Brutkey

Fritz Adalis
@FritzAdalis@infosec.exchange

Infosec Lurker | Technical Debt Collector

It's not for fun, or any sense of community.
It's just trying to dull the pain.

I have friends everywhere.

Notes: 24714 | Following: 0 | Followers: 0 | Pronouns: he/him

Fritz Adalis
@FritzAdalis@infosec.exchange

So why doesn't everyone just run Forgejo in a GitHub CI/CD worker?

Fritz Adalis
@FritzAdalis@infosec.exchange

Am I like the only person who sorts Taco Bell sauce packets?

Fritz Adalis
@FritzAdalis@infosec.exchange

#sleepysunday #BlackCat

Fritz Adalis
@FritzAdalis@infosec.exchange

Okay, if you're using #Proxmox, make sure you just use the defaults. I tried upgrading my cluster to 9.0, and apparently you can't do that if you didn't format the drive with zfs. I used btrfs because I figured why waste the ram on zfs when I'm not storing vms on the local disk?

Can't even boot into rescue mode -- it doesn't have the logic for btrfs. I could probably fix it, but I don't want to learn that much about grub. I already know far more about grub than I want to. It's easier to just reformat new.

Fritz Adalis
@FritzAdalis@infosec.exchange

Linux is broken AF

Fritz Adalis
@FritzAdalis@infosec.exchange

So ISC DHCP is apparently end of life, replaced by #Kea. Looks neat on the surface, I figured let's take a look.

My gateway runs #OpenBSD, but the Kea port is a little bit old. How hard could it be to roll a couple of version numbers? So I set up a vm to build and test.

Okay, so it turns out they completely changed the build process between 2.x and 3.0, to Meson. It seems to do both configure and make. Gotta update the port and learn how to deal with Meson. I'm sure it's wonderful.

Only ran into one real porting issue. Apparently OpenBSD does something different with bpf_timeval, and it's a different type? And Boost doesn't know how to convert it. Fortunately this was already a problem in nmap and worked around, so I copied the workaround.

Wait. Bpf? Nmap? Why does a dhcp server have its own network stack?!

Anyway I get it to compile and start to look at the installation part. That's when it dawns on me: THEY RUN EVERYTHING AS ROOT IN THE YEAR OF OUR LORD TWENTY TWENTY-FIVE.

They split each section of the server into its own process, it'd be perfect for a least-privilege bind-ports-and-drop-privs model with everything as a different user. They do fuzzing as part of the build! They set LIBCPP_HARDENING_MODE! Well, they set it to FAST which only does like two checks but at least they set it!

And how about that, they recently posted a couple of LPE vulnerabilities that wouldn't have worked without root. (Should have checked that first...) I suspect there will be more.

Note: I did see their instructions for running as non-root. It's a completely manual process that only works on Linux (by assigning capabilities). Everything still runs as the same user, and that user has CAP_BIND_RAW. It's also not the default and literally zero people will do this.

/rant
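The bind-ports-then-drop-privileges model the post is asking for, as an added example in portable POSIX C (this is not Kea's code or the OpenBSD port's). It binds the DHCP server port while still root, drops to an unprivileged uid/gid, and then verifies the drop cannot be undone; the uid/gid 65534 and the udp/67 bind in main are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket while still privileged. udp/67 (DHCP server) needs root
 * or a bind capability; port 0 lets the kernel pick a free port so the same
 * function can be exercised unprivileged. Returns the fd, or -1 on error. */
int bind_udp(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Drop to an unprivileged uid/gid once the sockets are bound. Order matters:
 * supplementary groups, then gid, then uid (after setuid the others would
 * fail). Refuses uid/gid 0 and checks the drop cannot be undone. 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (setuid(0) == 0) return -1;   /* still root-capable: saved uid leaked */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(void) {
    int fd = bind_udp(67);           /* as root: bind first, drop second */
    if (fd < 0) { perror("bind udp/67"); return 1; }
    /* 65534 is a constructed example uid/gid ("nobody" on many systems) */
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    printf("bound udp/67, now running as uid %d\n", (int)getuid());
    /* request handling would continue here without root */
    close(fd);
    return 0;
}
```

Each of Kea's separate processes could do this with its own uid, so a bug in one of them yields that user's access rather than root.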

Fritz Adalis
@FritzAdalis@infosec.exchange

Okay, one question.

What's wrong with you people?