⌨ Labor omnia vincit ☮

pam-python: local root escalation (CVE-2019-16729)

Posted in openSUSE, security by anaumov on 30.09.2019

Last week the openSUSE Security Team spent some time checking and reviewing the PAM module from the pam-python project. The main reason was to make sure that the source code of the project is secure enough and, of course, bug free. Badly implemented PAM modules may cause user authentication to always succeed or otherwise badly influence security.
The audit was done by Malte Kraus. He found a local root exploit in version 1.0.6, which had been the latest stable version since August 2016. Upstream reacted immediately: Russell Stuart, the author of pam-python, released a new official version, 1.0.7.
The PAM module from version 1.0.7 is whitelisted by the openSUSE Security Team. I rebuilt the pam-python packages and made them available to all openSUSE users.

I’m going to LinuxDay in Dornbirn, Austria

Posted in Events, openSUSE by anaumov on 10.10.2018

This weekend I am going to LinuxDay, the German-speaking Free Software one-day event. It takes place at the higher technical school in Dornbirn, Austria.
Organized by Linux User Group Vorarlberg, it has two timelines of presentations/talks scheduled and stands of many Free Software projects including openSUSE, Debian, Devuan, etc. It looks a bit like LinuxTag or FOSDEM. Here you can find photos from the last years.

This time it celebrates 20 years, so I think it is a good reason to visit this event now. And not just this: it is very beautiful there at this time of the year. For sure I will take my family there and continue to enjoy the trip on Sunday 🙂

Libre Linux (GNU Kernel) on openSUSE

Posted in Linux Kernel, openSUSE by anaumov on 09.10.2018

As we know, the openSUSE project doesn’t provide official packages for the Linux Libre kernel. There is a simple reason for that: the default openSUSE kernel doesn’t include some proprietary modules; it’s free. All proprietary parts of the kernel can be found in a separate package, kernel-firmware. But there are still users who want to use exactly the GNU version. So, why not? This short tutorial describes how to build and install Libre Linux on openSUSE Leap 15.1 (openSUSE TW needs the same instructions).

Right now in the Leap 15.1 repository the kernel version is 4.12.14.

> uname -r
4.12.14-lp151.16-default

Let’s check the latest available 4.x kernel on the FSF server. Right now the latest available kernel there is version 4.18. Its size is less than 100 Mb. Download it:

> wget -c \
https://linux-libre.fsfla.org/pub/linux-libre/releases/LATEST-4.N/linux-libre-4.18-gnu.tar.xz

Before we continue, I recommend verifying file integrity. The .sign files can be used to verify that the downloaded files were not corrupted or tampered with. The steps shown here are adapted from the Linux Kernel Archive, see the linked page for more details about the process.

> wget -c \
https://linux-libre.fsfla.org/pub/linux-libre/releases/LATEST-4.N/linux-libre-4.18-gnu.tar.xz.sign

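Having downloaded the signature file, you can now verify the sources with gpg2. The first attempt below fails with “No public key” because the signing key is not in the keyring yet; after importing the key, the second attempt shows an example of correct output: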

> gpg2 --verify linux-libre-4.18-gnu.tar.xz.sign
gpg: assuming signed data in 'linux-libre-4.18-gnu.tar.xz'
gpg: Signature made Mon 13 Aug 2018 01:25:14 AM CEST
gpg:                using DSA key 474402C8C582DAFBE389C427BCB7CF877E7D47A7
gpg: Can't check signature: No public key

> gpg2  --keyserver hkp://keys.gnupg.net --recv-keys \
474402C8C582DAFBE389C427BCB7CF877E7D47A7
key BCB7CF877E7D47A7:
12 signatures not checked due to missing keys
gpg: key BCB7CF877E7D47A7: \
public key "linux-libre (Alexandre Oliva) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

> gpg2 --verify linux-libre-4.18-gnu.tar.xz.sign 
gpg: assuming signed data in 'linux-libre-4.18-gnu.tar.xz'
gpg: Signature made Mon 13 Aug 2018 01:25:14 AM CEST
gpg:                using DSA key 474402C8C582DAFBE389C427BCB7CF877E7D47A7
gpg: Good signature from "linux-libre (Alexandre Oliva) " [unknown]
gpg:                 aka "[jpeg image of size 5511]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4744 02C8 C582 DAFB E389  C427 BCB7 CF87 7E7D 47A7

The primary key fingerprint looks good.
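
gpg prints “Good signature” for any key that is in the keyring, and the WARNING above means nothing yet ties this key to its owner, so the fingerprint has to be compared with a copy obtained independently of the keyserver. The following script is an added example, not part of the original post: it pins the fingerprint shown above and checks it against gpg’s machine-readable --status-fd output. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). EXPECTED_FPR is copied from the
# gpg output shown above; confirm it through a channel other than the keyserver.
EXPECTED_FPR="4744 02C8 C582 DAFB E389  C427 BCB7 CF87 7E7D 47A7"

# Read `gpg --status-fd` lines on stdin. Succeed only when a VALIDSIG line
# carries the pinned primary-key fingerprint and no failure status appears.
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing key, field 12 (when present) the primary key.
        $2 == "VALIDSIG" {
            fpr = toupper((NF >= 12) ? $12 : $3)
            if (fpr == pin) ok = 1; else bad = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# Verify detached signature $1 over file $2 against the pin (needs gpg2 and the
# signer's public key in the keyring; human-readable output is discarded).
verify_pinned() {
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$EXPECTED_FPR"
}

# Constructed status lines for illustration (timestamps and algorithm ids are
# sample values, not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BCB7CF877E7D47A7 linux-libre (Alexandre Oliva)
[GNUPG:] VALIDSIG 474402C8C582DAFBE389C427BCB7CF877E7D47A7 2018-08-12 1534116314 0 4 0 17 8 00 474402C8C582DAFBE389C427BCB7CF877E7D47A7'

# A cryptographically valid signature, but made by a key that is not the
# pinned one (constructed fingerprint). Plain `gpg --verify` would accept it.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 constructed example key
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-08-12 1534116314 0 4 0 1 8 00 1111111111111111111111111111111111111111'

# Usage: sh verify-pinned.sh linux-libre-4.18-gnu.tar.xz.sign linux-libre-4.18-gnu.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: $2 is signed by the pinned key"
    else
        echo "FAIL: no valid signature from the pinned key on $2" >&2
        exit 1
    fi
fi
```

The check fails closed: an empty status stream, a bad or expired signature, or a valid signature from any other key in the keyring all return non-zero.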

If everything goes well, untar the downloaded kernel:

> tar xfv linux-libre-4.18-gnu.tar.xz
> cd linux-4.18

Well… now comes the personal part of the installation process, i.e. you know best what you should take care of when creating the config file, what hardware you have that your kernel should support, what kind of optimization you want, etc. That’s the most important step of this entire tutorial. For example, a well-configured kernel can save a few seconds of boot time, while a badly configured kernel will not boot at all 🙂
To prepare the configuration, you will need a base kernel configuration: a plain text file called .config. There are many ways to create a .config file. It’s the same as for the official Linux kernel.
Before we can configure our new kernel we need to install all required dependencies.

# zypper in gcc make ncurses-devel bison flex libelf-devel libopenssl-devel bc
# make menuconfig
# make -j4
# make modules_install
# make install

If you have never built a Linux kernel before and it scares you, you can just run make menuconfig and close it without changing anything. It will scan your hardware and generate a default config. This configuration will include much more than you really need, but it guarantees that the new kernel will boot.

After installing, we can still find the native openSUSE default kernel in the GRUB menu. I think this is the default behavior today in most GNU/Linux systems. Thus, if something goes wrong and, for example, your new self-configured kernel does not boot, don’t worry.

> uname -r
4.18.0-gnu-lp151.16-default

I think that if it’s your first experience with the kernel compilation process and you get a new kernel that boots and is smaller than the default openSUSE kernel, you can be proud of yourself.
Whatever you get, don’t forget to have a lot of fun 🙂
More info about the Linux kernel for beginners can be found at https://kernelnewbies.org/. More info about GNU Libre Linux can be found at https://www.fsfla.org/ikiwiki/selibre/linux-libre/index.en.html. And, finally, if you are interested in the openSUSE Linux kernel development process, you are always welcome to visit the openSUSE wiki portal 😉

FOSDEM 2K18

Posted in Events, GNU/Linux, openSUSE by anaumov on 08.02.2018

The Free Open Source Developers European Meeting (FOSDEM) 2018 happened over the weekend. FOSDEM is a fantastic conference where Free Software enthusiasts from all over Europe can meet once a year (more than 17000 MAC addresses were registered this time). I really like its unique atmosphere. As usual, 2 amazing days in Brussels, Belgium…

This is the reason why I visit it again and again: it charges you. You see all these developers, visit these talks/presentations, have so many conversations with contributors, and get the innovative ideas that are shared there. It motivates you to get a copy of The Linux Programming Interface & TCP/IP Guide and hack away at your amazing Linux software 🙂
Most of the talks were recorded. That’s nice, but by watching them online you just get information; by visiting these talks in person and taking part in discussions, you get much, much more.

This time I was there together with my LiMux colleagues from Landeshauptstadt München. By the way, as you maybe know, we’re going to share as much as we can until Munich migrates to Windows (unfortunately, for bureaucratic reasons, making software free (sharing it) is sometimes not as easy as we want).

Like last year, FOSDEM was held in so-called “developer rooms”. At first I planned to visit devrooms such as debugging tools, DNS/DNSSEC and security + encryption. That was my target when I planned my program. But as I noticed later, I was not the only one who planned to visit the same talks, hacking sessions and open discussions 🙂 That led to the free-places problem in the devrooms and made my program a bit more dynamic than I had planned 🙂 But don’t get me wrong: that was absolutely no problem for me. Outside we also had very interesting conversations. I met ex-colleagues, friends whom I knew from mailing lists and IRC only, and of course a lot of openSUSE contributors.

I would like to thank FOSDEM’s staff and everyone who made it happen and helped to organize it (I’m definitely going to send feedback to you guys). Thanks to GitHub for the free coffee. Keep it going 🙂 I also have to say thanks to openSUSE’s Travel Support Program, which supported my visit to this amazing event (and not for the first time!). I’m going to visit FOSDEM again next year. My photos can be found here. See you next time 😉

pam-python is available for openSUSE

Posted in openSUSE, python, security by anaumov on 21.04.2017

Last week I came across pam_python, a PAM module that lets you write PAM modules in Python. It seemed interesting to play in this direction, but I had to install it manually. It seems that there were no official packages for openSUSE until now…

Yesterday I built version 1.0.6 for Tumbleweed. Please test it. It’s in our security repo. Feel free to send submit requests.

After installing it we get the /lib64/security/pam_python.so PAM module. It’s just an interface between PAM and your own plugin (which you have to implement). To test it, you will need to add the path of your plugin to the /etc/pam.d/login file (for a getty-access test, for example), as described here.

This code can be used as an example. It will close access for all getty.

> cat /lib64/security/access.py

def pam_sm_authenticate(pamh, flags, argv):
  if str(pamh.service) == "login":
    return pamh.PAM_AUTH_ERR

You will also need to add this line to the /etc/pam.d/login file:

auth required pam_python.so access.py

This is just an example with the login service or getty. pam-python also supports, for example, the ssh and kdm services, and many other interesting things. For more info look at the documentation page.

GNU Screen v.4.5.0

Posted in GNU/Linux, openSUSE by anaumov on 18.01.2017

I’m proud to announce the release of GNU Screen v.4.5. This time it’s mostly a bugfix release. We added just one new feature: now it’s possible to specify the logfile name with the -L parameter (the default name stays screenlog.0). I also spent some time making the source code a bit cleaner.

As you probably noticed, we were going to release 4.5 before Christmas. Unfortunately, we could not do it because of some internal GNU problems. I apologise for that.

As usual, we merged some community patches from our bug tracking system (small patches were also presented in IRC) and I would like to thank everyone who contributes to Screen and helps us to test the development git version!

For openSUSE users: I have already updated our devel package. It will soon be in Factory and, as usual, after the openQA routine the new package will be available in Tumbleweed.

Battleship – Sinclair ZX Spectrum

Posted in fun, myself, openSUSE by anaumov on 07.03.2016

The first computer in my family was a ZX Spectrum. I think I was about 6 when my father bought it. Of course I used this computer for gaming. I started programming later, on a PC. I will never forget the sound of games loading on the Spectrum (software was distributed on audio cassette tapes, and loading into memory was a sound, perceptible to the human ear, interpreted as a sequence of bytes)…

Last weekend I played Battleship with my 5-year-old son. I showed him this game for the first time and we used pencil and paper. He is learning the alphabet and I think this could be a good experience for him. You know that feeling when you have something to show your children and you remember your own childhood. I don’t know why, but I remembered not the “paper version”, but our first computer and how my older brother and I played Battleship on the Spectrum against the computer.
I thought about this until the evening, and that same evening I found this game on the net. I found a lot of different information about this game, the most important of which was the fact that it can be installed on any PC running GNU/Linux. Yaaay… I can’t remember what I had planned to do that night, but before I went to sleep I installed the Spectrum’s Battleship on my x86_64 openSUSE and plunged into childhood for a few hours 🙂
To run Spectrum programs on UNIX/Linux you need to install an emulator. In the case of openSUSE, you need to add the Emulators project first. After that, install the FUSE package. It just works. Just start the fuse binary with the game file name as a parameter.
I would like to thank the FUSE developers and the openSUSE FUSE maintainers. I don’t play “today’s” games, but from time to time I can spend a bit of time on the games of my childhood.

Linux Presentation Day + Leap 42.1 release party in Munich

Posted in Events, openSUSE by anaumov on 16.11.2015

On Saturday we had the openSUSE Leap 42.1 release party in Munich, which I announced a couple of days ago. We had around 20 participants there: about 10 openSUSE users and also about 10 GNU/Linux users from the Linux Presentation Day – people that just started using Free Software and wanted to know more about openSUSE, GNU project, Open Source in general and of course celebrate with us the new release 🙂

But at the beginning I had no idea where we could meet in Munich. On Wednesday I asked on our German ML about a location and Marcus suggested the Linux Presentation Day. Two minutes later I sent an email to the Linux Presentation Day organizers and asked about a separate room with a beamer and power sockets. We got everything we asked for. Thanks a lot for the collaboration!

After that, on Friday (when I was sure about the location and the room was reserved for us) I went to Nuremberg to pick up openSUSE promotional material like USB flash sticks, DVDs, stickers, green “Leap” T-shirts and openSUSE beer. It’s not so far away from Munich. I think, about half of eighth I was at the SUSE office and Richard gave me all the “release party stuff” (last time, when I organized the openSUSE 12.1 release party in Göttingen, I got all this stuff by post, with the exception of the beer of course).

I gave a talk about the openSUSE project in general: the talk was targeted primarily at those who had never heard about OBS, Leap or openQA. I tried to emphasize the role of the community in the openSUSE project.
I got many questions about systemd, SUSE’s impact on openSUSE and the quality of the “Enterprise Core” part which will be used in Leap. I enjoyed talking with many that showed up and received as main feedback from many of those that I talked with.
If you’re going to invite “everybody” to your release party, you don’t need to talk so much about the infrastructure or development model of openSUSE, I guess. That’s important and interesting for developers and Free Software evangelists maybe, but not for users who are still not sure about contributing. For such users it’s more important how good this version is as a desktop system than how easy it is to use a submit request in OBS or which programming language they should use to implement tests for openQA or something like this.

By the way, at Linux Presentation Day we met one journalist from linux-user.de. So, I think my post will not be the only one about this event 🙂

I want to thank Richard and Doug for openSUSE stuff, Linux Presentation Day organizers for hosting us in the VHS building and… thanks to all who joined us! See you next time and have a lot of fun 🙂


openSUSE 42.1 Leap :: Release Party in Munich

Posted in openSUSE by anaumov on 12.11.2015

openSUSE 42.1 Leap was released about a week ago and it is looking good. Now we have a community enterprise system. I would like to thank everyone who contributes to the openSUSE project and helps to make it better.

Of course, we should have an openSUSE release party! The openSUSE community hasn’t had release parties in Munich for a while (since I have lived in Munich I think we have never had one here).

So, what is a release party about? Well… as usual: Linux geeks meet together, speak about features in the new openSUSE version and news in the Free Software world, drink beer and… of course have a lot of fun 😉

A few days ago I started a discussion about the release party with the Linux Presentation Day organizers and it seems that the problem with the location is solved now. We will get a small meeting room with power sockets and a beamer there. That is exactly what we need. I also asked Doug and Robert about some “promotional material”, openSUSE beer and T-shirts. Tomorrow (Friday) I’m going to the SUSE office in Nuremberg to pick it up (the beer cannot be trusted to anybody).

Do you want to be a part of it?
* November 14, Saturday
* I start my presentation at 12:00 AM. I’m going to talk about OBS, Leap and the openSUSE project in general.
* vhs-Zentrum, Münchner Str. 72, Eingang rechts, 85774 Unterföhring
* Don’t forget to bring your good mood and friends 😉

Everybody is very welcome! If you have any questions about openSUSE, the GNU project or Free Software, feel free to come and ask.

openSUSE factory :: dumpe2fs

Posted in openSUSE by anaumov on 02.10.2014

# dumpe2fs 
dumpe2fs 1.42.12 (29-Aug-2014)
Segmentation fault

# echo $?
139

# dumpe2fs -h
dumpe2fs 1.42.12 (29-Aug-2014)
Segmentation fault

> rpm -qf `which dumpe2fs`
e2fsprogs-1.42.12-1.2.x86_64

> cat /etc/SuSE-release 
openSUSE 20140909 (x86_64)
VERSION = 20140909
CODENAME = Harlequin
# /etc/SuSE-release is deprecated and will be removed in the future,
use /etc/os-release instead

# ltrace dumpe2fs
__libc_start_main([ "dumpe2fs" ] 
setlocale(LC_MESSAGES, "")                        = "en_US.UTF-8"
setlocale(LC_CTYPE,"")                            = "en_US.UTF-8"
bindtextdomain("e2fsprogs", "/usr/share/locale")  = "/usr/share/locale"
textdomain("e2fsprogs")                           = "e2fsprogs"
set_com_err_gettext(0x401a00, 1, 1, 0x73676f72707366)                              = 0
add_error_table(0x605260, 1, 1, 0x73676f72707366)                                  = 0
__fprintf_chk(0x7f4fcb90f060, 1, 0x403b42, 0x403b3adumpe2fs 1.42.12 (29-Aug-2014)) = 31
getopt(1, 0x7fff9f754798, "bfhixVo:")                                              = -1
ext2fs_open(0, 0x29000, 0, 0 < no return ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

strace dumpe2fs…

Perl party :)

Posted in fun, hacking, openSUSE by anaumov on 18.07.2014

#!/usr/bin/perl

    ''=~(        '(?{'        .('`'        |'%')        .('['        ^'-')
    .('`'        |'!')        .('`'        |',')        .'"'.        '\\$'
    .'=='        .('['        ^'+')        .('`'        |'/')        .('['
    ^'+')        .'||'        .(';'        &'=')        .(';'        &'=')
    .';-'        .'-'.        '\\$'        .'=;'        .('['        ^'(')
    .('['        ^'.')        .('`'        |'"')        .('!'        ^'+')
   .'_\\{'      .'(\\$'      .';=('.      '\\$=|'      ."\|".(      '`'^'.'
  ).(('`')|    '/').').'    .'\\"'.+(    '{'^'[').    ('`'|'"')    .('`'|'/'
 ).('['^'/')  .('['^'/').  ('`'|',').(  '`'|('%')).  '\\".\\"'.(  '['^('(')).
 '\\"'.('['^  '#').'!!--'  .'\\$=.\\"'  .('{'^'[').  ('`'|'/').(  '`'|"\&").(
 '{'^"\[").(  '`'|"\"").(  '`'|"\%").(  '`'|"\%").(  '['^(')')).  '\\").\\"'.
 ('{'^'[').(  '`'|"\/").(  '`'|"\.").(  '{'^"\[").(  '['^"\/").(  '`'|"\(").(
 '`'|"\%").(  '{'^"\[").(  '['^"\,").(  '`'|"\!").(  '`'|"\,").(  '`'|(',')).
 '\\"\\}'.+(  '['^"\+").(  '['^"\)").(  '`'|"\)").(  '`'|"\.").(  '['^('/')).
 '+_,\\",'.(  '{'^('[')).  ('\\$;!').(  '!'^"\+").(  '{'^"\/").(  '`'|"\!").(
 '`'|"\+").(  '`'|"\%").(  '{'^"\[").(  '`'|"\/").(  '`'|"\.").(  '`'|"\%").(
 '{'^"\[").(  '`'|"\$").(  '`'|"\/").(  '['^"\,").(  '`'|('.')).  ','.(('{')^
 '[').("\["^  '+').("\`"|  '!').("\["^  '(').("\["^  '(').("\{"^  '[').("\`"|
 ')').("\["^  '/').("\{"^  '[').("\`"|  '!').("\["^  ')').("\`"|  '/').("\["^
 '.').("\`"|  '.').("\`"|  '$')."\,".(  '!'^('+')).  '\\",_,\\"'  .'!'.("\!"^
 '+').("\!"^  '+').'\\"'.  ('['^',').(  '`'|"\(").(  '`'|"\)").(  '`'|"\,").(
 '`'|('%')).  '++\\$="})'  );$:=('.')^  '~';$~='@'|  '(';$^=')'^  '[';$/='`';

Attention…

Artefacts :-)

Posted in humor, openSUSE by anaumov on 12.06.2014

S.u.S.E. Linux 4.4
For Linux installation… ready 😉

openSUSE :: stumpWM

Posted in Lisp, openSUSE by anaumov on 08.02.2013


When you think about GNU/Linux, you probably think about servers or data storage systems. It could also be development machines or maybe desktops (but probably not). For me GNU/Linux was always a place for different experiments and also a platform on which I can implement my ideas (which often break the system). So, today I would like to tell you a bit about the Stump Window Manager.

Let’s start by saying that stumpWM is a tiling, keyboard-driven X11 window manager written entirely in Common Lisp, and Common Lisp is one of the dialects of Lisp, a family of multi-paradigm programming languages (supporting a combination of procedural, functional, and object-oriented programming paradigms). There are many reasons to use stumpWM. For example, you would like to have the benefits of tiling window managers (they tile windows to use the whole screen and focus on a user experience which is highly keyboard driven), or maybe you just want to learn Common Lisp (as we all know, reading the source code of a big professional project is a good idea when you learn a new programming language).

Merry Christmas and Happy New Year

Posted in humor, myself, openSUSE by anaumov on 22.12.2012

If you read this, it means that you have somehow miraculously survived the apocalypse that was scheduled for yesterday. Of course you know that in spite of the end of the world, the role of Open and Free Software stays the same. Hm… this is the most likely reason that you came to my blog, I guess 🙂

And you should be happy not just because you have survived this “sad event”, but also because it is only 2 days until Christmas, and Christmas is the time for gifts! But again, as we all know, we will receive gifts only if, first, Santa has also survived the apocalypse, and second, only those of us who have behaved well:

In any case, I would like to thank all those with whom we have done some work on Open Source projects. A lot of stuff was done this year and it was great to work together with you guys. In the next 2 months I’m going to move to Munich, where I found a new job, and will keep working for the benefit of Free and Open Source Software.

Merry Christmas and Happy New Year! Stay crazy like you are. Never be satisfied, and always push yourself forwards. Believe in yourself. Keep doing the things people say can’t be done (or make no sense or something like this). Be ready to try new things. Keep making Free Software better than before… and don’t forget to have a lot of fun of course 😉

openSUSE :: wrong checksums for Milestone1

Posted in openSUSE by anaumov on 21.11.2012

Just keep in mind that we have broken md5 and sha1 checksums for our milestone 1 images right now (openSUSE 12.3).
So, don’t use the md5 and sha1 files to verify your ISO images. We also have MD5SUMS and SHA1SUMS files and they are correct (use them to verify your images).
I remind you that you can check ISO images with the md5sum and sha1sum tools.
Happy testing 😉