S2464 (K7 Thunder) hangs -- some lessons learned

S2464 (K7 Thunder) hangs -- some lessons learned

[Eric S. Raymond]

Alas, the 2.4.8+ emu10k1 driver does not completely banish the K7 Thunder
lockups problem.  It makes them a lot rarer, though, and enabled us to get to
the next level of diagnosis.

More from the article in progress:

<para>But as it turned out, the story didn't end there.  The 2.4.8+ driver
doesn't completely banish the hangs; early in the morning of the third day,
while I was asleep, Gary tripped over a way to re-induce them by logging
into the machine via <command>ssh</command> while an X build is running.  I
didn't yet know this when I next read my mail and saw a report from Jeffrey
Ingber of the linux-kernel list that he had continued to see emu10k1
lockups after installing 2.4.8 -- but that they were banished by the ALSA
drivers.</para>

<para>Further testing proved, in fact, that the presence of the SB Live!
in the machine can make it vulnerable to lockups triggered by network 
activity even when the emul10k1 support is not configured in at all!  This
takes the operating system out of the picture and suggests a hardware-
or BIOS-level problem. Our suspicions were immediately directed to PCI
IRQ sharing, a well-known source of lossage.</para>

<para>Upon investigation (via <filename>/proc/pci</filename>), we
discovered that the IRQ assignments looked distinctly dubious.  IRQs
shared between on-board devices didn't bother us; we presumed the board
designers had been smart enough to avoid conflicts.  But IRQs shared
between on-board and daughtercard devices looked like they might be
part of the problem.</para>

<para>Unlike some other PCI BIOSes, the S2464's doesn't give you the
capability to wire IRQs to specific card slots.  While looking for this,
however, we found a BIOS setting that seemed relevant -- "Use PCI Interrupt
Entries In MP Table".  When we switched it to `Yes', rebooted, and looked at
<filename>/proc/pci</filename>, the IRQ assignments looked a lot saner --
and when we tested, the <command>ssh</command> hang was gone!</para>

OK, so the lessons here are:

1. The S2464 needs to be configured with "Use PCI Interrupt Entries In MP 
   Table" for sanity to prevail, and

2. When you see a box hang that's clearly related to a daughtercard, *run*
   (do not walk) to your local /proc directory, cat /proc/pci and check out
   the IRQ assignments.

I'm not certain we've nailed the entire problem yet -- we still need to test
with the emu10k1 sound driver linked in.  But it's looking pretty good.

BTW, somebody mailed me an explanation of that BIOS setting ("Use PCI 
Interrupt Entries In MP Table") but I managed to lose it.  Whoever you
are, could you remail?  I want to include some sort of explanation in
the article.
-- 
		<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>

The people cannot delegate to government the power to do anything
which would be unlawful for them to do themselves.
	-- John Locke, "A Treatise Concerning Civil Government"

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Paul G. Allen]

(Small note. The K7 Thunder is S2462, unless there is another, possibly
newer, version released?)

"Eric S. Raymond" wrote:
> 

[SNIP]
> 
> OK, so the lessons here are:
> 
> 1. The S2464 needs to be configured with "Use PCI Interrupt Entries In MP
>    Table" for sanity to prevail, and

I have been running my K7 in this mode since purchase. Could this be why
I see no SB Live!/ EMU10K problems (though I am running 2.4.7 kernels
now)?

> 
> 2. When you see a box hang that's clearly related to a daughtercard, *run*
>    (do not walk) to your local /proc directory, cat /proc/pci and check out
>    the IRQ assignments.

Problem is, when it does hang, I can't get there as the system is
completely locked, including ssh and telnet.

PGA

-- 
Paul G. Allen
UNIX Admin II/Network Security
Akamai Technologies, Inc.
www.akamai.com

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Christopher Abbey]

Yesterday, Paul G. Allen wrote:
> > 2. When you see a box hang that's clearly related to a daughtercard, *run*
> >    (do not walk) to your local /proc directory, cat /proc/pci and check out
> >    the IRQ assignments.

lspci -vvv is also usefull.

