Web technologies are evolving at such a frenetic pace that it becomes almost mandatory to learn on your own. A lot of us still depend on other people to do this learning for us, and we tend to use their answers to solve our everyday problems.
Inconsistent implementations, rapidly evolving specs, questionable performance impacts and maintenance implications mean we cannot always depend on others for answers but must involve ourselves actively in the process of developing specifications for new Web technologies. But how do we go about it?
There are some simple rituals we can all do, which can have us be better-informed and also better inform the people and groups who are most directly involved in the development of new Web technologies.
Web technologies are evolving at such a frenetic pace that it becomes almost mandatory to learn on your own. A lot of us still depend on other people to do this learning for us, and we tend to use their answers to solve our everyday problems.
Inconsistent implementations, rapidly evolving specs, questionable performance impacts and maintenance implications mean we cannot always depend on others for answers but must involve ourselves actively in the process of developing specifications for new Web technologies. But how do we go about it?
There are some simple rituals we can all do, which can have us be better-informed and also better inform the people and groups who are most directly involved in the development of new Web technologies.
Talk for YOW! by Brendan Gregg. "Systems performance studies the performance of computing systems, including all physical components and the full software stack to help you find performance wins for your application and kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (ftrace, bcc/BPF, and bpftrace/BPF), advice about what is and isn't important to learn, and case studies to see how it is applied. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud.
"
USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
Performance Wins with BPF: Getting StartedBrendan Gregg
Keynote by Brendan Gregg for the eBPF summit, 2020. How to get started finding performance wins using the BPF (eBPF) technology. This short talk covers the quickest and easiest way to find performance wins using BPF observability tools on Linux.
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
Bpftrace is a relatively new eBPF-based open source tracer for modern Linux versions (kernels 5.x.y) that is useful for analyzing production performance problems and troubleshooting software. Basic usage of the tool, as well as bpftrace one liners and advanced scripts useful for MariaDB DBAs are presented. Problems of MariaDB Server dynamic tracing with bpftrace and some possible solutions and alternative tracing tools are discussed.
Linux kernel tracing superpowers in the cloudAndrea Righi
The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
Talk by Brendan Gregg for OSSNA 2017. "Advanced performance observability and debugging have arrived built into the Linux 4.x series, thanks to enhancements to Berkeley Packet Filter (BPF, or eBPF) and the repurposing of its sandboxed virtual machine to provide programmatic capabilities to system tracing. Netflix has been investigating its use for new observability tools, monitoring, security uses, and more. This talk will be a dive deep on these new tracing, observability, and debugging capabilities, which sooner or later will be available to everyone who uses Linux. Whether you’re doing analysis over an ssh session, or via a monitoring GUI, BPF can be used to provide an efficient, custom, and deep level of detail into system and application performance.
This talk will also demonstrate the new open source tools that have been developed, which make use of kernel- and user-level dynamic tracing (kprobes and uprobes), and kernel- and user-level static tracing (tracepoints). These tools provide new insights for file system and storage performance, CPU scheduler performance, TCP performance, and a whole lot more. This is a major turning point for Linux systems engineering, as custom advanced performance instrumentation can be used safely in production environments, powering a new generation of tools and visualizations."
Using the new extended Berkley Packet Filter capabilities in Linux to the improve performance of auditing security relevant kernel events around network, file and process actions.
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
Talk for Kernel Recipes 2017 by Brendan Gregg. "Linux perf is a crucial performance analysis tool at Netflix, and is used by a self-service GUI for generating CPU flame graphs and other reports. This sounds like an easy task, however, getting perf to work properly in VM guests running Java, Node.js, containers, and other software, has been at times a challenge. This talk summarizes Linux perf, how we use it at Netflix, the various gotchas we have encountered, and a summary of advanced features."
Mechanisms and tools of development and monitoring in Linux Kernel
A brief presentation about the tools and mechanisms about development for the Linux Kernel to help understanding of what is required.
Tools that create an execution profile or provide instrumentation through static or dynamic methods, the Linux Kernel code, will be presented.
Also discussed will be the GDB debugger and how through a remote virtual serial connection to a virtual machine it can be used to debug a live Kernel and Linux Kernel modules. Also demonstrated will be how a deeper understanding of the code can be attained by attaching the memory locations used by the Kernel module to the GDB session.
Lastly, some of the Kernel execution contexts, such as, interrupts, deferrable work, context, etc. are presented.
Spying on the Linux kernel for fun and profitAndrea Righi
Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes.
