On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> >   https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users' sudo password.
>
> Are there any users logged in to your computer you don't trust?
>
> Thought so.
>
> Relax.
>
> Security means first and foremost understanding the threat.

Which I don't.  Hence the request for 'secure by default' instructions
for Debian.  Even better would be a secure by default installation option.

To be clear, I'm not all that concerned about _this_ CVE.  I've got the
disable_mesg.sh file in /etc/profile.d so sending messages with control
codes to other terminals should be disabled for all.  My concern is all
the other stuff that I don't even know about that could be configured in
a more secure manner but isn't.  For heaven's sake, the man page says

  Traditionally, write access is allowed by default. However, as users
  become more conscious of various security risks, there is a trend to
  remove write access by default, at least for the primary login shell.
  To make sure your ttys are set the way you want them to be set, mesg
  should be executed in your login scripts.

Clearly at least the man page writer realized there was a threat there
_and chose not to remove the threat_ !?

So what other goodies are there that I don't know about?  Is there really
nothing better than
  sudo find / <something to show files with uid or gid perms>
and try to figure out which of those programs are not necessary?

And I'm still a bit surprised that needrestart isn't included as part of
the default install.  Or at least as part of the synaptic package manager
install.  I never guessed that I would _not_ be warned that I needed to
reboot after updating software with the synaptic package manager -- that
didn't happen until after I installed needrestart.

> Randomly reaching into the CVE box will most probably keep you from
> actually working on your real issues.  E.g. your browser.

I think it's up to date:

$ cat /etc/motd
lee@spot ~ $ sudo crontab -l
[sudo] password for lee:
...
47 4 * * * (apt update >> apt-update.log 2>/dev/null) && \
  (apt list --upgradable 2>/dev/null |\
  egrep -v '^Listing' >| /etc/motd)

> Or your social media account.

I've never had one.

> Cheers
>
> [1] https://xkcd.com/1200/

I like the quote I saved from the full disclosure mailing list back when
it was fun & exploits were mailed out as attachments:

  And at some point, you really have to ask yourself "Is this really a
  plausible attack method, or did I forget to take my meds again?"
     -- Valdis Kletnieks

Regards
Lee
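The `sudo find / <something>` step Lee asks about, written out as an added example that is not part of this thread or of any Debian package: it lists regular files carrying the setuid or setgid bit, counts them so a before/after comparison is easy, and, where `dpkg` is present, reports which package owns each one (an unpackaged setuid binary is the kind of thing worth a second look). The sample tree it builds is constructed here for an offline run; on a real host you would point `list_setid_files` at `/` instead.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid files.
# The sample tree and the function names are this example's own.

# list_setid_files DIR: regular files under DIR with the setuid (4000) or
# setgid (2000) bit set.  -xdev stays on one filesystem so /proc, /sys and
# network mounts are not walked.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setid_files DIR: how many such files exist, handy to record once
# and diff after package changes.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# describe_setid_file PATH: mode, owner:group, path and (on Debian-based
# systems) the owning package according to dpkg -S.
describe_setid_file() {
    f=$1
    pkg=
    mode=$(stat -c '%A %U:%G' "$f" 2>/dev/null \
        || ls -ld "$f" | awk '{print $1, $3 ":" $4}')
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)
    fi
    printf '%s %s %s\n' "$mode" "$f" "${pkg:-(not owned by any package)}"
}

# make_sample_tree DIR: constructed sample data so the functions can be
# exercised without touching the real system: one setuid file, one setgid
# file and one plain executable.
make_sample_tree() {
    mkdir -p "$1/bin"
    : > "$1/bin/suid_tool";  chmod 4755 "$1/bin/suid_tool"
    : > "$1/bin/sgid_tool";  chmod 2755 "$1/bin/sgid_tool"
    : > "$1/bin/plain_tool"; chmod 0755 "$1/bin/plain_tool"
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "setuid/setgid files under $demo_dir: $(count_setid_files "$demo_dir")"
list_setid_files "$demo_dir" | while read -r path; do
    describe_setid_file "$path"
done
rm -rf "$demo_dir"
```

Run it as root against `/` to get the real list, then work through the output with `dpkg -S` and the package descriptions; the count function is there so a saved number can be compared after each upgrade.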