> Problem is, when it does hang, I can't get there as the system is
> completely locked, including ssh and telnet.

But the point is to go look at the pci interrupt assignments *before*
the hang occurs. I've seen the same situation, where two devices are
sharing an interupt, one on the mobo, the other in a PCI slot... it's
never been a good thing in my experience. As Eric pointed out if they're
both on the mobo you have to hope the designers built the hardware to
handle that, or if they're both in pci slots you can usually expect
the cards will play well with others. It's the third case that's
trouble, and then it's time to do as Eric did - get into the bios and
change the assignements (or in this case something that would cuase a
change to happen).

-- 
now the forces of openness have a powerful and
  unexpected new ally - http://ibm.com/linux

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Alan Cox]

> Alas, the 2.4.8+ emu10k1 driver does not completely banish the K7 Thunder
> lockups problem.  It makes them a lot rarer, though, and enabled us to get to
> the next level of diagnosis.

What version of the chipset do you have. The current ones can hang the PCI bus
during IDE transfers if you have IDE read/write prefetch enabled in the bios
setup.

It also has problems with the APIC implementation where an IRQ masked in
the APIC re-occurs which can hang the system. Worrying this one is marked
'nofix'. You might want to trying running "noapic"

Alan

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Eric S. Raymond]

Alan Cox <alan@lxorguk.ukuu.org.uk>:
> > Alas, the 2.4.8+ emu10k1 driver does not completely banish the K7 Thunder
> > lockups problem.  It makes them a lot rarer, though, and enabled us to get
> > to the next level of diagnosis.
> 
> What version of the chipset do you have. The current ones can hang
> the PCI bus during IDE transfers if you have IDE read/write prefetch
> enabled in the bios setup.

I don't know what version we have.  Is there a way to query it through /proc?

We have IDE disabled in the BIOS, so we're not likely to see this bug.

> It also has problems with the APIC implementation where an IRQ masked in
> the APIC re-occurs which can hang the system. Worrying this one is marked
> 'nofix'. You might want to trying running "noapic"

I'll bear that in mind if the lockups recur.  I'll copy this to Gary, who
might find himself building IDE systems around this board.
-- 
		<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>

"America is at that awkward stage.  It's too late to work within the system,
but too early to shoot the bastards."
	-- Claire Wolfe

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Alan Cox]

> I don't know what version we have.  Is there a way to query it through /proc?

You need to look at the lspci hex data. There's an errata document for the
MP chipset on www.amd.com if you realyl want to scare yourself 8)

Alan
--
  "Have you noticed the way people's intelligence capabilities decline
   sharply the minute they start waving guns around?"
 		-- Dr. Who

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Eric S. Raymond]

Alan Cox <alan@lxorguk.ukuu.org.uk>:
> You need to look at the lspci hex data. There's an errata document for the
> MP chipset on www.amd.com if you realyl want to scare yourself 8)

Is there a more formal name for the chipset than just "760"?
 
>   "Have you noticed the way people's intelligence capabilities decline
>    sharply the minute they start waving guns around?"
>  		-- Dr. Who

People who wave guns around to coerce others don't think they *have* to
be intelligent, so they stop thinking.  Unfortunately, they're right in the
short term often enough to make it almost useless that they're always wrong
in the long term.  Sigh...
-- 
		<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>

Everything you know is wrong.  But some of it is a useful first approximation.

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Alan Cox]

> Alan Cox <alan@lxorguk.ukuu.org.uk>:
> > You need to look at the lspci hex data. There's an errata document for the
> > MP chipset on www.amd.com if you realyl want to scare yourself 8)
> 
> Is there a more formal name for the chipset than just "760"?

http://www.amd.com/products/cpg/athlon/techdocs/index.html#chipset

Its the AMD760tm MP - really

Is there something that can be done against this ???

[Mircea Ciocan]

[-- Attachment #1: Type: text/plain, Size: 675 bytes --]

	The attached piece of script kiddie shit is the first one that worked
flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
instant root access !!!.
	I was stunned, and it seem that is the beginning of a Linux Code Red
lookalike worm :(((( using that exploit, probably this is not the most
apropriate place to send this, but I'm not subscribed to the glibc
mailing list and I just hope that some glibc hackers are on linux kernel
list also and they see that and do something before we join the ranks of
M$.

