.
Amity88
Apprentice
Joined: 03 Jul 2010
Posts: 260
Location: Third planet from the Sun
Posted: Tue Aug 01, 2017 3:29 pm

Fitzcarraldo wrote:
Amity88 wrote:
It's there in both SLES 12 as well as RHEL 7.

And Ubuntu, since Ubuntu 15.04. Ubuntu Server is popular in commercial installations too.

I know someone with an Internet-facing server running Ubuntu Server 16.04 and he gets much the same attacks as my non-systemd Internet-facing server (i.e. a hell of a lot of attacks, whatever the init system). Providing an Internet-facing server is properly protected with a good firewall and a good NIPS with frequently updated rules sets, as we both are, I don't see why there would be any significant difference in the number and success of attacks on Internet-facing servers using systemd and those not using systemd.


I dunno much about NIPS. I take that they're kinda like an antivirus package on the hardware level which works with packets?

Out of curiosity, what do you think of this (typical?) scenario ?:

1. You have a program listening on a port on the server (e.g. HTTPD on a web server)
2. Say the firewall closes all other ports except for this one.
3. An attacker exploits a vulnerability in this program and gets local restricted access (the firewall would be bypassed)
4. Say he eventually manages to break out of any containers that this program runs in. (I recently heard of a vulnerability in Xen that allowed guest VMs to modify stuff on the host)
5. NOW at this stage, wouldn't it make things worse for us if the server happens to run SystemD? I mean with all the silly holes, it might be trivial to get root and own the system, wouldn't it?
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
tld
Veteran
Joined: 09 Dec 2003
Posts: 1816
Posted: Tue Aug 01, 2017 3:47 pm

Amity88 wrote:
5. NOW at this stage, wouldn't it make things worse for us if the server happens to run SystemD? I mean with all the silly holes, it might be trivial to get root and own the system, wouldn't it?
I'd certainly think so. Given the inept stuff we've all seen, plus all the desktop-related crap going on in the systemd PID1 that has NO place on a server, plus the way they love to screw with the once-simple unix security model... I'd think the odds of having some means of privilege escalation would almost surely be much higher. I still strongly believe that there are hackers out there that are just not "showing their cards" until more companies fall for this mess.

Tom
miket
Guru
Guru


Joined: 28 Apr 2007
Posts: 488
Location: Gainesville, FL, USA

PostPosted: Tue Aug 01, 2017 4:08 pm    Post subject:

Amity88 wrote:
Out of curiosity, what do you think of this (typical?) scenario?:

1. You have a program listening on a port on the server (e.g. HTTPD on a web server)
2. Say the firewall closes all other ports except for this one.
3. An attacker exploits a vulnerability in this program and gets local restricted access (the firewall would be bypassed)
4. Say he eventually manages to break out of any containers that this program runs in. (I recently heard of a vulnerability in Xen that allowed guest VMs to modify stuff on the host)
5. NOW at this stage, wouldn't it make things worse for us if the server happens to run SystemD? I mean with all the silly holes, it might be trivial to get root and own the system, wouldn't it?

At step 4 you refer to a vulnerability in Xen. Though running the web server inside a hypervisor like Xen or LVM would be safer than running in a chroot or a container, a solution like that requires that the guest have a full kernel and a separate root file system. This makes the Xen-like solution more resource-intensive and less convenient for the host to modify the guest's files. The solution in vogue today, containers, is a lot more lightweight.

So yes, an exploit in Xen that lets you break into dom0 would be a bad one, but it would not let you into a number of servers that are running today. You said "break out of any containers that this program runs in". Let's look there.

One of the myriad features of systemd is systemd-nspawn, a program that starts the systemd flavor of containers. Of course, they want you to use that. This makes the attack surface even bigger since there is part of systemd inside the container also. It happily communicates with the container's host over D-Bus.

Now if you started your containers in some other way (LXC, libvirt, docker, or whatever else) you're not in the clear either. Evidently you can talk over D-Bus with any of those also. Since surely they want your guest systems to bring systemd to the party, they'd be in the guest anyway.

The firewall indeed mitigates the threat but does not eliminate it.
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3509

PostPosted: Tue Aug 01, 2017 4:34 pm    Post subject:

miket wrote:
The firewall indeed mitigates the threat but does not eliminate it.


The issue is defense in depth. Plan on any of your layers failing, at some point. You'd clearly prefer to not have multiple layers failing. Having one (or two) layer(s) be particularly fail-prone is bad.
_________________
.sigs waste space and bandwidth
Fitzcarraldo
Advocate
Advocate


Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom

PostPosted: Thu Aug 03, 2017 4:23 am    Post subject:

steveL wrote:
But hey, if it's worked for some bods in Brazil, great. I'm just a bit tired of that always being the quoted "case story"; is it even current any more?

steveL, just for information (I have no axe to grind and am not an advocate either way), the Brazilian nationwide project ('ProInfo') did and does exist, funded by the Federal Government, although much of the information on the Web is obviously in Portuguese. You are right that Userful and its Brazilian representative ThinNetworks have since moved to promoting thin clients instead of multiseat in the X.Org fashion. Their page on the ProInfo project is:

http://www.thinnetworks.com.br/casos-de-sucesso/ministerio-da-educacao/

ThinNetworks (translated) wrote:
Results
800 thousand workstations installed in schools all over Brazil during recent years.

