Re: Add murmur.

2017-02-14 Thread Hartmut Goebel
On 12.02.2017 at 18:54, David Craven wrote:
> If an attacker already has the privileges required to start the software,
> I don't think it's possible to gain any more privileges unless that software
> has the setuid bit set.

You are right. I implicitly made some assumptions, like the setuid bit being set.

Nevertheless, each additional piece of software already available eases
the attack, since less work and fewer skills are required.

-- 
Regards
Hartmut Goebel

| Hartmut Goebel  | h.goe...@crazy-compilers.com   |
| www.crazy-compilers.com | compilers which you thought are impossible |




Re: Add murmur.

2017-02-14 Thread ng0
On 17-02-12 14:37:53, Ludovic Courtès wrote:
> ng0 wrote:
> 
> > On 17-02-11 15:31:15, Ludovic Courtès wrote:
> >> ng0 wrote:
> 
> [...]
> 
> >> > As far as I know right now, it does not have any graphical features or
> >> > dependencies.
> >> >
> >> > mumble:murmur -> total: 1072.6 MiB
> >> > mumble:out    -> total: .2 MiB
> >> 
> >> And what about the total reported by
> >> 
> >>   guix size mumble:murmur mumble:out
> 
> [...]
> 
> > store item                                                         total   self
> > /gnu/store/1zdk5x87ig5zvqcn5f8lllnmrywg9asa-mumble-1.2.19            .2    5.6   0.5%
> > /gnu/store/l4as1725kds2rrpz2l1pcfz8bjn256qd-mumble-1.2.19-murmur  1072.6    1.2   0.1%
> 
> [...]
> 
> > total: 1112.3 MiB
> 
> For 1.2 MiB, I’d say keep both in the same output.
> 
> Could you update the patch accordingly?
> 
> Thank you!
> 
> Ludo’.
> 

I will take the shortcut here and send the updated patch with just "out"
as output (to the new guix-patches@ list), but I want to continue the
discussion around client/server separation as I think it's worth it for
some outcome. Even if it's just to document why Guix is safe when
everything is combined :)

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-13 Thread Ludovic Courtès
"pelzflorian (Florian Pelz)" wrote:

> On 02/12/2017 06:01 PM, Hartmut Goebel wrote:
>> On 12.02.2017 at 15:37, David Craven wrote:
>>> I think that it is a minor issue at best, since anything that isn't
>>> accessible over the network or running with any sort of privileges is
>>> not very useful.
>> 
>> I strongly disagree!
>> 
>> Every piece of software available on the system may help the intruder. The
>> server may not be running, so it cannot be attacked in the first place.
>> But if an intruder gains (unprivileged) access to the system, he might
>> be able to start that server software. Then he might use it for
>> privilege escalation (if the server software is vulnerable), as a
>> back-channel or for attacking further systems.
>> 
>
> An attacker with enough privileges to run Murmur has enough privileges
> to install Murmur anyway (perhaps but not necessarily by using Guix).

Definitely.  And they might just as well run software that’s more useful
for their purposes, like a botnet server.  :-)

Ludo’.



Re: Add murmur.

2017-02-12 Thread David Craven
> You read too much between the lines in my words.

> I'm not counting on the certifications of Harmut. I simply agree with
> the reasoning that no client and server should be combined if possible
> to limit the attack surface. That's all.

That may be true. It was my intention to back Ludo. I think that it is a minor
issue at best, since anything that isn't accessible over the network or running
with any sort of privileges is not very useful.

An attack usually involves exploiting a service for remote code
execution, followed by privilege escalation and finally securing access
to the system and cleaning up traces.

This is an unprivileged binary on a server, and it isn't even running.
Exploiting any bugs in the client would require starting the client
first. This means that an attacker has already gained physical access or
is able to perform remote code execution.

This hypothetical attacker is trying to escalate privileges. I don't see
how starting an unprivileged process would help with that.

But then again - I'm not an expert and don't have any credentials - so
I'd be interested to know if there is a way of exploiting this.



Re: Add murmur.

2017-02-12 Thread ng0
On 17-02-12 14:57:05, David Craven wrote:
> > Okay. I prefer to wait for the outcome of the discussion around
> > server+client merging. I'm in favor of separating for the reasons Hartmut
> > mentioned.
> 
> This is a free software community. Anyone that needs to assert his authority
> with external certifications rather than actions and sound reasoning is in the
> wrong place here.
> 

You read too much between the lines in my words.

I'm not counting on the certifications of Hartmut. I simply agree with
the reasoning that no client and server should be combined if possible
to limit the attack surface. That's all.
-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-12 Thread David Craven
> Okay. I prefer to wait for the outcome of the discussion around
> server+client merging. I'm in favor of separating for the reasons Hartmut
> mentioned.

This is a free software community. Anyone that needs to assert his authority
with external certifications rather than actions and sound reasoning is in the
wrong place here.



Re: Add murmur.

2017-02-12 Thread ng0
On 17-02-12 14:37:53, Ludovic Courtès wrote:
> ng0 wrote:
> 
> > On 17-02-11 15:31:15, Ludovic Courtès wrote:
> >> ng0 wrote:
> 
> [...]
> 
> >> > As far as I know right now, it does not have any graphical features or
> >> > dependencies.
> >> >
> >> > mumble:murmur -> total: 1072.6 MiB
> >> > mumble:out    -> total: .2 MiB
> >> 
> >> And what about the total reported by
> >> 
> >>   guix size mumble:murmur mumble:out
> 
> [...]
> 
> > store item                                                         total   self
> > /gnu/store/1zdk5x87ig5zvqcn5f8lllnmrywg9asa-mumble-1.2.19            .2    5.6   0.5%
> > /gnu/store/l4as1725kds2rrpz2l1pcfz8bjn256qd-mumble-1.2.19-murmur  1072.6    1.2   0.1%
> 
> [...]
> 
> > total: 1112.3 MiB
> 
> For 1.2 MiB, I’d say keep both in the same output.
> 
> Could you update the patch accordingly?
> 
> Thank you!
> 
> Ludo’.
> 

Okay. I prefer to wait for the outcome of the discussion around
server+client merging. I'm in favor of separating for the reasons Hartmut
mentioned.

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-12 Thread Ludovic Courtès
ng0 wrote:

> On 17-02-11 15:31:15, Ludovic Courtès wrote:
>> ng0 wrote:

[...]

>> > As far as I know right now, it does not have any graphical features or
>> > dependencies.
>> >
>> > mumble:murmur -> total: 1072.6 MiB
>> > mumble:out    -> total: .2 MiB
>> 
>> And what about the total reported by
>> 
>>   guix size mumble:murmur mumble:out

[...]

> store item                                                         total   self
> /gnu/store/1zdk5x87ig5zvqcn5f8lllnmrywg9asa-mumble-1.2.19            .2    5.6   0.5%
> /gnu/store/l4as1725kds2rrpz2l1pcfz8bjn256qd-mumble-1.2.19-murmur  1072.6    1.2   0.1%

[...]

> total: 1112.3 MiB

For 1.2 MiB, I’d say keep both in the same output.

Could you update the patch accordingly?

Thank you!

Ludo’.



Re: Add murmur.

2017-02-11 Thread ng0
On 17-02-11 15:31:15, Ludovic Courtès wrote:
> ng0 wrote:
> 
> > On 17-02-10 22:54:21, Marius Bakke wrote:
> >> ng0  writes:
> >> 
> >> > On 17-02-09 23:50:02, Ludovic Courtès wrote:
> >> >> ng0 wrote:
> >> >> 
> >> >> > On 17-02-09 17:50:04, Ludovic Courtès wrote:
> >> >> >> Hi ng0!
> >> >> >> 
> >> >> >> contact@cryptolab.net wrote:
> >> >> >> 
> >> >> >> > This patch adds a proposed change to mumble, murmur as an output.
> >> >> >> 
> >> >> >> I’m reluctant about “non-standard” outputs like this.  The reason for
> >> >> >> multiple outputs should be to reduce the closure size for standard
> >> >> >> uses.  What do we gain by not including murmurd in “out” in this case?
> >> >> >> 
> >> >> >> Thanks,
> >> >> >> Ludo’.
> >> >> >
> >> >> > We remove the server component (murmurd) from the client component
> >> >> > (mumble).  I imagine that if you run murmurd, you will not want mumble
> >> >> > in the same user profile.  And if you run mumble, you probably don't
> >> >> > want murmurd.  The default is a client; adding a murmur output is
> >> >> > logical.  But this is just my view...  I would not want a server unless
> >> >> > I explicitly expressed my intention to have it.
> >> >> >
> >> >> > What do you think?
> >> >> 
> >> >> I think the only reason to separate things usually is size, not
> >> >> “aesthetics.”  So I’d be in favor of keeping both in the same output if
> >> >> there’s no size problem.
> >> >>
> >> >
> >> > Of course this is a theoretical issue, but the separation of server+client
> >> > where applicable, when the nature of an application allows it, makes sense
> >> > to me.
> >> 
> >> What does `guix size` say about mumble:murmur compared to mumble:out? If
> >> the server does not depend on any graphical features, I think a separate
> >> output makes sense. mumble alone is ~1GiB.
> >
> > As far as I know right now, it does not have any graphical features or
> > dependencies.
> >
> > mumble:murmur -> total: 1072.6 MiB
> > mumble:out    -> total: .2 MiB
> 
> And what about the total reported by
> 
>   guix size mumble:murmur mumble:out


store item                                                           total   self
/gnu/store/1zdk5x87ig5zvqcn5f8lllnmrywg9asa-mumble-1.2.19              .2    5.6   0.5%
/gnu/store/l4as1725kds2rrpz2l1pcfz8bjn256qd-mumble-1.2.19-murmur    1072.6    1.2   0.1%
/gnu/store/gz1hpl2qpjyddczx1pwriwxgd5rdwbxf-qt-4.8.7                 1062.7  123.7  11.1%
/gnu/store/b11lvv9x75jgiiw7rpyb53vj8j57jrw6-mysql-5.7.17              561.0  209.2  18.8%
/gnu/store/13cbg5pg4qvgf55qlvi0h1grffr7gfkk-mesa-13.0.3               227.9  128.3  11.5%
/gnu/store/awmx27f02la7sc4s63jxsdczclsf63gj-postgresql-9.5.5          200.5   20.0   1.8%
/gnu/store/nfg59rims86f87q5hasj8ngad3cd9dpa-boost-1.61.0              181.4  120.1  10.8%
/gnu/store/bwjph363njn5nssi0m7klcs17si2zyib-pulseaudio-9.0            161.8    8.3   0.7%
/gnu/store/c7lm5innppxm53bf5w7i99d59kjdyx27-ld-wrapper-0              152.8    0.0   0.0%
/gnu/store/9kmlcadkj7y1ag0lc2jl9dajlq3m90zr-perl-5.24.0               142.2   51.0   4.6%
/gnu/store/y1g6991kxvdk4vxhsq07r5saww30v8dq-gcc-4.9.4                 138.6   77.2   6.9%
/gnu/store/wvfi95c1r66k5d2rnin090gy3301x7p9-avahi-0.6.31              130.1    2.4   0.2%
/gnu/store/dcsfk23iwhhsix5icr9lxdcwrd2qb8ks-icu4c-55.1                126.1   34.9   3.1%
/gnu/store/zq2ynjp1hln0jbcwaibyra45p3dxshn1-speech-dispatcher-0.8.5   123.2    1.1   0.1%
/gnu/store/8fabvxy5jgsad1ipn5j420nk5haaj80y-glib-2.50.2               114.6   13.7   1.2%
/gnu/store/v8b2smkb9l4080jnq5m60f700liww3fl-libmng-2.0.3              111.1    1.3   0.1%
/gnu/store/6r1klkng76ssw40c4kv47aib2rbmdssv-lcms-2.6                  109.8    1.2   0.1%
/gnu/store/60hvdp3cxn8nr3v1h92vjzv2hfrmfd4q-libtiff-4.0.7             107.8    2.0   0.2%
/gnu/store/6slzn4ixcjlhy3av3biglqfli9pwxcn9-guile-2.0.12              103.4   12.7   1.1%
/gnu/store/ji6b6zhk7l3y7vbjhx7kpnb9v7hlbc6v-eudev-3.2                  99.1    7.1   0.6%
/gnu/store/601j6j3fa9nf37vyzy8adcaxcfddw4m1-libsm-1.2.2                91.5    0.3   0.0%
/gnu/store/8b5ffm91zlmm1k5i4kq5qix59v7jm9ln-util-linux-2.28.1          90.6   11.2   1.0%
/gnu/store/4xxd00drj8gjcr84xdfna44qak2vhwmf-binutils-2.27              87.6   49.3   4.4%
/gnu/store/iy28nhsbbfjm1mjksz429zr0r8q8imsz-wayland-1.11.0             87.0    1.4   0.1%
/gnu/store/cgr9z8n3i7kzpsjxnsljby5spvzq836v-libxml2-2.9.4              84.9   10.0   0.9%
/gnu/store/pkv2qqgprp4zxcqfspwwx81qm9lng0da-fontconfig-2.12.1          84.4    2.0   0.2%
/gnu/store/9xfn6q7cxqxaxsv6kgiic9iygl2iv2ci-coreutils-8.25             78.8   14.4   1.3%
/gnu/store/hmc1jiyr29mk9cl2d9j0jwf0dim1q76g-freetype-2.6.3             77.3    2.7   0.2%
/gnu/store/9ylbphjcj07s98srnbq41i2hrz8qwqm1-fftwf-3.3.5                77.0    3.6   0.3%
/gnu/store/9l52vcmb1ambc3ypf7nxn38ac0976yyf-tar-1.29                   76.0    2.6   0.2%

Re: Add murmur.

2017-02-11 Thread Ludovic Courtès
ng0 wrote:

> On 17-02-10 22:54:21, Marius Bakke wrote:
>> ng0  writes:
>> 
>> > On 17-02-09 23:50:02, Ludovic Courtès wrote:
>> >> ng0 wrote:
>> >> 
>> >> > On 17-02-09 17:50:04, Ludovic Courtès wrote:
>> >> >> Hi ng0!
>> >> >> 
>> >> >> contact@cryptolab.net wrote:
>> >> >> 
>> >> >> > This patch adds a proposed change to mumble, murmur as an output.
>> >> >> 
>> >> >> I’m reluctant about “non-standard” outputs like this.  The reason for
>> >> >> multiple outputs should be to reduce the closure size for standard
>> >> >> uses.  What do we gain by not including murmurd in “out” in this case?
>> >> >> 
>> >> >> Thanks,
>> >> >> Ludo’.
>> >> >
>> >> > We remove the server component (murmurd) from the client component
>> >> > (mumble).  I imagine that if you run murmurd, you will not want mumble
>> >> > in the same user profile.  And if you run mumble, you probably don't
>> >> > want murmurd.  The default is a client; adding a murmur output is logical.
>> >> > But this is just my view...  I would not want a server unless I explicitly
>> >> > expressed my intention to have it.
>> >> >
>> >> > What do you think?
>> >> 
>> >> I think the only reason to separate things usually is size, not
>> >> “aesthetics.”  So I’d be in favor of keeping both in the same output if
>> >> there’s no size problem.
>> >>
>> >
>> > Of course this is a theoretical issue, but the separation of server+client
>> > where applicable, when the nature of an application allows it, makes sense
>> > to me.
>> 
>> What does `guix size` say about mumble:murmur compared to mumble:out? If
>> the server does not depend on any graphical features, I think a separate
>> output makes sense. mumble alone is ~1GiB.
>
> As far as I know right now, it does not have any graphical features or
> dependencies.
>
> mumble:murmur -> total: 1072.6 MiB
> mumble:out    -> total: .2 MiB

And what about the total reported by

  guix size mumble:murmur mumble:out

?

Ludo’.



Re: Add murmur.

2017-02-10 Thread ng0
On 17-02-10 22:54:21, Marius Bakke wrote:
> ng0  writes:
> 
> > On 17-02-09 23:50:02, Ludovic Courtès wrote:
> >> ng0 wrote:
> >> 
> >> > On 17-02-09 17:50:04, Ludovic Courtès wrote:
> >> >> Hi ng0!
> >> >> 
> >> >> contact@cryptolab.net wrote:
> >> >> 
> >> >> > This patch adds a proposed change to mumble, murmur as an output.
> >> >> 
> >> >> I’m reluctant about “non-standard” outputs like this.  The reason for
> >> >> multiple outputs should be to reduce the closure size for standard
> >> >> uses.  What do we gain by not including murmurd in “out” in this case?
> >> >> 
> >> >> Thanks,
> >> >> Ludo’.
> >> >
> >> > We remove the server component (murmurd) from the client component
> >> > (mumble).  I imagine that if you run murmurd, you will not want mumble
> >> > in the same user profile.  And if you run mumble, you probably don't
> >> > want murmurd.  The default is a client; adding a murmur output is logical.
> >> > But this is just my view...  I would not want a server unless I explicitly
> >> > expressed my intention to have it.
> >> >
> >> > What do you think?
> >> 
> >> I think the only reason to separate things usually is size, not
> >> “aesthetics.”  So I’d be in favor of keeping both in the same output if
> >> there’s no size problem.
> >>
> >
> > Of course this is a theoretical issue, but the separation of server+client
> > where applicable, when the nature of an application allows it, makes sense
> > to me.
> 
> What does `guix size` say about mumble:murmur compared to mumble:out? If
> the server does not depend on any graphical features, I think a separate
> output makes sense. mumble alone is ~1GiB.

As far as I know right now, it does not have any graphical features or
dependencies.

mumble:murmur -> total: 1072.6 MiB
mumble:out    -> total: .2 MiB

So there is a size difference which would justify this output in my
(currently very sleepy and jet-lagged) opinion.

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-10 Thread Marius Bakke
ng0  writes:

> On 17-02-09 23:50:02, Ludovic Courtès wrote:
>> ng0 wrote:
>> 
>> > On 17-02-09 17:50:04, Ludovic Courtès wrote:
>> >> Hi ng0!
>> >> 
>> >> contact@cryptolab.net wrote:
>> >> 
>> >> > This patch adds a proposed change to mumble, murmur as an output.
>> >> 
>> >> I’m reluctant about “non-standard” outputs like this.  The reason for
>> >> multiple outputs should be to reduce the closure size for standard
>> >> uses.  What do we gain by not including murmurd in “out” in this case?
>> >> 
>> >> Thanks,
>> >> Ludo’.
>> >
>> > We remove the server component (murmurd) from the client component
>> > (mumble).  I imagine that if you run murmurd, you will not want mumble
>> > in the same user profile.  And if you run mumble, you probably don't
>> > want murmurd.  The default is a client; adding a murmur output is logical.
>> > But this is just my view...  I would not want a server unless I explicitly
>> > expressed my intention to have it.
>> >
>> > What do you think?
>> 
>> I think the only reason to separate things usually is size, not
>> “aesthetics.”  So I’d be in favor of keeping both in the same output if
>> there’s no size problem.
>>
>
> Of course this is a theoretical issue, but the separation of server+client
> where applicable, when the nature of an application allows it, makes sense
> to me.

What does `guix size` say about mumble:murmur compared to mumble:out? If
the server does not depend on any graphical features, I think a separate
output makes sense. mumble alone is ~1GiB.




Re: Add murmur.

2017-02-10 Thread ng0
On 17-02-09 23:50:02, Ludovic Courtès wrote:
> ng0 wrote:
> 
> > On 17-02-09 17:50:04, Ludovic Courtès wrote:
> >> Hi ng0!
> >> 
> >> contact@cryptolab.net wrote:
> >> 
> >> > This patch adds a proposed change to mumble, murmur as an output.
> >> 
> >> I’m reluctant about “non-standard” outputs like this.  The reason for
> >> multiple outputs should be to reduce the closure size for standard
> >> uses.  What do we gain by not including murmurd in “out” in this case?
> >> 
> >> Thanks,
> >> Ludo’.
> >
> > We remove the server component (murmurd) from the client component
> > (mumble).  I imagine that if you run murmurd, you will not want mumble
> > in the same user profile.  And if you run mumble, you probably don't
> > want murmurd.  The default is a client; adding a murmur output is logical.
> > But this is just my view...  I would not want a server unless I explicitly
> > expressed my intention to have it.
> >
> > What do you think?
> 
> I think the only reason to separate things usually is size, not
> “aesthetics.”  So I’d be in favor of keeping both in the same output if
> there’s no size problem.
>

I don't see my description as aesthetics, but maybe I wasn't clear. It
could theoretically be a security issue; keeping both separated gives
the user a choice of what should be present.

Of course this is a theoretical issue, but the separation of server+client
where applicable, when the nature of an application allows it, makes sense
to me.

If you don't agree, I can send an updated patch which just adds murmur
to the 'out'.
 
> How does that sound?
> 
> Ludo’.
> 

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-09 Thread Ludovic Courtès
ng0 wrote:

> On 17-02-09 17:50:04, Ludovic Courtès wrote:
>> Hi ng0!
>> 
>> contact@cryptolab.net wrote:
>> 
>> > This patch adds a proposed change to mumble, murmur as an output.
>> 
>> I’m reluctant about “non-standard” outputs like this.  The reason for
>> multiple outputs should be to reduce the closure size for standard
>> uses.  What do we gain by not including murmurd in “out” in this case?
>> 
>> Thanks,
>> Ludo’.
>
> We remove the server component (murmurd) from the client component
> (mumble).  I imagine that if you run murmurd, you will not want mumble
> in the same user profile.  And if you run mumble, you probably don't
> want murmurd.  The default is a client; adding a murmur output is logical.
> But this is just my view...  I would not want a server unless I explicitly
> expressed my intention to have it.
>
> What do you think?

I think the only reason to separate things usually is size, not
“aesthetics.”  So I’d be in favor of keeping both in the same output if
there’s no size problem.

How does that sound?

Ludo’.



Re: Add murmur.

2017-02-09 Thread ng0
On 17-02-09 17:50:04, Ludovic Courtès wrote:
> Hi ng0!
> 
> contact@cryptolab.net wrote:
> 
> > This patch adds a proposed change to mumble, murmur as an output.
> 
> I’m reluctant about “non-standard” outputs like this.  The reason for
> multiple outputs should be to reduce the closure size for standard
> uses.  What do we gain by not including murmurd in “out” in this case?
> 
> Thanks,
> Ludo’.

We remove the server component (murmurd) from the client component
(mumble).  I imagine that if you run murmurd, you will not want mumble
in the same user profile.  And if you run mumble, you probably don't
want murmurd.  The default is a client; adding a murmur output is logical.
But this is just my view...  I would not want a server unless I explicitly
expressed my intention to have it.

What do you think?


I would even separate the sshd from openssh client part, but that's
another topic.


-- 
ng0 -- https://www.inventati.org/patternsinthechaos/



Re: Add murmur.

2017-02-09 Thread Ludovic Courtès
Hi ng0!

contact@cryptolab.net wrote:

> This patch adds a proposed change to mumble, murmur as an output.

I’m reluctant about “non-standard” outputs like this.  The reason for
multiple outputs should be to reduce the closure size for standard
uses.  What do we gain by not including murmurd in “out” in this case?

Thanks,
Ludo’.



Re: Add murmur.

2017-02-01 Thread ng0

contact@cryptolab.net writes:

> This patch adds a proposed change to mumble, murmur as an output.
> Murmur is the server of mumble. I tried to use an inherit package first, but
> the amount of code for the minor difference between mumble and murmur is not
> worth the length of a new package.
> I'm not sure if murmurd needs the "/lib" of output:out (mumble) at runtime;
> in the absence of a possibility to test this, we can only figure it out once a
> service for murmur is written.

Update:
I just ran murmurd and connected to myself (127.0.0.1) and
neither murmurd nor mumble client threw errors at me.
-- 
ng0 . https://www.inventati.org/patternsinthechaos/
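An added illustration (not the patch under discussion, nor code from the Guix repository) of the mechanism the thread is about: a package definition with a second output that holds murmurd, so that each output's closure can be measured separately with `guix size`. The source URI, sha256, home-page, license and the `move-murmurd` phase name are placeholders or assumptions, not taken from the real mumble package.

```scheme
;; Illustrative package definition (added example; not the thread's patch).
;; Placeholders: the source URI and sha256 are dummies; the real package
;; lives in gnu/packages/telephony.scm and is built differently.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(define-public mumble-split-example
  (package
    (name "mumble")
    (version "1.2.19")
    (source (origin
              (method url-fetch)
              (uri "https://example.invalid/mumble-1.2.19.tar.gz") ; placeholder
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; Two outputs: "out" holds the client, "murmur" holds the server.
    ;; A user then picks one with `guix package -i mumble` (client only)
    ;; or `guix package -i mumble:murmur` (server only), which is the
    ;; "choice of what should be present" argued for in the thread.
    (outputs '("out" "murmur"))
    (arguments
     `(#:tests? #f                      ; assumption: no test suite run here
       #:phases
       (modify-phases %standard-phases
         ;; Hypothetical phase: after the normal install, move the server
         ;; binary out of "out" into the "murmur" output.
         (add-after 'install 'move-murmurd
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out        (assoc-ref outputs "out"))
                    (murmur     (assoc-ref outputs "murmur"))
                    (murmur-bin (string-append murmur "/bin")))
               (mkdir-p murmur-bin)
               (rename-file (string-append out "/bin/murmurd")
                            (string-append murmur-bin "/murmurd"))
               ;; Caveat raised in the thread: if murmurd is linked against
               ;; libraries under out/lib, its RUNPATH keeps a reference to
               ;; "out", so the "murmur" closure still drags in the client
               ;; closure.  Measure it instead of guessing:
               ;;   guix size mumble:murmur
               ;;   guix size mumble:murmur mumble:out
               #t))))))
    (home-page "https://mumble.info")   ; assumption
    (synopsis "Low-latency voice chat client and murmurd server")
    (description "Illustrative package splitting the mumble client and the
murmurd server into separate outputs.")
    (license license:bsd-3)))           ; assumption
```

Whether the split actually shrinks anything is decided by the `guix size` numbers, not by the output layout; if the server output still references `out`, the two totals will be nearly identical, as the figures quoted in the thread suggest.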