		Dead worried,

		Mircea C.

P.S. Please tell me that I'm just being parnoid and that crap didn't
work on your systems with a lookalike configuration.

[-- Attachment #2: smile.sh --]
[-- Type: application/x-sh, Size: 1773 bytes --]

Re: Is there something that can be done against this ???

[Jakob Østergaard]

On Mon, Aug 13, 2001 at 09:56:37PM +0300, Mircea Ciocan wrote:
> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.

Try echo "gotcha" > /etc/passwd

It will fail.

Because you don't have root - it just *looks* like it.

The "malicious" code is:
#include <stdio.h>
#include <stdlib.h>
int getuid() { return(0); }
int geteuid() { return(0); }
int getgid() { return(0); }
int getegid() { return(0); }
int getgroups(int size, int list[]) { list = (int *)malloc(sizeof(int)); return(1); }

The script spawns a new bash using LD_PRELOAD to override the glibc functions
with the above ones.

This does not compromise kernel security in any way what so ever.  Not even
close.  You *may* be able to trick a naive user, but he won't be able to do
anything bad, because he is not root.  Even though he may think he is.  And
even though bash may think it is.

> 	I was stunned, and it seem that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> apropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
> 		Dead worried,

Don't worry.

> 
> 		Mircea C.
> 
> P.S. Please tell me that I'm just being parnoid and that crap didn't
> work on your systems with a lookalike configuration.

You're just being paranoid and that crap didn't work on your system either  :)

-- 
................................................................
:   jakob@unthought.net   : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:

Re: Is there something that can be done against this ???

[Ulrich Drepper]

Mircea Ciocan <mirceac@interplus.ro> writes:

> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.

This is a hoax.  Try doing something with your "exploited" shell.

-- 
---------------.                          ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------

Re: Is there something that can be done against this ???

[Mircea Ciocan]

	OK, I realized is a hoax, I should look at the code first then cry the
wolf is comming :), but anyhow this crap is VERY effective in
demonstrating to a clueless IT manager that Linux is oh, sooo easy to
break in.
	So at least to learn something from this, is there a way to stop
completly that crap ???
		My apologies to get you disturbed.


		Mircea "washing the egg on his face" C.



			



Ulrich Drepper wrote:
> 
> Mircea Ciocan <mirceac@interplus.ro> writes:
> 
> >       The attached piece of script kiddie shit is the first one that worked
> > flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> > instant root access !!!.
> 
> This is a hoax.  Try doing something with your "exploited" shell.
> 
> --
> ---------------.                          ,-.   1325 Chesapeake Terrace
> Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
> Red Hat          `--' drepper at redhat.com   `------------------------

Re: Is there something that can be done against this ???

[Peter T. Breuer]

"A month of sundays ago Mircea Ciocan wrote:"
> P.S. Please tell me that I'm just being parnoid and that crap didn't
> work on your systems with a lookalike configuration.

It doesn't work. It just looks like it does to the viewer!

The "exploit" is a loadable shared library that replaces the 
getuid, geteuid, getgid and getegid functions with dummies that
always return 0. So the code in bash that looks up the
prompt and all thatgoes and  looks up roots .profile. The result is
that you get what looks like a root prompt, and your calls to 
id return 0 :-)

But it can't really change uid. Try touching a file in / !

Peter

Re: Is there something that can be done against this ???

[Ben Collins]

On Mon, Aug 13, 2001 at 09:56:37PM +0300, Mircea Ciocan wrote:
> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
> 	I was stunned, and it seem that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> apropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.

Wow, someone tried to pass off this as an exploit? Looks very much like
Debian's fakeroot package, used to give a false root lookalike shell
(helps when building things as normal user, when they need to think they
are root).

Nice, but not an exploit. Just a cheap old trick.

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

Re: Is there something that can be done against this ???