While probably the most prominent, Docker is not the only tool for building and managing containers. Originally meant to be a "chroot on steroids" to help debug systemd, systemd-nspawn provides a fairly uncomplicated approach to work with containers. Being part of systemd, it is available on most recent distributions out-of-the-box and requires no additional dependencies.
This deck will introduce a few concepts involved in containers and will guide you through the steps of building a container from scratch. The payload will be a simple service, which will be automatically activated by systemd when the first request arrives.
Talk for YOW! by Brendan Gregg. "Systems performance studies the performance of computing systems, including all physical components and the full software stack to help you find performance wins for your application and kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (ftrace, bcc/BPF, and bpftrace/BPF), advice about what is and isn't important to learn, and case studies to see how it is applied. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud.
"
USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
Performance Wins with BPF: Getting StartedBrendan Gregg
Keynote by Brendan Gregg for the eBPF summit, 2020. How to get started finding performance wins using the BPF (eBPF) technology. This short talk covers the quickest and easiest way to find performance wins using BPF observability tools on Linux.
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
Bpftrace is a relatively new eBPF-based open source tracer for modern Linux versions (kernels 5.x.y) that is useful for analyzing production performance problems and troubleshooting software. Basic usage of the tool, as well as bpftrace one liners and advanced scripts useful for MariaDB DBAs are presented. Problems of MariaDB Server dynamic tracing with bpftrace and some possible solutions and alternative tracing tools are discussed.
Linux kernel tracing superpowers in the cloudAndrea Righi
The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
Talk by Brendan Gregg for OSSNA 2017. "Advanced performance observability and debugging have arrived built into the Linux 4.x series, thanks to enhancements to Berkeley Packet Filter (BPF, or eBPF) and the repurposing of its sandboxed virtual machine to provide programmatic capabilities to system tracing. Netflix has been investigating its use for new observability tools, monitoring, security uses, and more. This talk will be a dive deep on these new tracing, observability, and debugging capabilities, which sooner or later will be available to everyone who uses Linux. Whether you’re doing analysis over an ssh session, or via a monitoring GUI, BPF can be used to provide an efficient, custom, and deep level of detail into system and application performance.
This talk will also demonstrate the new open source tools that have been developed, which make use of kernel- and user-level dynamic tracing (kprobes and uprobes), and kernel- and user-level static tracing (tracepoints). These tools provide new insights for file system and storage performance, CPU scheduler performance, TCP performance, and a whole lot more. This is a major turning point for Linux systems engineering, as custom advanced performance instrumentation can be used safely in production environments, powering a new generation of tools and visualizations."
Using the new extended Berkley Packet Filter capabilities in Linux to the improve performance of auditing security relevant kernel events around network, file and process actions.
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
Talk for Kernel Recipes 2017 by Brendan Gregg. "Linux perf is a crucial performance analysis tool at Netflix, and is used by a self-service GUI for generating CPU flame graphs and other reports. This sounds like an easy task, however, getting perf to work properly in VM guests running Java, Node.js, containers, and other software, has been at times a challenge. This talk summarizes Linux perf, how we use it at Netflix, the various gotchas we have encountered, and a summary of advanced features."
Mechanisms and tools of development and monitoring in Linux Kernel
A brief presentation about the tools and mechanisms about development for the Linux Kernel to help understanding of what is required.
Tools that create an execution profile or provide instrumentation through static or dynamic methods, the Linux Kernel code, will be presented.
Also discussed will be the GDB debugger and how through a remote virtual serial connection to a virtual machine it can be used to debug a live Kernel and Linux Kernel modules. Also demonstrated will be how a deeper understanding of the code can be attained by attaching the memory locations used by the Kernel module to the GDB session.
Lastly, some of the Kernel execution contexts, such as, interrupts, deferrable work, context, etc. are presented.
Spying on the Linux kernel for fun and profitAndrea Righi
Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes.
While probably the most prominent, Docker is not the only tool for building and managing containers. Originally meant to be a "chroot on steroids" to help debug systemd, systemd-nspawn provides a fairly uncomplicated approach to work with containers. Being part of systemd, it is available on most recent distributions out-of-the-box and requires no additional dependencies.
This deck will introduce a few concepts involved in containers and will guide you through the steps of building a container from scratch. The payload will be a simple service, which will be automatically activated by systemd when the first request arrives.
You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!
Video: https://www.youtube.com/watch?v=uibLwoVKjec . Talk by Brendan Gregg for Sysdig CCWFS 2016. Abstract:
"You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!"
Our lab planned a one-week lecture for bioinformatics beginners. I am right now the system administrator of Linux servers, NAS and Vms, so i want to teach the basics of linux system for new Linux users. And i wish to share my slide with you.
