so the keylogger virus on efi partition backdoors your FDE

or worse ACPI table virus..like lenovo did m-i-t-m foo.

ffects-products-from-other-vendors.html

grr...

correction

3rd time is the charm

award,ami,phoenix.insyde can't even trust the bios vendors..

independent BIOS vendors (IBVs) who lenovo blamed it on..supply chain attack.

mfsbsd.vx.sk boot iso readonly, into ram/in-memory os. the local hd,ssd, or das,nas,san is nothing but data. how i would use freebsd.

i would bake in x11/bhyve into the iso.

cosmic rays and virus cant change .iso image..i know i can trust that.

how can i trust disk based os, that could have bit-flips on ls,grep,awk..you run tripwire/aide each time on os?

static-os image.iso, stable i know if shit starts crashing, its not software must be hardware. another bonus

patch Tuesday is stupid in production

en.wikipedia.org/wiki/SmartOS went that route

i been doing it since like 2007 or so with linux/vmware-vmx unionfs/aufs/overlayfs and squashfs before squashfs was in linux kernel.

en.wikipedia.org/wiki/SquashFS 3x compression

size / 3 = good guess..from what i see.

In 2009 Squashfs was merged into Linux mainline as part of Linux 2.6.29.

yeah no more tainted kernels

mfsbsd and Squashfs would rock.

imgur.com/PN1wOYI 2024 597MB.iso vs imgur.com/9H8EV5S 2021 350MB.iso

kernel,userland,X11/vmware-vmx. enough to run all other os's.

done beating this dead-horse.

imgur.com/02D6W7G stable 100days

thats low value craptop from hp..like $500 bucks

100 day uptime on craptop..

no ECC ram

Who is rennj talking to?

thumbs: you obviously

I was just lurking

SponiX: No, he's not talking to me.

Bo Burnham - Welcome To The Internet

thumbs are you the same thumbs from..... maybe #php or #mysql or i forget where

cause /whois nick fail!

learn irc perhaps

you could tell the channels nick logged into

how about the time /ctcp nick time

how about the time /ctcp GoSox time

GoSox: Maybe.

Frank Gingras

thumbs thaewrapt that_lurker thekingo- thisbe Thorne thorre whats that about

Bo Burnham - Welcome To The Internet

hey frank, you want to argue with me?

Can you just stop flooding this channel with nonsense?

cause zfs,gbde,geli,secure boot is nonsense?

When you're talking to yourself for hours, yes, it is.

says you?

the arbitrator

i think en.wikipedia.org/wiki/SmartOS was on to something. but hey figure it out.

oxide computer

it's all just spam?

rennj: SmartOS is still around: tritondatacenter.com/smartos

o_o i dont think rennj flooding. he is talking about nice topic, i guess.. without him, i dont know anything

Hmhm. I did "reboot" in my local console, and now the server is not rebooted but powered off

This is not the wanted behaviour. Anything I can do to change this?

Hrm, even a ctrl-alt-del in the console makes FreeBSD power off instead of rebooting

freebsd-update fetch && freebsd-update install all your systems asap

If sshd(8) cannot be updated, this signal handler race condition can be

mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and

restarting sshd(8). This makes sshd(8) vulnerable to a denial of service

(the exhaustion of all MaxStartups connections), but makes it safe from the

remote code execution presented in this advisory

okay thank you

please don't paste into the channel

13.3-RELEASE-p4 is fixed isn't it?

souji: yes. `echo | nc localhost 22 | grep 20240701`

ridcully: Ok, thank you!

time for pkgbase to catch up ;)

Successful exploitation of the sshd RCE should be made harder by ASLR, but Linux' implementation appears to only be as random as a toin-coss, according to qualys. Would FreeBSD:s ASLR provide a larger distribution of possible memory addresses?

I'm on root

sysctl: kern.securelevel=-1: Operation not permitted

How to fix

I dont want to "-1", but " 0"

_al1r4d: securelevel can't be downgraded when running the OS, only at boot

debdrup: sorry but it seemed crucial to provide that extra info

should have removed the nextlines

vortexx: for a rce in such a central component, i'd say you did the right call posting quickly

vortexx: that's what the SA is for

|cos|: it's not up for debate.

|cos|: the "toin-coss" is on 32-bit aslr

leah2: ...which is the only architecture the exploit is known to actually work on. beating the odds on 2^19 (linux amd64) requires "a few" more attempts, i guess.

or a better approach ;)

i wonder if the lock in syslog() forfeits these attacks into deadlocks however...

maybe this is drifting off-topic, but i'm bit confused about syslog() vs. syslog_r(). the problem is that the former is not reentrant when called from a signal handler, right?

syslog_r is an openbsd thing

i remember comparing them in the past, and getting confused since linux syslog() says it's thread safe. guess i never even got around to consider calling it from a signal.

but yes, that is the problem

glibc syslog is not thread safe, as the exploit shows

the manpage on claims "Thread safe" "MT-Safe"

yes, but not AS-Safe

(it's thread safe, but that doesn't matter here)

nice job by the security team in responding to the regreSSHion bug so quickly!