[Eli Carter]

"Peter T. Breuer" wrote:
> 
> "A month of sundays ago Mircea Ciocan wrote:"
> > P.S. Please tell me that I'm just being parnoid and that crap didn't
> > work on your systems with a lookalike configuration.
> 
> It doesn't work. It just looks like it does to the viewer!

The \x.. constructs in the echos require bash 2.

C-ya,

Eli
--------------------.     Real Users find the one combination of bizarre
Eli Carter           \ input values that shuts down the system for days.
eli.carter(a)inet.com `-------------------------------------------------

Re: Is there something that can be done against this ???

[Aaron Lehmann]

On Mon, Aug 13, 2001 at 10:20:08PM +0300, Mircea Ciocan wrote:
> 	So at least to learn something from this, is there a way to stop
> completly that crap ???

No.

Re: Is there something that can be done against this ???

[Ronald Jeninga]

I'll have to dissapoint you, worked perfect over here
(Kernel 2.2.19, ld version 2.9.5 (with BFD 2.9.5.0.24), libc-2.1.3-141).

feeling uncomfortable,

Ronald


Mircea Ciocan wrote:
> 
>         The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
>         I was stunned, and it seem that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> apropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
>                 Dead worried,
> 
>                 Mircea C.
> 
> P.S. Please tell me that I'm just being parnoid and that crap didn't
> work on your systems with a lookalike configuration.
> 
>   --------------------------------------------------------------------------------
>                Name: smile.sh
>    smile.sh    Type: Bourne Shell Program (application/x-sh)
>            Encoding: quoted-printable

Re: Is there something that can be done against this ???

[Chris Meadors]

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	OK, I realized is a hoax, I should look at the code first then cry the
> wolf is comming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.

Break in?

> 	So at least to learn something from this, is there a way to stop
> completly that crap ???

What crap?  You mean, saving an attachment you got in an e-mail, stripping
out the ^Ms at the end of lines, so the script can run correctly, and then
chmod +x that script, AND THEN run that script?  Oh, that crap...

> 		My apologies to get you disturbed.

I wasn't.

> 		Mircea "washing the egg on his face" C.

I think you missed some.

-Chris
-- 
Two penguins were walking on an iceberg.  The first penguin said to the
second, "you look like you are wearing a tuxedo."  The second penguin
said, "I might be..."                         --David Lynch, Twin Peaks

Re: Is there something that can be done against this ???

[Richard B. Johnson]

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
> 	I was stunned, and it seem that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> apropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
> 		Dead worried,
> 
> 		Mircea C.
> 

It's a neat trick. It just replaces some 'C' runtime library functions
with do-nothing functions that return success for the user. It could
even replace file I/O stuff so the user changes directory, but what
`ls` shows, never changes (or is blank). A nice preload object library
could be created that could make a good April-fool joke. You've got
about 1/2 year to work on it! Install it in /lib, and when you want
to cause havoc, modify the target's ~/.bashrc file.

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.

Re: Is there something that can be done against this ???

[Admin Mailing Lists]

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	OK, I realized is a hoax, I should look at the code first then cry the
> wolf is comming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.
> 	So at least to learn something from this, is there a way to stop
> completly that crap ???

yeah, murder your clueless IT manager..rinse..repeat..until they
hire a non-clueless one.

just a suggestion.

-Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                       Network Administrator/Engineer
thelittleprince@asteroid-b612.org       Intergrafix Internet Services

    "Dream as if you'll live forever, live as if you'll die today"
http://www.asteroid-b612.org                http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.

Re: Is there something that can be done against this ???

[Rik van Riel]

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	So at least to learn something from this, is there a way
> to stop completly that crap ???

Disable printf() ;)

Rik
--
IA64: a worthy successor to the i860.

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com/

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Paul G. Allen]

Alan Cox wrote:
> 
> > I don't know what version we have.  Is there a way to query it through /proc?
> 
> You need to look at the lspci hex data. There's an errata document for the
> MP chipset on www.amd.com if you realyl want to scare yourself 8)
> 

I don't find the errata. Can you hold my hand and point me to it? :)

PGA

-- 
Paul G. Allen
UNIX Admin II/Programmer
Akamai Technologies, Inc.
www.akamai.com
Work: (858)909-3630
Cell: (858)395-5043

Re: Is there something that can be done against this ???