Introduction to Docker (as presented at December 2013 Global Hackathon)Jérôme Petazzoni
Not on board of the Docker ship yet? This presentation will get you up to speed, and explain everything you want to know about Linux Containers and Docker, including the new features of the latest 0.7 version (which brings support for all Linux distros and kernels).
Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek Jana treek
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
Users of modern Linux containerization technologies are frequently at loss with what kind of security guarantees are delivered by tools they use. Typical questions range from Can these be used to isolate software with known security shortcomings and rich history of security vulnerabilities? to even Can I used such technique to isolate user-generated and potentially hostile assembler payloads?
Modern Linux OS code-base as well as independent authors provide a plethora of options for those who desire to make sure that their computational loads are solidly confined. Potential users can choose from solutions ranging from Docker-like confinement projects, through Xen hypervisors, seccomp-bpf and ptrace-based sandboxes, to isolation frameworks based on hardware virtualization (e.g. KVM).
The talk will discuss available today techniques, with focus on (frequently overstated) promises regarding their strength. In the end, as they say: “Many speed bumps don’t make a wall
Linux Server Deep Dives (DrupalCon Amsterdam)Amin Astaneh
Over the past few years the Linux kernel has gained features that allow us to learn more about what's really happening on our servers and the applications that run on them.
This talk will explore how these new features, particularly perf_events and ebpf, enable us to answer questions about what a Drupal site is doing in real time beyond what the standard logs, server performance tools, and even strace will reveal. Attendees will be provided a brief introduction to example uses of these tools to diagnose performance problems.
This talk is intended for attendees that are familiar with Linux, the command line, and have used host observability tools in the past (top, netstat, etc).
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
1. Linux Capabilites
Table of Contents
Title Pages Title Pages
Table of Contents 1 Extracting and... 4
Copyright Notice 1 System Configuration 2
LC: what they are... 3 Capability Assignment 10
The ping case 4 Distro Status 7
What LC for ping? 3 Issues? 2
Managing LCs 4 Aknowledgments 1
More examples 10
3. Linux Capabilites:
what they are and do 1-3
● Started as an implementation of POSIX:
1003.1e (API), "Protection, Audit and
Control Interfaces"
1003.2c (Shell and Utilities), "Protection
and Control Interfaces"
● Sometimes called Linux POSIX Capabilities
● 1003.1e and 1003.2c were last revised in 1997
● In 1999 they were set as withdrawn drafts
● Linux has thus gone it's own way
4. Linux Capabilites:
what they are and do 2-3
Advantages:
● They allow delegation of super-user rights to
unprivileged processes, like suid bit
● They are recorded on the filesystem, like suid bit
● They do not work on a “everything or nothing”
basis, unlike suid
In short:
● they allow a process to do some selected things
with root rights, while not anything else
5. Linux Capabilites:
what they are and do 3-3
Disadvantages:
● Commands need code to be made LC-conscious
● Some FS do not support LC (NFS v.3, though squashfs,
tmpfs and f2fs now do):
[root@debian ~]# getcap /mnt/nfs/nfsserver/dumpdates
Failed to get capabilities of file `/mnt/nfs/nfsserver/dumpdates'
(Operation not supported)
[root@debian ~]#
● LCs are not dropped like SUID
The newer libcap-ng libs makes this easy
6. TThhee ppiinngg ccaassee 11--44
● A classic example: ping
● It needs superuser rights to send echo-request
ICMP packets
● You surely do not want to let anyone be able to
produce arbitrary ICMP packets!
● This is the traditional approach:
7. TThhee ppiinngg ccaassee 22--44
Starting situation:
[alessandro@ubuntu ~]$ lsb_release drc
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
[alessandro@ubuntu ~]$ ll /bin/ping
rwsrxrx
1 root root 44178 mag 7 23:51 /bin/ping
[alessandro@ubuntu ~]$ ping c
3 routeadd.
net
PING routeadd.
net (195.182.210.166) 56(84) bytes of data.
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=1 ttl=55 time=46.8 ms
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=2 ttl=55 time=46.6 ms
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=3 ttl=55 time=45.5 ms
routeadd.
net ping statistics 3
packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 45.549/46.329/46.829/0.558 ms
[alessandro@ubuntu ~]$
8. TThhee ppiinngg ccaassee 33--44
● According to standards, the process rights are
those of the user who launched the exec
Not of the owner of the executable file!
