๐ Quick links thread
-
@Buddy said in ๐ Quick links thread:
@PleegWat if you use java, favor sshj over jsch. Sshj is newer and unproven, but jsch is fucking awful.
We use C. We've only got the bare minimum in java in the product and we want to keep it that way.
-
@Buddy said in ๐ Quick links thread:
But why in the fuck did they decide that 'exec' channels, that are literally just "run this command and redirect stdin and stdout to ssh" should be specified as a string to be parsed by the shell and not an executable name and array of args?
If you're going to Windows, you're effectively stuck with “to be parsed by the shell” since command lines really are single strings that are passed to the subprocess, where they're usually pulled apart by the runtime library before launching your code. IOW, it's not the shell that's parsing the string, it's the subprocess. That would be not too big a deal, except each different runtime vendor does it differently. Thankfully, most code now uses the MS runtime (that's definitely the sanest one), but unfortunately, `cmd.exe` is one of the programs that doesn't use the MS runtime. This is an area where Unix happens to be a bit better; a difference of design decision long ago has had long-reaching consequences.
-
@flabdablet said in ๐ Quick links thread:
user's "login shell" is /bin/cat; those can't run any commands at all.
I believe the convention is to use /bin/false. I still don't see how that's less byzantine than just disabling certain ssh channels for the user, but whatever.
-
@flabdablet said in ๐ Quick links thread:
The ability to invoke arbitrary executables without needing to know anything about the configuration of the server you're invoking them on is also not actually all that useful, mainly because each OS is going to have its own idiosyncratic selection of executables; even if you're restricting yourself to your own executables, those will typically have different naming and pathname placement conventions per OS. Unix, for example, doesn't require that executables' names end in .exe while Windows doesn't typically stuff all its executables into anything like /usr/bin.
Imagine if the ssh protocol gave you a way to access the remote computer's file system, making this entire paragraph invalid.
-
@PleegWat what's wrong with libssh?
-
@dkf well, how does ProcessBuilder do it then?
-
@Buddy Which ProcessBuilder is this? Give me a little more context, please…
-
@dkf java
-
@Buddy OK, that one I understand. :)
`ProcessBuilder` is actually just a wrapper round the existing underlying capabilities of `Runtime.exec()`, which has many overloads. It works by using sensible defaults (heh!) and passing the work to the version of `exec` that takes arguments as an array of individual strings. On Unix, that's a very thin wrapper (almost one-to-one) over the OS system calls that create a process (`fork`) and launch a program within that process (`execve`). I'm not quite sure whether all the other `exec` variants use that route; there's a lot of options that are layered on top (and a whole load of stupid cargo cult BS by people who don't understand what's going on). On Windows, the underlying API is chunkier since it has to add in quotes and spit the result into the `CreateProcess` system call. It's a dastardly complicated API call, but it does in one call things that take several on Unix. The pattern of adding in quotes is probably for the usual MS C++ runtime; it's the most common and the sanest, and it's the one that Java itself sits on top of (there's a very small core of the Java runtime that is written in C++; the subprocess launcher is in this bit, and so is the command line argument handler).
-
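The Windows situation described in the two posts above (one string goes into CreateProcess, the child's runtime splits it, cmd.exe splits it differently), as an added example that is not code from any poster in the thread or from the Java runtime. It implements the documented Microsoft C runtime splitting rules, the matching quoter that ProcessBuilder-style launchers use, and a check for what cmd.exe would see in the same string. The function names are mine; the argument strings are constructed test data.

```python
"""One Windows command line string versus argv: MS runtime rules vs cmd.exe."""
from typing import List

CMD_METACHARS = set("&|<>^")   # operators cmd.exe acts on outside quotes


def split_cmdline(cmdline: str) -> List[str]:
    """Split a command line into argv the way the Microsoft C runtime does
    (documented rules, also followed by CommandLineToArgvW):
      * whitespace outside double quotes separates arguments;
      * 2n backslashes before a quote give n backslashes, quote toggles quoting;
      * 2n+1 backslashes before a quote give n backslashes plus a literal quote;
      * backslashes not followed by a quote are literal;
      * inside a quoted run, a doubled quote is one literal quote.
    argv[0] is special: backslashes are never escapes and quotes only toggle."""
    argv: List[str] = []
    n, i = len(cmdline), 0
    while i < n and cmdline[i] in " \t":
        i += 1
    cur, in_q, started = [], False, False          # program name
    while i < n:
        c = cmdline[i]
        if c == '"':
            in_q, started = not in_q, True
        elif c in " \t" and not in_q:
            break
        else:
            cur.append(c)
            started = True
        i += 1
    if started:
        argv.append("".join(cur))
    cur, in_q, started = [], False, False          # remaining arguments
    while i < n:
        c = cmdline[i]
        if c in " \t" and not in_q:
            if started:
                argv.append("".join(cur))
                cur, started = [], False
            i += 1
        elif c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs, started = j - i, True
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:                       # odd run: the quote is literal
                    cur.append('"')
                    i = j + 1
                else:                             # even run: quote handled next
                    i = j
            else:
                cur.append("\\" * nbs)            # not before a quote: literal
                i = j
        elif c == '"':
            started = True
            if in_q and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')                   # "" inside quotes is a literal quote
                i += 2
            else:
                in_q = not in_q
                i += 1
        else:
            cur.append(c)
            started = True
            i += 1
    if started:
        argv.append("".join(cur))
    return argv


def quote_argv(argv: List[str]) -> str:
    """Inverse of split_cmdline: the scheme launchers like ProcessBuilder use
    (quote when needed, double backslashes that sit before a quote).  argv[0]
    is only wrapped in quotes, since a program path cannot contain one."""
    parts = []
    for idx, arg in enumerate(argv):
        needs_quotes = arg == "" or " " in arg or "\t" in arg
        if idx == 0:
            parts.append('"%s"' % arg if needs_quotes else arg)
            continue
        out, nbs = [], 0
        for ch in arg:
            if ch == "\\":
                nbs += 1
            elif ch == '"':
                out.append("\\" * (2 * nbs + 1) + '"')   # escape quote and preceding backslashes
                nbs = 0
            else:
                out.append("\\" * nbs + ch)
                nbs = 0
        if needs_quotes:
            out.append("\\" * (2 * nbs))   # trailing backslashes must not escape the closing quote
            parts.append('"' + "".join(out) + '"')
        else:
            out.append("\\" * nbs)
            parts.append("".join(out))
    return " ".join(parts)


def cmd_exe_unquoted_metachars(cmdline: str) -> List[str]:
    """cmd.exe is not the MS runtime: a backslash never escapes a quote for it,
    and & | < > ^ outside quotes are operators.  Returns the operators cmd.exe
    would act on; this matters when the program is a .bat/.cmd file, which
    CreateProcess hands to cmd.exe."""
    found, in_q = [], False
    for ch in cmdline:
        if ch == '"':
            in_q = not in_q
        elif not in_q and ch in CMD_METACHARS:
            found.append(ch)
    return found
```

The same string is read two ways: `quote_argv(["run.bat", 'x "&calc'])` round-trips cleanly through `split_cmdline`, but `cmd_exe_unquoted_metachars` reports the `&` that cmd.exe sees outside quotes, because cmd.exe treats `\"` as a closing quote. Quoting that satisfies the MS runtime is therefore not a defence once a batch file is the target.
-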
@flabdablet said in ๐ Quick links thread:
The shell that the ssh protocol passes all commands to is the one specified in /etc/passwd for the user you're connecting as, and there is absolutely no reason you can't create user accounts for access over ssh whose /etc/passwd entries contain something other than /bin/sh. For example, I have a bunch of ssh servers that exist primarily as port forwarders, for which the only ssh-accessible user's "login shell" is /bin/cat; those can't run any commands at all.
Why `/bin/cat`? I thought it was customary to use `/bin/false`. What does `cat` give you?
-
@cartman82 It may be a honeypot of sorts; /bin/false exits right away, and cat will happily sit there waiting for stuff to be piped over STDIN. Will take a while for bots or scripted attack to figure out the princess is in another castle.
But even so, it's dumb. Also, if you just happen to have a buffer overflow in your /bin/cat, hilarity would ensue.
-
@Buddy said in ๐ Quick links thread:
I believe the convention is to use /bin/false.
That means a normal `ssh` is closed immediately, requiring the user to pass an extra flag to the client to not open the normal shell session.
@Buddy said in ๐ Quick links thread:
Imagine if the ssh protocol gave you a way to access the remote computer's file system, making this entire paragraph invalid.
I think that can be turned off separately.
@Buddy said in ๐ Quick links thread:
@PleegWat what's wrong with libssh?
RHEL5 doesn't ship it.
-
@PleegWat said in ๐ Quick links thread:
I think that can be turned off separately
No, what I mean is that it's possible to use sshfs or sftp or whatever to allow the user to find the file that they want to execute, but then it is as good as impossible to execute that file with an array of arguments supplied by the user.
My goal in this would be to manage remote machines without needing to set up a remote session at all. I like to configure whatever environment I use in a way that makes sense to me, and it annoys me that unix is architected in a way that makes that impossible.
-
@cartman82 said in ๐ Quick links thread:
What does cat give you?
Connection stays up until you kill ssh or send an eof on input, even if port forwarding hasn't started yet. If you're using `ssh -L` to set up a local listener that will forward a connection request over the channel, it doesn't actually do that until your local client connects; to keep the channel open until that happens, you need a far-end "shell" that won't exit immediately.
-
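What "disabling certain ssh channels for the user" looks like on the sshd side, as an added example that is not from any poster in the thread: the user keeps an ordinary login shell in /etc/passwd, the session is forced to /bin/cat so that `ssh -L` without `-N` stays up exactly as described above, and every channel other than TCP forwarding to one destination is refused. The user name `tunnel`, the destination `127.0.0.1:5432` and the key are placeholders I made up.

```text
# sshd_config: a forward-only user (constructed example, not the thread's config)
Match User tunnel
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:5432
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/cat

# authorized_keys: the same restrictions bound to a single key
# ("restrict" needs OpenSSH 7.2 or later; key material elided)
restrict,port-forwarding,permitopen="127.0.0.1:5432",command="/bin/cat" ssh-ed25519 AAAA... tunnel@client
```

Two caveats a practitioner should know. sshd runs a forced command through the account's login shell as `shell -c /bin/cat`, so this only works if the shell in /etc/passwd is a real shell; with /bin/false the forced command never starts. And `ForceCommand` ignores whatever the client asked to run (it is exposed to the command only as `SSH_ORIGINAL_COMMAND`), which is the property the /bin/cat trick was reaching for.
-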
@wft said in ๐ Quick links thread:
if you just happen to have a buffer overflow in your /bin/cat, hilarity would ensue
True. But /bin/cat does so little that there are relatively few places for buffer overflows to hide.
-
@Buddy said in ๐ Quick links thread:
it is as good as impossible to execute that file with an array of arguments supplied by the user
Only if sshd is configured to launch your stuff using a truly fucked-up shell. Yes, cmd.exe is a truly fucked-up shell; so much so that setting up sshd to rely on it counts as in my book.
-
@flabdablet said in ๐ Quick links thread:
in my book
Unfortunately, the designers of ssh wrote a different book.
-
@Buddy Which ssh daemon are you using on Windows that forces you to use cmd.exe as the sshd-invoked shell?
-
@flabdablet ever seen GNU cat sources?
-
@flabdablet said in ๐ Quick links thread:
True. But /bin/cat does so little that there are relatively few places for buffer overflows to hide.
```text
$ cat --help
Usage: cat [OPTION] [FILE]...
Concatenate FILE(s), or standard input, to standard output.

  -A, --show-all           equivalent to -vET
  -b, --number-nonblank    number nonblank output lines
  -e                       equivalent to -vE
  -E, --show-ends          display $ at end of each line
  -n, --number             number all output lines
  -s, --squeeze-blank      never more than one single blank line
  -t                       equivalent to -vT
  -T, --show-tabs          display TAB characters as ^I
  -u                       (ignored)
  -v, --show-nonprinting   use ^ and M- notation, except for LFD and TAB
      --help     display this help and exit
      --version  output version information and exit

With no FILE, or when FILE is -, read standard input.

Examples:
  cat f - g  Output f's contents, then standard input, then g's contents.
  cat        Copy standard input to standard output.

Report bugs to <bug-coreutils@gnu.org>.
```
-
@PleegWat When you're using `cat` as a `sshd` "shell", it will only ever get invoked with either
- no arguments, which eliminates all of the above complexities
- a `-c` argument followed by another that's the concatenation of any command and arguments supplied on the ssh command line, which will make it abort immediately with `cat: invalid option -- 'c'`
Even if some of the more tricksy processing has flaws, `sshd` will never invoke `cat` in a way that exercises any tricksy features. I think it's pretty safe.
-
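The exec-request handling the post above describes (the client concatenates its arguments, sshd runs the login shell with `-c` and that string), modelled as an added Python example that is neither OpenSSH code nor code from anyone in the thread. It shows where word boundaries are lost on the way to the remote `sh -c`, how that turns into a second command, and the client-side quoting that prevents it. The shell model is a deliberate simplification (no expansion or redirections); the argument lists are constructed test data.

```python
"""An ssh 'exec' request carries one string, not an argv: what that costs."""
import shlex
from typing import List

SHELL_OPERATORS = {";", "|", "&", "&&", "||"}


def client_exec_string(argv: List[str]) -> str:
    """What ssh(1) sends: its remaining command-line words joined by single
    spaces.  The boundary between words is lost at this point."""
    return " ".join(argv)


def client_exec_string_quoted(argv: List[str]) -> str:
    """Client-side fix: quote every word for a POSIX shell before joining, so
    the remote `sh -c` rebuilds exactly the argv the caller intended."""
    return " ".join(shlex.quote(a) for a in argv)


def sshd_child_argv(login_shell: str, exec_string: str) -> List[str]:
    """What sshd execve()s for an exec request: the account's login shell, -c,
    and the string.  With /bin/cat as the shell this is `cat -c '...'`, which
    dies on the unknown option; with /bin/false it exits at once."""
    return [login_shell, "-c", exec_string]


def remote_shell_parse(exec_string: str) -> List[List[str]]:
    """Model of what `sh -c exec_string` does: POSIX word splitting with quote
    handling, then a split into separate simple commands at ; | & && ||.
    Enough to show which words end up in which command (Python 3.8+)."""
    lex = shlex.shlex(exec_string, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SHELL_OPERATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for argv in (["rm", "-rf", "my dir"], ["echo", "x; id"]):
        print(argv, "->", remote_shell_parse(client_exec_string(argv)),
              "| quoted ->", remote_shell_parse(client_exec_string_quoted(argv)))
```

`["rm", "-rf", "my dir"]` reaches the server as `rm -rf my dir`, four words; `["echo", "x; id"]` reaches it as `echo x; id`, two commands. Quoting each word with `shlex.quote` before the join keeps both as one command with the intended words, which is the only place the boundary can be protected given that the protocol itself carries a string.
-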
@wft said in ๐ Quick links thread:
@flabdablet ever seen GNU cat sources?
Yes.
The only part of GNU `cat` that will ever be running while it's in use as a `sshd` shell is this bit:
```c
/* Excerpt from GNU coreutils src/cat.c; safe_read, full_write, error, quotef,
   input_desc and infile come from the rest of coreutils.  */

/* Plain cat.  Copies the file behind 'input_desc' to STDOUT_FILENO.
   Return true if successful.  */

static bool
simple_cat (
     /* Pointer to the buffer, used by reads and writes.  */
     char *buf,

     /* Number of characters preferably read or written by each read and
        write call.  */
     size_t bufsize)
{
  /* Actual number of characters read, and therefore written.  */
  size_t n_read;

  /* Loop until the end of the file.  */

  while (true)
    {
      /* Read a block of input.  */

      n_read = safe_read (input_desc, buf, bufsize);
      if (n_read == SAFE_READ_ERROR)
        {
          error (0, errno, "%s", quotef (infile));
          return false;
        }

      /* End of this file?  */

      if (n_read == 0)
        return true;

      /* Write this block out.  */

      {
        /* The following is ok, since we know that 0 < n_read.  */
        size_t n = n_read;
        if (full_write (STDOUT_FILENO, buf, n) != n)
          error (EXIT_FAILURE, errno, _("write error"));
      }
    }
}
```
That looks pretty safe and sound to me.
-
@flabdablet whatever the person who created the vm image installed, I guess. Maybe freesshd?
You haven't solved my problem, but at least you've illustrated two things:
- setting it (ssh on windows) up requires CLI dickery that nobody understands
- using the user's default shell as the ssh command runner is a bad idea
-
Guy recreates Prodigy's "Smack My Bitch Up" from the original samples. Using Windows XP for some reason.
-
@Buddy said in ๐ Quick links thread:
@flabdablet whatever the person who created the vm image installed, I guess. Maybe freesshd?
You haven't solved my problem, but at least you've illustrated two things:
- setting it (ssh on windows) up requires CLI dickery that nobody understands
Right, because there couldn't possibly be a GUI-accessible setting on freesshd that lets you pick whatever non-insane shell you want it to use. Complete with a browser button so you don't even need to get your fingers dirty typing one of those icky pathname things.
http://www.freesshd.com/Images/scrs2_large.jpg
- using the user's default shell as the ssh command runner is a bad idea
Using cmd.exe for any purpose is a choice requiring experience, patience, caution and an ability to cope with disproportionate amounts of frustration.
-
@cartman82 said in ๐ Quick links thread:
Using Windows XP for some reason
because the cobweb-and-ash-saturated workstation running Ableton has never had anything on it backed up ever, and attempting to upgrade its Pirate Bay XP might well trigger total loss of the results of ten years of creative work.
Why yes, I have done PC support work for musicians. Why do you ask?
-
@Jarry said in ๐ Quick links thread:
Are you a web developer? Come for work Adult Swim.
Yeah, I'm a webdev, I opened up the devtools, unhid the "Congrats" div, and found a link that redirects to http://jobsatturner.com/atlanta/digital-media-jobs , which surprisingly is a mere search page (luckily searching for Adult Swim works fine).
Do I win a cookie?
-
@Tsaukpaetra said in ๐ Quick links thread:
opened up the devtools, unhid the "Congrats" div
Clicking the first radio button or typing an x into every text box works too.
-
@Tsaukpaetra
yup
document.cookie = "username=Tsaukpaetra;flavour=chocolate; expires=Thu, 05 May 2016 12:00:00 UTC";
-
@Jarry said in ๐ Quick links thread:
flavour=chocolate
Awe, I don't normally consume chocolate things, but I try not to refuse food when freely given!
@flabdablet said in ๐ Quick links thread:
Clicking the first radio button or typing an x into every text box works too.
Ah, but that requires more effort....
-
Stack Overflow: How We Do Deployment - 2016 Edition
Nick Craver goes into nitty gritty details of Stack Overflow's deploy process. An amazing article.
-
[America Has Never Been So Ripe for Tyranny](http://nymag.com/daily/intelligencer/2016/04/america-tyranny-donald-trump.html#)
Long-winded article discussing how democracies may fail, and how decisive the masses supporting Trump could be looking at it from a historical perspective.
-
yay, our code is live! Now we're free to deploy again for that bug we probably just sent out.
yay, modern web development!
-
@JBert We survived Wilson and FDR. I imagine we'd survive Trump, too, though I doubt we'll need to.
-
https://www.youtube.com/watch?v=nb9sLxt-sA0
Height: 55 meters
Length: 255 meters
Weight: 8410 metric tonnes
Distance to travel: About 400 meters.
Live tonight - there'll be a timelapse tomorrow.
-
@PleegWat That's baby tiny compared to this:
-
@blakeyrat Well, yes, but that wasn't moved into place in one piece was it?
-
@PleegWat No, the pieces had to fit through the locks.
-
@blakeyrat
https://www.youtube.com/watch?v=xmWmRQ1_uAE
Cinematic on how it's been built - go to 1m40. Audio is all Dutch and I don't know of an English version.
-
Time lapse of the Bay bridge construction
-
@PleegWat
Nice, but couldn't help but notice a Belgian company doing the move.
I just hope you don't drop it like the last time.
-
@Luhmann It was a Belgian company making the parts too.
-
Well, Back to Smoking: FDA Bans 99 Percent of E-Cigarettes
A 2009 law says all tobacco equipment made after 2007 needs to go through a compliance process. They've (if I'm reading this correctly) just published the details of this compliance process, and it's going to be so costly that 99% of current brands aren't worth it. If past generations knew that “vape” would be colloquial in 201X, they would have assumed it to mean vaporize (with a raygun).
-
@PleegWat said in ๐ Quick links thread:
a Belgian company
My stepfather used to work at Buyck and yes the company literally is called belly.
Currently no big bridges under construction around here. I guess the A11 is the only thing that counts as a big project but the actual moving bridge part is rather small.
-
@JBert said in ๐ Quick links thread:
[America Has Never Been So Ripe for Tyranny](http://nymag.com/daily/intelligencer/2016/04/america-tyranny-donald-trump.html#)
Long-winded article discussing how democracies may fail, and how decisive the masses supporting Trump could be looking at it from a historical perspective.
I finally read this article. Pretty good, if a bit alarmist (I think).
Some quotes.
Mass movements, he notes (as did Tocqueville centuries before him), rarely arise when oppression or misery is at its worst (say, 2009); they tend to appear when the worst is behind us but the future seems not so much better (say, 2016). It is when a recovery finally gathers speed and some improvement is tangible but not yet widespread that the anger begins to rise. After the suffering of recession or unemployment, and despite hard work with stagnant or dwindling pay, the future stretches ahead with relief just out of reach. When those who helped create the last recession face no consequences but renewed fabulous wealth, the anger reaches a crescendo.
For the white working class, having had their morals roundly mocked, their religion deemed primitive, and their economic prospects decimated, now find their very gender and race, indeed the very way they talk about reality, described as a kind of problem for the nation to overcome. This is just one aspect of what Trump has masterfully signaled as “political correctness” run amok, or what might be better described as the newly rigid progressive passion for racial and sexual equality of outcome, rather than the liberal aspiration to mere equality of opportunity.
And though Trump's unfavorables are extraordinarily high (around 65 percent), he is already showing signs of changing his tune, pivoting (fitfully) to the more presidential mode he envisages deploying in the general election. I suspect this will, to some fools on the fence, come as a kind of relief, and may open their minds to him once more. Tyrants, like mob bosses, know the value of a smile: Precisely because of the fear he's already generated, you desperately want to believe in his new warmth. It's part of the good-cop-bad-cop routine that will be familiar to anyone who has studied the presidency of Vladimir Putin.
With his appeal to his own base locked up, Trump may well also shift to more moderate stances on social issues like abortion (he already wants to amend the GOP platform to a less draconian position) or gay and even transgender rights. He is consistent in his inconsistency, because, for him, winning is what counts.
If you like America as it is, vote Clinton. After all, she has been a member of the American political elite for a quarter-century. Clinton, moreover, has shown no ability to inspire or rally anyone but her longtime loyalists. She is lost in the new media and has struggled to put away a 74-year-old socialist who is barely a member of her party. Her own unfavorables are only 11 points lower than Trump's (far higher than Obama's, John Kerry's, or Al Gore's were at this point in the race), and the more she campaigns, the higher her unfavorables go (including in her own party). She has a Gore problem. The idea of welcoming her into your living room for the next four years can seem, at times, positively masochistic.
-
@Luhmann This bridge is part of a larger project to widen the Dutch A9, A1, and A6. The project also includes a land tunnel at Amsterdam-Zuidoost, a new bridge over the Amsterdam-Rhine channel, an aqueduct in the Vecht river (unusual because the aqueduct will contain not just the river, but also the old river dikes, roads, and an eco-passage), and a second bridge over the Gooimeer.
-
Video game designer Daniel Vávra is called racist by an SJW for not putting black people in a videogame about medieval Czech kingdom. Explains that this is because there were none.
Another instance of SJWs expecting slavic game designers to add "racial diversity" in their representations of Medieval Europe.
BONUS: The butthurt idiot then goes and tries to get Vávra fired, not realizing he's the owner of the game studio.
Funny.