[Henning P. Schmiedehausen]

Mircea Ciocan <mirceac@interplus.ro> writes:

>	The attached piece of script kiddie shit is the first one that worked

bash-2.04# less /etc/shadow
/etc/shadow: Permission denied

It _is_ shit. Nothing more. "Faked root". Yawn.

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   

Re: Is there something that can be done against this ???

[Helge Hafting]

Mircea Ciocan wrote:
> 
>         OK, I realized is a hoax, I should look at the code first then cry the
> wolf is comming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.

Good.  I don't want a clueless it manager administrating a linux box
anyway.
Of course the same applies to NT.  Try creating a unprivileged account
named "administrator" with full access to a faked control panel.  Or
for something a little easier - a fake program named "format" 
or "deltree" that writes the same on screen as the real thing.  
And makes the disk click by seeking. :-)

Any os is sooo easy to simulate a break in. 

>         So at least to learn something from this, is there a way to stop
> completly that crap ???

Don't work for a manager that clueless - or tell him it's a hoax.

Helge Hafting

Re: Is there something that can be done against this ???

[joseph.bueno]

Mircea Ciocan wrote:
> 
>         The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
>         I was stunned, and it seem that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> apropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
>                 Dead worried,
> 
>                 Mircea C.
> 
> P.S. Please tell me that I'm just being parnoid and that crap didn't
> work on your systems with a lookalike configuration.
> 
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>                Name: smile.sh
>    smile.sh    Type: Bourne Shell Program (application/x-sh)
>            Encoding: quoted-printable

Hi,

The question is not : "is this script dangerous ?",
but "are you ready to blindly execute a shell script
(or any program) that you receive in your  mail ?".

I don't care if this script is dangerous or not because I will never execute it,
or any program that I receive my email before checking its contents and making sure
it is OK.
(And my mail reader will not execute anything automatically, not even Javascript).

If somebody is dumb enough to execute any  program received by email,
don't loose time trying to find some weaknesses in the system; just
send him a shell script with "rm -rf /". It will do enough harm !

Best protection against mail virus is not technical (although it may help),
but user education; and this is true regardless of which operating system
or mail reader is used ! 

Regards
--
Joseph Bueno
NetClub/Trader.com

RE: Is there something that can be done against this ???

[David Schwartz]

> The question is not : "is this script dangerous ?",
> but "are you ready to blindly execute a shell script
> (or any program) that you receive in your  mail ?".

	Sure, as a user created solely for that purpose, it should be entirely
safe.

> I don't care if this script is dangerous or not because I will
> never execute it,
> or any program that I receive my email before checking its
> contents and making sure
> it is OK.
> (And my mail reader will not execute anything automatically, not
> even Javascript).

	Why? Is it because you don't trust your system security? Your operating
system shouldn't let the script do anything you don't want it to do.

> If somebody is dumb enough to execute any  program received by email,
> don't loose time trying to find some weaknesses in the system; just
> send him a shell script with "rm -rf /". It will do enough harm !

	That should do no harm. What you mean to say is "if somebody is dumb enough
to execute any program recieved by email under a user account that has
permissions to modify files he cares about, consume too many process slots,
consume excessive vm, or has other special capabilities".

> Best protection against mail virus is not technical (although it
> may help),
> but user education; and this is true regardless of which operating system
> or mail reader is used !

	If a user can run code that can harm the system, then nobody who isn't
trusted not to harm the system can be a user. That's not how we want Linux
to be, is it?

	DS

Re: Is there something that can be done against this ???

[Helge Hafting]

David Schwartz wrote:
> 
> > The question is not : "is this script dangerous ?",
> > but "are you ready to blindly execute a shell script
> > (or any program) that you receive in your  mail ?".
> 
>         Sure, as a user created solely for that purpose, it should be entirely
> safe.