However, to confuse matters, in Brazil the term 'multiterminal' in Portuguese is used for multiseat systems with multi-head graphics cards, as well as for multiseat systems with USB docking stations (similar concept to DisplayLink), as well as for systems using zero-clients or thin-clients.

ThinNetworks supply (supplied?) their own models of multi-head video cards for their multiseat installations:

8-head (PCI):
http://www.thinnetworks.com.br/multiterminal/placa-de-video-tn-502/

2-head (PCI-e):
http://www.thinnetworks.com.br/multiterminal/placa-de-video-tn-750/

The problem with the ThinNetworks systems is vendor lock-in (the ThinNetworks bespoke hardware, drivers and customised Ubuntu requiring ThinNetwork licences to use the system). See e.g. the YouTube video Configurando o Linux Educacional 5.0 no Multiterminal in which a frustrated guy (IT support) in 2016 showed how to install Educational Linux 5.0 and the ThinNetworks licences on a school’s multiseat system (ProInfo procurement auction 83/2008) and curses the support, the software installation and Linux generally (he wishes he could wipe it and install Windows). Some teachers in Brazil don't like Linux at all and complain they cannot install the Microsoft Windows applications they want to use. But that's another story. Also, as you will read in the article linked below, the Ministry of Education does not take out a support contract with ThinNetworks at the end of the initial support period. It's a different world.

There is currently a debate on how to support the existing ThinNetworks multiseat systems and how to change to a different technology for future installations. Coincidentally, three weeks ago C3SL (the Centre of Scientific Computing and Free Software, IT Department, Federal University of Paraná), the developers of 'Paraná Digital' (the project that provided the multiseat systems in all state schools in Paraná State), posted the following article on the Web site for Educational Linux (Ubuntu-based distribution developed by C3SL for the Federal Government):

https://linuxeducacional.c3sl.ufpr.br/2017/07/10/multiterminais-limitacoes-e-a-busca-por-solucoes/

I have gone to the trouble of translating it below (no big deal, as I speak the language):

C3SL (translated from the Portuguese) wrote:

Multiseat, limitations and the search for solutions
[10 July 2017]

C3SL (Centre of Scientific Computing and Free Software, IT Department, Federal University of Paraná)

The history:

The use of multiseat in education began in the IT laboratory of DINF/UFPR (IT Department of the Federal University of Paraná), in 2005. Soon after came the first mass implementation in 'Paraná Digital', consisting of more than 40 thousand work places. The solution adopted was based on the use of more than one standard video card and the availability of motherboards with a sufficient number of PCI slots for these. The solution's software was totally free thanks to local development in conjunction with the Linux graphics community (X.org). Remote processing was another assumption adopted; that way the processing capacity and memory necessary for each terminal could be considered low and a single CPU offered sufficient computational resources to provide a pleasant use experience to the user.

After, with the release of Educational Linux 3, FNDE/MEC (National Fund for the Development of Education / Ministry of Education) adopted similar principles and began to deliver multiseat equipment to Brazilian schools. However, some years after the appearance of multiseat, some technology changes began. Firstly, the evolution in integrated circuits enabled computer motherboards to begin to offer in an integrated manner resources that previously were only available via expansion cards connected to the input/output bus. With this integration, the number of available PCI slots on motherboards began to decrease.

At the same time, graphics adapters moved to being also graphics accelerators, and the manufacture of low-cost graphics adapters was discontinued. The advent of graphics accelerators increases the speed demand on the bus, leading to the creation of new standards, resulting in the technical impossibility of building an adequate number of slots on motherboards to have several video cards connected simultaneously. Further, the ample availability of graphics accelerators led to a transformation in graphical interfaces, which moved to rely on these resources to implement interfaces with advanced 3D resources. At an accelerated pace the GNOME and KDE graphical environments discontinued the development of the 2D interfaces and the main Linux distributions passed to having the new 3D interfaces as standard.

Finally, the appearance of advanced applications on the Internet, including Flash, videos, javascripts and other plugins, increased the processing and memory demand necessary for navigation on the majority of pages.

The problems:

The principal limitations that restrict current multiseat technology are:

– Non-existence of standard hardware for its construction, creating dependency on proprietary hardware and maintenance difficulties. New versions of hardware, even small changes, often impede the working of complete [IT] laboratories, making it necessary for tests and development of solutions to circumvent the current problems.

– Non-existence of open-source software solutions for the drivers of devices for multiseat, creating technology dependency and difficulties updating software and for management of licences.

