Fanbois huh?  vi or emacs?

I'm going to be critical here - it is rare that you have personal choice over the tools your system uses. Do the job in front of you. If that means you support windows ME as a security portal(!), that's what you do... at least until you find a better job.



On Thu, Sep 29, 2016 at 12:21 PM, Russell Coker via luv-main <luv-main@luv.asn.au> wrote:
On Thursday, 29 September 2016 11:08:00 AM AEST Tim Connors via luv-main
wrote:
> Stop using it!  And that part is easy, just run
>
> NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""
>
> in a while 1 loop as an ordinary user.
>
> https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet

(user_t:SystemLow-s0:c0.c100)root@play:~# NOTIFY_SOCKET=/run/systemd/notify
systemd-notify ""
-bash: systemd-notify: command not found
(user_t:SystemLow-s0:c0.c100)root@play:~# ls -l /bin/systemd-notify
ls: cannot access /bin/systemd-notify: Permission denied
(user_t:SystemLow-s0:c0.c100)root@play:~#

The Jessie SE Linux policy doesn't permit this.  So my SE Linux Play Machine
would be resistant to this attack even if it had a /run/systemd/notify socket.

A system configured as a test Play Machine running Debian/Unstable has /run/
systemd/notify but unprivileged users (even as root) are not permitted to
access it.  So even if a hostile user compiled their own systemd-notify
program or copied it in from another system it still wouldn't do any good.

The "targeted" policy (the default) would permit this though.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main



--
Dr Paul van den Bergen