It definitely ought to be safe.  But don't run any script people mail
you in a test account - you'll be sorry when they exploit a bug in
your kernel or perhaps one of your trusted daemons...

Helge Hafting

Re: Is there something that can be done against this ???

[joseph.bueno]

David Schwartz wrote:
> 
> > The question is not : "is this script dangerous ?",
> > but "are you ready to blindly execute a shell script
> > (or any program) that you receive in your  mail ?".
> 
>         Sure, as a user created solely for that purpose, it should be entirely
> safe.
> 

How many users are there that use a specific user account to read
their emails on their Linux workstation ?
I don't, I use my account to read mails, write documents,
develop programs,etc. So even if a malicious program does
not do any arm to the system, it can at least destroy or corrupt my
own files and I will loose time restoru=ing from last backup and
rebuilding recently modified files.

> > I don't care if this script is dangerous or not because I will
> > never execute it,
> > or any program that I receive my email before checking its
> > contents and making sure
> > it is OK.
> > (And my mail reader will not execute anything automatically, not
> > even Javascript).
> 
>         Why? Is it because you don't trust your system security? Your operating
> system shouldn't let the script do anything you don't want it to do.

Yes I trust my system security. But even the system is not affected,
since the script will run with my userid, it will be able to do everything
I am allowed to do.

> 
> > If somebody is dumb enough to execute any  program received by email,
> > don't loose time trying to find some weaknesses in the system; just
> > send him a shell script with "rm -rf /". It will do enough harm !
> 
>         That should do no harm. What you mean to say is "if somebody is dumb enough
> to execute any program recieved by email under a user account that has
> permissions to modify files he cares about, consume too many process slots,
> consume excessive vm, or has other special capabilities".

It was just a one line example. Even if does not do any harm to
system files, it will harm my own files !

BTW, how many people are positively sure that they can
run "su nobody -c rm -rf /" on their system without loosing anything ?

> 
> > Best protection against mail virus is not technical (although it
> > may help),
> > but user education; and this is true regardless of which operating system
> > or mail reader is used !
> 
>         If a user can run code that can harm the system, then nobody who isn't
> trusted not to harm the system can be a user. That's not how we want Linux
> to be, is it?

Well, you are right; but even if a user does not harm the system,
he will harm himself and there is no way the system can protect him
against it. So we are back to my point: user protection comes from
user education.

> 
>         DS
> 
Regards
--
Joseph Bueno
NetClub/Trader.com

Re: Is there something that can be done against this ???

[Colonel]

In clouddancer.list.kernel, you wrote:
>
>David Schwartz wrote:
>> 
>> > The question is not : "is this script dangerous ?",
>> > but "are you ready to blindly execute a shell script
>> > (or any program) that you receive in your  mail ?".
>> 
>>         Sure, as a user created solely for that purpose, it should be entirely
>> safe.
>> 
>
>How many users are there that use a specific user account to read
>their emails on their Linux workstation ?
>I don't, I use my account to read mails, write documents,
>develop programs,etc. So even if a malicious program does
>not do any arm to the system, it can at least destroy or corrupt my
>own files and I will loose time restoru=ing from last backup and
>rebuilding recently modified files.


Anybody that can think probably does that.  First they think that
setting up a test user takes a few seconds, then they think that
restoring from backup takes at least 100x longer....


-- 
Windows 2001: "I'm sorry Dave ...  I'm afraid I can't do that."

RE: Is there something that can be done against this ???

[David Schwartz]

> David Schwartz wrote:

> > > The question is not : "is this script dangerous ?",
> > > but "are you ready to blindly execute a shell script
> > > (or any program) that you receive in your  mail ?".

> >         Sure, as a user created solely for that purpose, it
> > should be entirely
> > safe.

> It definitely ought to be safe.  But don't run any script people mail
> you in a test account - you'll be sorry when they exploit a bug in
> your kernel or perhaps one of your trusted daemons...

