Another failure due to success
-
I know we see a lot of these. This one is from booting the Debian rescue image.
-
@corgimonster said:
Artifacts in image are from the WTFy Java-based KVM
Probably due to rescaling of an antialiased or sub-pixel-rendered font; those look (very) good on their target system but poor in a rescaled screencap.
-
@dkf said:
@corgimonster said:
Artifacts in image are from the WTFy Java-based KVM
Probably due to rescaling of an antialiased or sub-pixel-rendered font; those look (very) good on their target system but poor in a rescaled screencap.
He's talking about the jpeg artifacts around the letters, not the shitty AA. The cap's not rescaled.
-
@dhromed said:
He's talking about the jpeg artifacts around the letters, not the shitty AA. The cap's not rescaled.
Deliberately using JPEG for a screencap and then apologising for it immediately afterwards would be TRWTF.
-
@dkf said:
Deliberately using JPEG for a screencap and then apologising for it immediately afterwards would be TRWTF.
True, but the image is a png, and the little bit of window border is unaffected*, so I believe the artifacts were already in the console output, created by the VM.
*) jpeg compresses with blocks of 8x8 pixels, and the artifacts only lined up when I removed the border.
-
I love how it suggests that you change the permissions on the file so that it is readable by root (whose UID is 0).
-
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
-
@dhromed said:
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
Can God create a stone so heavy even He can't lift it?
-
@joe.edwards said:
@dhromed said:
Can God create a stone so heavy even He can't lift it?
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
If your god is running on a universe protected by NSA donated security systems, yes, quite possibly.
-
@RangerNS said:
Worse, my god is running on Ubuntu.
@joe.edwards said:
@dhromed said:
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
Can God create a stone so heavy even He can't lift it?
If your god is running on a universe protected by NSA donated security systems, yes, quite possibly.
-
@joe.edwards said:
Can God create a stone so heavy even He can't lift it?
Isn't that literally what I asked?
-
@dhromed said:
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
FUSE mount points, by default, are readable only by the user who mounted them; other users have no access, not even root.
-
@SamC said:
FUSE mount points, by default, are readable only by the user who mounted them; other users have no access, not even root.
Also, NFS mounts often squash root. They are only accessible to any other user, but not root. There is the SE Linux that somebody already talked about... And well, the kernel is open, if you want to lock root out of some file, just write your own FS.
-
@Mcoder said:
@SamC said:
FUSE mount points, by default, are readable only by the user who mounted them; other users have no access, not even root.
Also, NFS mounts often squash root. They are only accessible to any other user, but not root. There is the SE Linux that somebody already talked about... And well, the kernel is open, if you want to lock root out of some file, just write your own FS.
Of course, as root, you have rights to modify the kernel or FS driver to unlock access.
-
Which came first, the root user or the kernel?
-
@dhromed said:
Can a file be given permissions so that even root can't read it?
It depends on the filesystem, but yes. For example, AFS won't let you read a file at all unless you've got a suitable cryptographic security token and are either the owner of the file or granted suitable permission via its ACL; you better believe that root can't read your data in such a situation. (It's very useful too; it allows standing up a web server where even breaking in via some shitty PHP exploit won't help you do damage.)
-
Today I learned.
-
@dkf said:
@dhromed said:
Can a file be given permissions so that even root can't read it?
It depends on the filesystem, but yes. For example, AFS won't let you read a file at all unless you've got a suitable cryptographic security token and are either the owner of the file or granted suitable permission via its ACL; you better believe that root can't read your data in such a situation. (It's very useful too; it allows standing up a web server where even breaking in via some shitty PHP exploit won't help you do damage.)
The thing is - root has access to the su command. So if ANYONE on the computer can read a file, root can read that file. They just might need to put on a fake moustache.
-
@Ben L. said:
The thing is - root has access to the su command. So if ANYONE on the computer can read a file, root can read that file. They just might need to put on a fake moustache.
That doesn't work. (It wouldn't be nearly as good a defence if it did.) The access isn't tied to the account, but rather to the security token and su can't grant that as that's a full cryptographic operation to get access to (which I believe is then inherited between processes). I'm not sure if having root access on the file servers or the authentication server would let you see the files; I've not looked into that side of things, and I know we're rather careful with who has access to them in our deployment anyway.
-
To add on to the SELinux point, there are open proof-of-concept machines on the internet such as advertised here that let you login as root in an unbreakable sandbox. Of course that includes files and (I presume) the su command.
-
That's TRWTF. Isn't the point of having a superuser account to have full unrestricted access to the system? Otherwise it's just a moderately powerful user account.
-
@anonymous235 said:
Isn't the point of having a superuser account to have full unrestricted access to the system?
You can have full access to the local system without having access to the other machines around. This is meaningful and useful; you can install complex software locally, but can't look at everyone else's files on the shared filestore.
-
@Ben L. said:
@SamC said:
;
WHAT IS THIS MAGIC
Let's put Harry Crumb and his typewriter expertise on the case.