“Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Discussion in 'all things UNIX' started by lotuseclat79, Oct 21, 2016.

  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    I expected to get my hands dirty, I had no problems with that. I actually enjoyed installing Arch the old way, I read and printed the beginner's guide, and any problem that was googleable and solved within 10-15 minutes I was cool with that. Of course I had backup. But you can't stay away from systemd forever. Eventually the old init system got pulled I think and you really have no choice.

    But two major breakages that were due to this "change it all!" philosophy made me wary.
    So what you're implying is that Arch is "better" now?
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Where are you getting this info from? I've already told you at least 3 times that all you need to do is to do "pacman -Syu". Why do you think you need to re-configure the Kernel at all and do you think previous settings are lost? It's a ".pkg.tar.xz" package just like any package you download/install. You're not compiling anything, there's no need to reconfigure. You should know this.
     
    Last edited: Oct 26, 2016
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yeah, unfortunately more and more programs are dependent on systemd. I think at some point people will stop maintaining non-systemd distros and programs.

    Two major breakages since 2001, that is for some people only. Not bad at all for a bleeding edge distro.

    And yes, as I've stated many times, Arch is more stable than almost all popular distros you put on the table.
     
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I meant the Grsecurity settings not the compiling. To make it clear: when I first install a kernel with grsecurity patch I need to decide if I want e.g. Chrome to be protected etc. Isn't this done by ncurses style where you tick on/off various options? Let's say I did this and install a kernel security update 3 months from now. So you're saying a kernel security update that I install with pacman -Syu will not touch the specific Grsecurity settings that I did the first time? If so, that's great.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, this is done with PaX.
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That's exactly what I'm saying. You tick a PAX permission to whatever program you want, and then at the next Kernel update (which happens usually twice a week) the settings are still there. Pax permissions are not set by the Kernel.
    You can either do permissions by "setfattr" or by editing /etc/paxd.conf.

    EDIT: Summerheat beat me to it.
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Ok that's cool. So it's a set once and forget system if you want to use Grsecurity.
    I read the opposite on Insanitybit's blog that you have to go through all settings once you do an update but I probably got confused since they were talking about kernel compiling.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That's correct.
     
  9. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks.

    When I migrate to Debian (?) and need support I'll ask you guys.
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Subgraph OS has that aside from not using an LTS kernel, though it's not even in beta yet. They've said by December or January that Chromium will be available and without TOR being mandatory, which is what I'm waiting for. They use Chromium in house & it's Debian based.

    A secure operating system for non technical users, which is how it's being presented.
     
  11. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    +1

    @new2security - definitely keep an eye on Subgraph OS and possibly consider using that when you make the switch. Lot of really great focus on security in that project and I myself might switch eventually (if I can get something other than Gnome 3 - preferably XFCE with openbox).

    @AutoCascade - I'm assuming they have Firefox implemented already? I certainly hope so because I won't be using anything made by Google (even though Chromium is open source). I don't want to support that sphere and would rather keep using FF. I do hope once e10s gets straightened out people will bring its marketshare back up.
     
  12. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks for the suggestion!
    I don't want TOR so it's exciting what they will release in Dec/Jan.

    Their site writes:

    "Package Security
    Subgraph OS ships with a reduced set of packages to minimize the total attack surface."

    But Debian repos are open for downloads? I hope.
     
  13. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    It's almost like a fortress. All the best features all enabled by default.
    TOR; I hope this can be disabled/uninstalled but perhaps it's deeply integrated into the system.
    Also I like it's not a one-man-distro so longevity shouldn't be an immediate issue.
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I think there is a huge possibility that you can download packages from a Debian repo and install on SubgraphOS. However, keep in mind two things:
    • You MUST use the same version of Debian. If SubgraphOS is based off of Debian Stable, you must download the packages for Stable otherwise it's highly likely you'll break the system;
    • You can even add the Debian repo to your sources.list file, but keep its priority low (I don't remember, but I think 100 is a good number).
     
  15. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks for the potential caveats. I'll keep those in mind.
    I might first play around with Debian + grsecurity and if I find it too cumbersome I'll give Subgraph a try.
    My plan is to keep W7 without network connection and add Linux+SSD as main system. Is Linux and SSD seamless nowadays or does it still require plentiful configurations?
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    To be honest, I don't know. I'm still on HD's :argh:
     
  17. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Pretty much seamless. There are a few flags you can set in /etc/fstab to reduce writes (like noatime) or for stuff like fstrim, but you don't even need those for it to work fine. It will work out of the box.

    I was thinking about this though, and I'm not sure that Subgraph will use Debian repos. If they employ package hardening (which Debian sadly does not currently), I would guess the packages would need to be rebuilt.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks, I thought it would be easy.

    That was my concern. If the build flags are different, they might conflict with one another?
     
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Ok, after having used Windows for a couple of years I admit I became really lazy. ^^ Want things to work, no sweating.
    I added noatime flag for my hd years ago, thought it speeded up some.

    A good point. Perhaps Subgraph is more suited for journalists active in dictator-ridden countries.
     
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Once you try SSD you never look back.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    More info in the Arch wiki as usual ;)
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I did read that, though I wasn't sure if I was going to recommend it because sometimes there are tons of differences between what Debian and Arch have to offer :p
     
  23. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    They post a lot of info in their Twitter feed including features they are developing and they have a GitHub page where someone may be able to glean some info about how they are going to use Debian.

    https://twitter.com/subgraph

    https://github.com/subgraph

    @Anonfame1, you had asked about Firefox & they do make a lot of references to Firefox in github - I don't usually shorten links but this one was so big I did this time. I found out about Chromium on github.

    https://goo.gl/o3SrFH
     