Linux

65097 readers

944 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Dirty Frag: Universal Linux LPE - allows any unprivileged local user to gain root access on a vulnerable Linux system - no patch available (github.com)

submitted 8 hours ago by rabber@lemmy.ca to c/linux@lemmy.ml

33 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] CodenameDarlen@lemmy.world 1 points 6 hours ago (4 children)

What's up with all these vulnerabilities?

Kind of worried to be honest, two in like a week? Pretty scary.

I'm very dumb about Linux technical stuff but I feel like root access is way too easy to be accessed.

Is there any way to make it harder? I mean let's say similar to Android, you need to unlock the boot loader first, flash a recovery and flash Magisk or something, that's a good layer before root access.

At least for Linux Desktop, maybe make it so we can get root access only via a bootable USB with a correct password? Just for sporadic system changes.

Is there anything like that?

[–] wampus@lemmy.ca 1 points 2 hours ago

With AI enabled bug hunting, you're likely to see a blitz of vulnerabilities, followed by a significant reduction in vulnerabilities.

Yes, malicious folks are usin em -- heck, Kali's had AI integrations for a while on a bunch of its tools even, for pen testing. But devs writing code get em too, and those are the people we need to see using these sorts of workflows as it lets them clip a bunch of zero days.

I think Mozilla, as an example, had a recent patch that cleaned up something like 271 zero days? Anthropic taking their Mythos stuff to banks/govt was largely just a publicity thing to try and shut people up who were mocking claudes code, but also potentially because it'd found govt-placed backdoors that they wanted the gov to know were about to be exposed / patched. The USA's alleged ability to "shut off" tech assets during raids in Venezuela and Iran, gets trickier if AI is exposing their back doors. Likely also why the US Administration is now saying they want to review AIs before they get released. Mythos definitely isn't the only game in town for this sort of stuff -- but the general idea that the dev teams will be shifting to using these tools for QA / writing more secure apps in the near future, is fairly valid. So I wouldn't go too tinfoil hat-y on that front... though it is a period where we'll see a need to patch aggressively, and to double check security configs etc.

[–] superglue@lemmy.dbzer0.com 8 points 5 hours ago (2 children)

This exploit appears to be inspired by the copy fail.

Should you be worried? Nah, You should not be installing untrusted software on your device. This isnt even the type of exploit that scares me. Your device gas to already be compromised for this exploit to succeed.

Supply chain attacks are what scare me.

[–] corsicanguppy@lemmy.ca 2 points 3 hours ago

Supply chain attacks are what scare me.

As a former OS security pro, this is the right answer. Not because of the exploit itself, but because young (unmentored) coders readily trust some really bad patterns of pulling in random junk from the web and running it. THIS is how the LPE becomes essentially an RCE-level problem.

[–] AnAmericanPotato@programming.dev 1 points 3 hours ago

There are two types of users: those who run untrusted software, and those who are way too trusting.

[–] favoredponcho@lemmy.zip 1 points 3 hours ago

There is an LLM called mythos from Anthropic that is very good at finding vulnerabilities.

[–] idriss@lemmy.ml 1 points 6 hours ago (1 children)

if somebody has user access to your computer, they are already 95% there, so I am not worried about these priv escalation part of the last 5%

[–] CodenameDarlen@lemmy.world 3 points 5 hours ago* (last edited 5 hours ago) (1 children)

If you refer to physical access I wouldn't say that, I've encrypted partition.

But if you're saying just access to my main user inside the OS, then I'd really like if you could elaborate with real examples how can user access do any harm to my system without root access.

[–] Corngood@lemmy.ml 2 points 4 hours ago

For me the scariest thing someone could do on my pc is exfiltrate all the data from my home directory which is readable by my user account.

Maybe I'm misunderstanding you, but that's harm to me without root access.