– Lack of graphics acceleration for rendering in video hardware of the video interfaces. The acceleration via software is very expensive computationally and presents compatibility problems.

– Difficulty in migration to new versions of Linux distribution due to the lack of the necessary graphics support. This limitation imposes downgrade of the software, impacting simple tasks such as mere navigation on the Internet.

– The amount of necessary resources for a good user experience to support four simultaneous users is not easily found in the more common computers on sale in the marketplace.

The search for resolution of the problem:

The system of multi-terminals used currently in the country is developed by the company Userful, whose Brazilian representative is ThinNetworks. This system has its [source] code closed, making it impossible to improve it, implying the necessity to create a new system. The system in use also presents some problems, principally related to the need for licences, that are not recognised by many of the legitimate computers of the procurement auction by the MEC (Ministry of Education), and result in a screen interrupting its use temporarily or disabling one of the terminals. These problems are not resolved by the company, as it does not provide assistance after the end of the contract and the Ministry of Education laid down that it would not buy new licences for this end.

Thus, with each new version of Educational Linux, we try to develop and implement a multiseat system with free software. Our objective in this search is not to lose the existing installed computing base, that depends on multiseat for complete functioning. Professor Laércio de Sousa and the Centre of Scientific Computing and Free Software (C3SL) of the Federal University of Paraná have worked together in the search for a multiseat system with free software. Laércio, IT advisor in the Education Secretariat of the municipality of Mogi das Cruzes - São Paulo State, identified the feasibility, came up with the existing solution and studies the compatibility with the existing hardware in the schools for the production of this new system. C3SL, at the Federal University of Paraná, has the role of packaging, adapting and automating the processes of installation and configuration of multiseat, as well as ratifying the solution in the procurement auctions of the Ministry of Education as of 2010.

But why have we not solved this problem yet?

Despite combined efforts, various obstacles exist to the solution of this problem. And they are described by Laércio de Sousa himself as follows:

"The principal obstacle for a 100% free solution for multiseat in Educational Linux 6 is the maintenance of the drivers for the ThinNetworks video cards. The only open-source driver actually available for Ubuntu 16.04 and derivatives (xf86-video-siliconmotion) is only compatible with the TN-502 cards, making unviable the solution for the computers of the [Ministry of Education] procurement auctions 69/2008, 68/2009 1st batch (with ATI Rage XL Quad cards) and 23/2012 (with TN-750 cards). Additionally, even for the TN-502 cards, the support of the standard video driver is only 99% reliable, still remaining subject to what we call the 'stripy screen bug'. To circumvent this bug, we resort to an ISO with a minimal installation of Ubuntu 12.04 with Userful Multiseat activated, just to bring the video back to normal.

Another delicate question is that this standard video driver has not been maintained for some time, becoming subject to breaking compatibility with future versions of X.Org X11 Server. Additionally, this driver is not compatible with new graphics technologies for Linux, such as Wayland. For the computers of the procurement auctions 23/2012 and later, it is possible, in principle, to substitute the TN-750 video cards with others with better Linux support, like those of AMD or NVIDIA, and thus guarantee better support to the multiseat terminals. In the procurement auctions 71/2010 and earlier, this is not possible, due to the limitations of the processor and motherboard used.

If nobody takes up the development of the drivers for the video cards based on the Silicon Motion chips (such as the models of ThinNetworks), the future of multiseat with the current ProInfo hardware is seriously threatened."

To sum up, the standard Ubuntu driver:

– is only compatible with the TN-502 cards (aside from procurement auctions 23/2012, 68/2009 1st batch and 69/2008),

– it is subject to what we call the "stripy screen bug" (to solve it, we resort to a special ISO that we created, with a minimal installation of Ubuntu 12.04 + Userful Multiseat, just to 'clean' the video outputs and, after a restart, go back to the main system),

– it has not received official maintenance for some time, becoming subject to not working in the next updates to the X.Org X11 Server.

– it is not compatible with new graphics technologies for Linux, such as Wayland.

Conclusions according to C3SL:

In a technical note sent to the National Education Fund, C3SL left it clear that:

"Based on the considerations put, the C3SL/UFPR team believes that the multiseat system, in its current technology, should no longer be used in Brazilian state schools. It is also recommended that modern alternative technologies be adopted that make feasible the provision of workstations in the [IT] laboratories of the schools at a reduced cost, with a view to filling the gap left by the non-adoption of the current multiseat system."

Apart from not recommending the use of the technology at this time, C3SL, acting with Laércio de Sousa, is trying to develop a new technology to enable the survival of the computational installations already existing, as stated previously.

I won't bother translating the readers' comments at the bottom of the article but they also make interesting reading, such as a link to Laércio de Sousa's explanation how to install Ubuntu 16.04 on the existing ProInfo equipment and his advocacy of moving to docking stations using DisplayLink technology, which I think might be a different can of worms.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog


Last edited by Fitzcarraldo on Thu Aug 03, 2017 10:26 am; edited 1 time in total