	Well that's my point. If you don't feel comfortable doing this, it's
because you suspect that something is wrong with your system's security. Of
course, we don't go testing how scratch-resistant our glasses are by
attempting to scratch them. In principle, however, it should be safe from an
OS standpoint assuming your system has been configured to be secure.

	DS

Re: Is there something that can be done against this ???

[Scott Wood]

On Tue, Aug 14, 2001 at 03:00:58AM -0700, David Schwartz wrote:
> 	Why? Is it because you don't trust your system security? Your operating
> system shouldn't let the script do anything you don't want it to do.

Anything?  How will it be prevented from being used to attack other machines
(other than attacks that require root on the attacking machine), or to relay
spam, or to act as a warez/mp3/whatever server (sure, quotas could be used,
but are they?  And even if they are, does it have enough space for a few
small titles)?

And if that account is also used for mail reading, it could send your
mailbox to the attacker, delete or alter your mail, etc.  It'd also have
access to a bunch of e-mail addresses that it could forward itself to.

> 	That should do no harm. What you mean to say is "if somebody is dumb enough
> to execute any program recieved by email under a user account that has
> permissions to modify files he cares about, consume too many process slots,
> consume excessive vm, or has other special capabilities".

And by default, even the nobody user can use virtually all the memory or
processes it wants.  Even with only a few process slots, it could steal a
decent amount of CPU cycles (hmm... a distributed.net worm? :-).

> 	If a user can run code that can harm the system, then nobody who isn't
> trusted not to harm the system can be a user. That's not how we want Linux
> to be, is it?

If you define "harm the system" as perform any unauthorized
externally-visible (relative to the sandbox) action, then Linux is a *long*
way from achieving that.

-Scott

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Eric S. Raymond]

Alan Cox <alan@lxorguk.ukuu.org.uk>:
> http://www.amd.com/products/cpg/athlon/techdocs/index.html#chipset
> 
> Its the AMD760tm MP - really

Got it.  I read the docs.

So what are the implications of running in no-IOAPIC mode?  Performance loss?
-- 
		<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>

A nation or civilization that continues to produce soft-minded men
purchases its own spiritual death on an installment plan.
	--Martin Luther King, Jr. 

Re: S2464 (K7 Thunder) hangs -- some lessons learned

[Alan Cox]

> So what are the implications of running in no-IOAPIC mode?  Performance loss?

Slight performance hit. For the moment Im interested to know if it helps, 
as a guess

Alan

Re: Is there something that can be done against this ???

[Helge Hafting]

joseph.bueno@trader.com wrote:
[...]
> How many users are there that use a specific user account to read
> their emails on their Linux workstation ?
> I don't, I use my account to read mails, write documents,
> develop programs,etc. So even if a malicious program does
> not do any arm to the system, it can at least destroy or corrupt my
> own files and I will loose time restoru=ing from last backup and
> rebuilding recently modified files.
> 
So you aren't reading mail as root - which is what any windows
user do.  I believe few people read mail from a "mail-only"
account, but reading the mail is seldom dangerous.  If someone
mails you a unknown program though - definitely run that
from a test account if you tries it at all.

Helge Hafting

Re: Is there something that can be done against this ???

[Per Jessen]

On Mon, 13 Aug 2001 22:20:08 +0300, Mircea Ciocan wrote:

>	OK, I realized is a hoax, I should look at the code first then cry the
>wolf is comming :), but anyhow this crap is VERY effective in
>demonstrating to a clueless IT manager that Linux is oh, sooo easy to
>break in.

This is an EXCELLENT comment - we need to be concerned not just about fact, 
but also about perception. For those of you in admin jobs with clueless
IT managers watching over your shoulder, this is a real challenge. Hopefully,
since you have *already* adopted Linux, you'll be able to prove that
this particular script was no threat to Linux.


>	So at least to learn something from this, is there a way to stop
>completly that crap ???
>		My apologies to get you disturbed.

I think you did rightly so. No apologies needed.


regards,
Per Jessen

regards,
Per Jessen, Zurich
http://www.enidan.com - home of the J1 serial console.

Windows 2001: "I'm sorry Dave ...  I'm afraid I can't do that."