Tag Archives: Developers

‘Serious’ Linux Sudo Bug’s Damage Potential Actually May Be Small | Developers


By Jack M. Germain

Oct 16, 2019 10:09 AM PT

Developers have patched a vulnerability in Sudo, a core command utility for Linux, that could allow a user to execute commands as a root user even if that root access was specifically disallowed.

The patch prevents potential serious consequences within Linux systems. However, the Sudo vulnerability posed a threat only to a narrow segment of the Linux user base, according to Todd Miller, software developer and senior engineer at Quest Software and a maintainer of the open source Sudo project.

“Most Sudo configurations are not affected by the bug. Non-enterprise home users are unlikely to be affected at all,” he told LinuxInsider.

Still, the vulnerability is considered serious. That is why Red Hat rated it almost 8/10 in terms of risk, said Jason David, CEO of Software Portal.

“The only fix at this point is to install the patch in Sudo 1.8.28. In the meantime, you could temporarily remove all users from the sudoers (users) file and replace them after the patch has been installed,” he told LinuxInsider.

Developers released the Sudo patch several days ago. However, it must be packaged for each Linux distribution and distributed through the hundreds of Linux communities that maintain individual Linux operating systems.

What It Does

The Sudo bug is designated CVE-2019-14287 in the Common Vulnerabilities and Exposures database. Joe Vennix from Apple Information Security found and analyzed the bug.

The bug affects only Sudo versions prior to 1.8.28; a system on which the patch has been installed is no longer affected. Red Hat rated the flaw with a 7.8 severity score out of 10 on the CVSS scale.

Sudo stands for “superuser do.” Sudo commands are entered into a terminal command line application to carry out routine software management and other Linux system configurations and activities.

Sudo is a system command that allows a user to run applications or commands with the privileges of a different user — such as the system administrator — without switching environments. Most often, Sudo is used for running commands as the root user.

The bug allows users to bypass privilege restrictions to execute commands as root. Basically, it allows attackers to circumvent built-in security options to block root access for specified users.

How It Works

Attackers can use the Sudo exploit merely by specifying the user ID of the person executing commands to be “-1” or “4294967295.” The bug allows both of these user IDs to resolve automatically to the value “0” — the user ID for root access.

Sudo does not require a password to run commands in the context of another user. The exploitation level of difficulty is low, according to Red Hat.

Linux distributions that contain the “ALL” keyword in the RunAs specification in the /etc/sudoers configuration file are affected. The ALL keyword allows all users in a specific group to run any command as any valid user on the system, and usually is present in default configurations of Linux, according to Red Hat.

That bug scenario potentially could have impacted a large user segment, according to some software engineers, but others argued that the problem would not have affected most Linux users.

Pushing the Privilege

Privilege separation is one of the fundamental security paradigms in Linux. In an enterprise setting, administrators can configure a sudoers file to define which users can run what commands.

In a specific scenario in which a user is allowed to run a command as any other user except the root, the vulnerability could allow that user to bypass the security policy and take complete control over the system as root.

Otherwise, the user would have to know the password for root access in order to execute a sudo command. The addition of the parameters -u#-1 or -u#4294967295 to the sudo command is all it would take to gain the extra privileges of root, Miller explained in a post on the Sudo website.

It is always good practice to stay up to date with your distro’s patches and packages. However, unless you have a sudoers file that uses the idiom described above, there is no need to rush to update your Sudo package, noted Miller.

“I am not aware of any vendors who ship a stock sudoers file that would be affected,” he said.

Unique Setup Required

The configuration of the Linux operating system is the critical factor determining whether the Sudo vulnerability can work. The Sudo bug affects only Linux computers that have been configured in a very non-standard way, emphasized Douglas Crawford, tech expert at ProPrivacy.

“It does not affect most Linux systems, and no Linux system is vulnerable by default,” he told LinuxInsider.

The vulnerability affects only systems that have been configured to allow other authorized users to execute a limited set of sudo commands. By exploiting the bug these restricted-access sudoers can execute commands as if they have full sudo (administrator) privileges, Crawford explained.

“Not only is this a very unusual setup, but it is very much not recommended, even without taking the bug into account. It is also only of concern if for some reason you do not trust your restricted-access sudoers not to exploit the situation,” he added. “And if you do not trust your sudoers, then why did you give them any admin privileges in the first place?”

Limited Impact at Worst

The bark seems worse than the bite with this particular Linux vulnerability. It is not really a very critical vulnerability, suggested Chris Morales, head of security analytics at Vectra.

“The system configuration of allowing a user to run a command as any user except does not seem normal to me. This would impact a very specific system with a specific need for that type of configuration,” he told LinuxInsider.

In an enterprise environment, system administrators — and for that matter, other users — can run a quick check to verify if their computers are at risk for the Sudo bug, said Mehul Revankar, senior product manager at SaltStack.

Check sudoers configuration for vulnerable entries by running this command in a terminal:

# grep -r '!\s*root\>' /etc/sudoers /etc/sudoers.d/ | grep -v '^\s*#'

If this command produces no output, the system is not vulnerable; otherwise the configuration needs to be reviewed, Revankar told LinuxInsider. Vulnerable configuration entries will look similar to the following:

alice myhost = (ALL, !root) /usr/bin/vi

If present, these should be disabled or changed to list allowed target user names explicitly and avoid the “!” syntax.
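The following Python script is an added example written for this page; it is not code from the article, from SaltStack, or from the Sudo project. It does two things the "How It Works" section and the grep check above describe in prose: it audits sudoers-style text for Runas specifications that blacklist root with the "!" syntax (tolerating whitespace after the "!" and skipping commented-out lines, which the one-line grep handles only partly), and it models why the user IDs -1 and 4294967295 ended up as uid 0 in Sudo versions before 1.8.28 (the number is stored in an unsigned 32-bit uid_t, and (uid_t)-1 is the "leave unchanged" sentinel for setresuid(), so a process already running as root stays root). The sudoers lines, host names and user names in the sample are constructed for illustration; the `fixed_sudo_accepts` function is a hypothetical model of the 1.8.28 rejection of -1 and its unsigned equivalent, not the project's code.

```python
"""
Added example (not from the article or the Sudo project): audit sudoers text
for the (ALL, !root) Runas idiom behind CVE-2019-14287, and model why the
"-1" / "4294967295" user IDs slipped past a "!root" blacklist before 1.8.28.
All sample sudoers lines below are constructed for illustration.
"""
import re

UID_T_MAX = 0xFFFFFFFF  # uid_t is a 32-bit unsigned value on Linux

# Constructed sample: safe entries, a commented-out entry, and two live
# entries that use the "!root" Runas blacklist the article warns about.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
bob     myhost = (deploy) /usr/bin/systemctl restart app
# alice myhost = (ALL, !root) /usr/bin/vi   <- commented out, not live
alice   myhost = (ALL, ! root) /usr/bin/vi
carol   ALL = (ALL, !root, !admin) NOPASSWD: /usr/bin/less
"""

# A Runas list "( ... )" containing a negated root user. Optional whitespace
# between "!" and "root" is allowed; the word boundary keeps "!rootuser"
# from being flagged.
RUNAS_BANG_ROOT = re.compile(r"\(\s*[^)]*!\s*root\b[^)]*\)")


def live_lines(text):
    """Yield (line_number, line) for non-empty, non-comment sudoers lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield lineno, line


def audit_sudoers(text):
    """Return (line_number, line) for every live entry whose Runas spec blacklists root."""
    return [(n, line) for n, line in live_lines(text) if RUNAS_BANG_ROOT.search(line)]


def uid_bypasses_root_blacklist(uid_spec):
    """
    Model of the pre-1.8.28 behaviour for `sudo -u#<id>` described in the article.
    The parsed number is truncated to an unsigned 32-bit uid_t, so "-1" becomes
    4294967295. setresuid() treats (uid_t)-1 as "do not change this ID", and
    because sudo itself already runs as root the effective uid stays 0 even
    though the value never matched the "root" entry in the blacklist.
    Returns True when the spec would have ended up as uid 0 despite "!root".
    """
    try:
        value = int(uid_spec, 10)
    except ValueError:
        return False                      # a user name, not a numeric id
    as_uid_t = value & UID_T_MAX          # truncation to unsigned 32-bit
    if as_uid_t == 0:
        return False                      # literally root: the blacklist catches it
    return as_uid_t == UID_T_MAX          # (uid_t)-1 => setresuid no-op => still root


def fixed_sudo_accepts(uid_spec):
    """Hypothetical model of the 1.8.28 fix: reject -1 and its unsigned equivalent."""
    try:
        value = int(uid_spec, 10)
    except ValueError:
        return False
    return (value & UID_T_MAX) != UID_T_MAX


if __name__ == "__main__":
    for lineno, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: review Runas blacklist -> {line}")
    for spec in ("-1", "4294967295", "1000"):
        print(f"-u#{spec}: bypasses !root before 1.8.28 = "
              f"{uid_bypasses_root_blacklist(spec)}, accepted after fix = "
              f"{fixed_sudo_accepts(spec)}")
```

Run against real files by reading /etc/sudoers and each file under /etc/sudoers.d/ into `audit_sudoers`; any hit is an entry to rewrite with an explicit list of allowed target users, as the article recommends, or to treat as urgent to patch.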


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.






GNU Project developers object to Richard M Stallman’s continued leadership





Richard M Stallman (RMS) recently put his foot in his mouth by defending a sexual abuser and was pressured into resigning from the Free Software Foundation (FSF). So, was that his end as a free software leader and public figure? Nope. He’s still head of the GNU Project and appears to have no intention of leaving. But some GNU developers would like to see him stand down. While they haven’t explicitly asked Stallman to resign, 18 GNU programmers have said: “We believe that Richard Stallman cannot represent all of GNU. We think it is now time for GNU maintainers to collectively decide about the organization of the project.” (ZDNet)





Swapnil Bhartiya has decades of experience covering emerging technologies and enterprise open source. His stories have appeared in a multitude of leading publications including CIO, InfoWorld, Network World, The New Stack, Linux Pro Magazine, ADMIN Magazine, HPE Insights, Raspberry Pi Geek Magazine, SweetCode, Linux For You, Electronics For You and more. He is also a science fiction writer and founder of TFiR.io.

How Software-Defined Storage Can Empower Developers to Increase Business Value | IT Infrastructure Advice, Discussion, Community


Software developers are now among the most strategic assets of any organization. In today’s fast-paced world, the speed at which one can develop new applications and microservices can dictate whether a company gets to market first or can respond effectively to a sudden competitive move or market shift. In other words, developers are having an unprecedented and direct impact on companies’ – and industries’ – fortunes.

This reality is supported by a 2018 Stripe and Harris Poll study, which predicts software developers’ skillsets alone could add $3 trillion to global GDP over the next decade. Accordingly, 61 percent of C-suite respondents to that study believe access to developer talent is a threat to the success of their business.

Freeing developers to work faster and be more productive

Not surprisingly, organizations aren’t just trying to keep developers focused on what they do best: creating, solving problems, and innovating – they’re also trying to increase their productivity.

Yet, despite the evolving appreciation for developers’ talents, the same study found that many companies are misusing their most important resource. A significant proportion of developers’ time is spent maintaining aging, legacy systems and patching bad software – to the tune of approximately $300 billion per year, with nearly $85 billion being spent addressing bad code alone.

As such, the role of the application architect has emerged in this new world of hybrid platforms to ensure developers’ code runs smoothly, interacts with other services, and makes efficient use of data, regardless of where it is created or consumed.

Meanwhile, development teams are gaining more authority from their line of business managers who realize that their organizations need to harness the immense amount of data they’re collecting and use it for competitive advantage. They want to give developers the ability to provision, and deprovision, resources as they need them, and to develop applications faster than ever before. These managers are prepared to invest in tools that can enable their teams’ success.

The strategic role of storage in agile development

The reality is that developers don’t have time to wait for traditional IT anymore. They need tools and technologies that allow them to work at speed, in an agile manner – supporting, for example, rapid experimentation or the deployment of artificial intelligence (AI), machine learning (ML), and deep learning within their applications.

New methods of accelerating value through application development have emerged in the past few years. While pure public cloud strategies can be quick to deploy, they often lack the performance or governance requirements of other specialized deployments. Hybrid cloud strategies that focus on architecting applications to make the best use of resources, from multicloud, on-premises, remote sites, and even at the device edge, are enabling organizations to enact on data streams at every point in the workflow, greatly optimizing time to value.

Cloud-native application development has grown from largely stateless apps to more stateful applications within distributed systems, requiring the ability to rebalance data, auto-scale, and perform seamless upgrades — all of which can become infinitely easier with persistent, reliable storage.

Exploiting data for competitive advantage

In addition to the flexibility it offers, software-defined storage can help organizations to better harness the value of data, including the continual stream of information and insights gleaned through their applications. Developers and data scientists need to be able to constantly extract, analyze, and react to data to maintain agility, and they can do that more easily with software-defined storage.

Whereas the siloed nature of traditional storage arrays and appliances can inhibit access to data, containerized, open source storage environments facilitate access, regardless of whether data is stored on-premises, at a remote site, at the edge, or in a public or multicloud.

Choosing an IT environment conducive to innovation

This raises a related but important point: many organizations believe the silver bullet to enterprise agility lies in the public cloud. In some cases, this is true, but the public cloud can pose a series of challenges itself. The sum of the “fixes” for these challenges can be costly.

It’s no coincidence that there has been an upsurge in open source container-orchestration systems for application deployment, scaling, and management. Embracing hybrid cloud architecture enables organizations to create flexible infrastructure that suits their diverse business and governance requirements – helping them control costs without sacrificing agility.

Developers must differentiate themselves to stay competitive

Today’s developers are being given unfettered access to the tools and technologies they need to drive innovation and are visibly pushing their organizations and industries forward.

Attracted by growing career opportunities in software and application development, newcomers are flocking into the field – further increasing the pressure on the developer community.

Survival in this highly competitive environment is no small feat. Learning how to differentiate oneself and drive industry disruption consistently takes a high level of skill and determination. Equally, a successful developer needs infrastructure, services, and storage-native solutions that can match the speed of development.




Intel’s Linux Graphics Driver Developers Discover 3~20% Boost For Current-Gen Hardware



Last week brought the one-line Intel Gallium driver patch that boosted performance by 1%. Today's code churn within Mesa for Intel's open-source Linux graphics drivers was larger, and it has a more profound performance impact, with some workloads now running around 20% faster. Making this more exciting is that today's round of driver optimizations applies to the very common and mature "Gen 9" graphics hardware.

Francisco Jerez, a longtime member of the Intel open-source Linux graphics team and former Nouveau contributor, landed patches he has been working on for the past month to optimize the slice/sub-slice load balancing behavior for Gen9 graphics. He discovered that the existing behavior was sub-optimal, and that for the top-tier Gen9 GT4 (Iris Pro) graphics the performance problem was particularly bad.

With Skylake GT4 graphics, this tweaking of the slice/sub-slice load balancing behavior led to up to around a 20% performance boost. In other cases the gain was smaller but still noticeable: Unigine Valley ran 3.4% faster, Gfxbench around 4%, some GpuTest scenes around 8%, and the SynMark tests yielded 15~22% boosts in performance.

The behavior change also helps the lower-tier Gen9 parts but to a lesser extent. Francisco is interested in hearing more feedback from performance testing with Intel hardware from Skylake through Whiskey Lake, Comet Lake, Amber Lake, and other Gen9-using generations.

Following that change to the i965 Mesa driver, Francisco also applied it to the Iris Gallium3D driver too, which is Intel’s next-gen open-source OpenGL driver.

Just minutes ago this optimization was also ported to the Intel Vulkan (ANV) driver within Mesa, but at least in that testing the performance gain is only around 3%.

These Intel Gen9 performance optimizations will be part of the Mesa 19.2 release that should be out by early September and found in the likes of Fedora 31 and Ubuntu 19.10. I’ll be working on some fresh Intel Linux graphics benchmarks shortly.