+1

Hi. How do I use the new cloud-init support in 14.1? When I set an SSH key for a new instance in OpenStack, nothing seems to happen in FreeBSD.

...and the logs from the first boot say: "/etc/rc: ERROR: Impossible to find a cloud init provider"

tunedal: you need this image download.freebsd.org/releases/CI-IMAGES/14.1-RELEASE/amd64/Latest

it should work out of the box

at least it worked with sysutils/vm-bhyve

Hmm, I think I used the BASIC-CLOUDINIT image, not the BASIC-CI one. Shouldn't that work?

tunedal: you are right, I probably misled you

it should have worked

I mean, it works in the sense that it boots, but it's not getting configuration from OpenStack to set up the SSH keys. The error message seems to be /etc/rc.d/nuageinit looking for a disk with configuration – but shouldn't OpenStack provide that somehow?

is this true? wiki.freebsd.org/PkgBase#Status I don't see any updates for today yet, and it's 13:30 UTC

good morning from California party people. I see the buzz is already going about today's news x_x

it should show you a diff

rtyler in terms of ssh?

aye

yeah recompiling - looks rushed, the commit message should have been p2 - cgit.freebsd.org/src/commit/?h=rele…59e2f689d4014136048a8e470e852bdc69b

Probably better to inform the commiter via email.

folks, any idea what is the impact of the new opensshd remote code execution to freebsd? It looks openbsd is not impacted, but no idea with freebsd

lets not have any misinformation

here is the official security advisory

thanks, that is what I was looking for

if you like to use a newsreader, here is the feed:

There is interesting discussion of the issue here: news.ycombinator.com/item?id=40843778

thx

that is interesting discussion, thanks!

agreed, that was helpful

I'd like to create an user just to pull backups from a server, since that user wouldn't have any login privileges where would be the bsd way to store its keys? /var/ids/user ?

you can make that user's home directory whatever* you want

but /var/ids doesn't make quite as much sense as /home/user

if you're following hier

Just don't put them in /tmp

vkarlsen: that's what the * was for

:)

rtprio so nologin but /home/user, ok.

that's what i would do

s2r: you can't use the user that pushes the backups to the backup server?

rtprio I would rather do a pull from the server.

s2r, I wonder what is happening when one "pulls backups from the server"? I either have the server pull a backup from a client. Or... I have the client push a backup to the server.

In order to restore a backup almost certainly it needs to be the root user to restore owner:group:mode of files.

In order to push backups almost certainly it would need to be local root and remote storage might be unpriviledged blob storage.

In order to pull a backup onto a server the server would almost certainly need root access to the client in order to perform the backup pull. And then locally they would already be root but perhaps might be a non-privileged user locally storing backup blobs.

syncoid privileges for non-root user, fwiw: github.com/jimsalterjrs/sanoid/wiki/Syncoid#running-without-root

i do pulls, whether scp or sanoid/zfs

As I read that root has bestowed specific feature permissions send,hold,mount,snapshot,destroy for datasets to the non-root user elevating that user to an equiv-for-dataset-access for backup for that user. It's a reduced privilege set.

But it does include destroy in the set. So not completely without teeth to bite with.

And there is still the need for ssh access (I presume ssh is being used for access) and therefore the user credentials for ssh authorization still need to be managed. Which is at the point of the question from s2r asking "I'd like to create an user just to pull backups from a server, since that user wouldn't have any login privileges where would be the bsd way to store its keys?"

If I ignore my question clarifying "pull backups" then the keys would normally go in $HOME/.ssh/authorized_keys normally. However the sshd_config may be modified to have the authorized_keys file located elsewhere. Anywhere else. And as far as I know there is no BSD standard other location for it. It would be a local decision to locate it where it is thought best to locate it.

I've added a HDD to my server, and running "zpool attach zhdd raidz2-0 /dev/da0" but I get "cannot attach /dev/da0 to raidz2-0: can only attach to mirrors and top-level disks". What am I missing?

FreeBSD 14.1-RELEASE with updated ZFS on pools

The zhdd pool consists of disks da1 through da6 atm

not being able to add disks to a raidz, its there in the message

Yes, I know. But that should be able to do now

What? It's possible to expand raidz2 VDEVs now?

Are you sure that is available in 14.1R?

I thought it was added with 14.0, but tbh I can't find it now of course

I see some preparation for it in cgit.freebsd.org/src/commit/?id=78c9d8f1ce65 but not that it is all there yet.

Well clearly I don't know anything so... Good luck! It's a feature we would all love to have available!

yup. My pool is getting to close to full. want to add another 12TB disk to it

The steady state of disks is full.

?

spare disk space is like socks. Always close to none left

s2r, rwp, what I do is i have a $script_user and an $scp_user. the script_user has rights to run backup scripts to prepare the things to be transferred. then the scp_user has the right to scp from a specific location. and each of their authorized_keys files specifies various restrictions, such as a specific command (script) for the script_user to run, and scp_user has no-pty