● Unless the suid bit is set, that is.
rwsrxrx
1 root root 44178 mag 7 23:51 /bin/ping
9. TThhee ppiinngg ccaassee 44--44
Let's “sabotage” ping:
[root@ubuntu ~]# chmod us
/bin/ping
[root@ubuntu ~]# ll /bin/ping
rwxrxrx
1 root root 44178 mag 7 23:51 /bin/ping
[root@ubuntu ~]#
The aftermath:
[alessandro@ubuntu ~]$ ping c
3 routeadd.
net
ping: icmp open socket: Operation not permitted
[alessandro@ubuntu ~]$
If not otherwise stated, Ubuntu and Fedora it's the same.
10. WWhhaatt LLCC ffoorr ppiinngg?? 11--33
● We want both the power and the safety
● We want to be able to open ICMP sockets
without assuming full root privileges!
● How do Linux Capabilities help us out?
● RTFM, of course!
➢ man capabilities(7)
➢ Most up-to-date list & info:
linux/include/uapi/linux/capability.h
11. WWhhaatt LLCC ffoorr ppiinngg?? 22--33
We get many capabilities to choose from:
AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC
AP_LEASE
FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE
LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE
This is what we need now
NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN
SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE
SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
12. WWhhaatt LLCC ffoorr ppiinngg?? 22--33
We get many capabilities to choose from:
AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC
AP_LEASE
Leading CAP_ omitted everywhere
FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE
LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE
This is what we need now
NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN
SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE
SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
13. WWhhaatt LLCC ffoorr ppiinngg?? 33--33
Man page says:
CAP_NET_RAW
* use RAW and PACKET sockets;
* bind to any address for transparent proxying.
Sounds like what we need.
How shall we apply it?
14. MMaannaaggiinngg LLCCss 11--44
Capabilities can be handled whith commands:
➢ getcap, display file capabilities
➢ setcap, set file capabilities
➢ getpcaps, display process capabilities
➢ capsh, capability shell wrapper
Each capability can have these sets associated:
➢ p, process is permitted the capability
➢ e, capability is marked as effective
➢ i, capability is inherited after an execve()
15. MMaannaaggiinngg LLCCss 11--44
Capabilities can be handled whith commands:
➢ getcap, display file capabilities
➢ setcap, set file capabilities
➢ getpcaps, display process capabilities
➢ capsh, capability shell wrapper
Each capability can have these sets associated:
➢ p, process is permitted the capability
➢ e, capability is marked as effective
➢ i, capability is inherited after an execve()
This has become a bit
17. MMaannaaggiinngg LLCCss 22--44
Let's start using them:
[root@ubuntu ~]# chmod us
/bin/ping
[root@ubuntu ~]# ll /bin/ping
rwxrxrx
1 root root 44168 mag 7 23:51 /bin/ping*
[root@ubuntu ~]# getcap /bin/ping
[root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping
[root@ubuntu ~]# getcap /bin/ping
/bin/ping = cap_net_raw+ep
[root@ubuntu ~]#
Can use this notation
with setcap, too
18. MMaannaaggiinngg LLCCss 33--44
Does it work?
[alessandro@ubuntu ~]$ ping c
3 routeadd.
net
PING routeadd.
net (195.182.210.166) 56(84) bytes of data.
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=1 ttl=55 time=30.7 ms
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=2 ttl=55 time=30.9 ms
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=3 ttl=55 time=31.3 ms
routeadd.
net ping statistics 3
packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 30.709/30.988/31.350/0.304 ms
[alessandro@ubuntu ~]$
19. MMaannaaggiinngg LLCCss 44--44
Just a note: ping capabilities in Fedora 20:
[root@fedora ~]# getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+ep
[root@fedora ~]#
CAP_NET_ADMIN is for packet tagging:
[alessandro@fedora ~]$ ping c1
m
123 routeadd.
net
PING routeadd.
net (195.182.210.166) 56(84) bytes of data.
Warning: Failed to set mark 123
64 bytes from routeadd.
net (195.182.210.166): icmp_seq=1 ttl=53 time=45.8 ms
routeadd.
net ping statistics 1
packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 45.802/45.802/45.802/0.000 ms
[alessandro@fedora ~]$
20. MMoorree eexxaammpplleess 11--1111
Everyone knows of extended POSIX attributes,
right?
RRiigghhtt??
If you don't, you ought to.
● LC are useful, even necessary to make use of
EPA.
21. MMoorree eexxaammpplleess 22--1111
EPAs let you, among the rest, set files that:
a:
can only have data be appended to
i:
are immutable (cannot overwrite or erase)
S:
do synchronous writes on the media
D:
synchronous writes on directories
... (there can be up to 19)
Figuring out what filesystem supports which EPA
and with not is a matter of guesswork...
22. MMoorree eexxaammpplleess 33--1111
There is one catch, though:
● chattr does not work for ordinary users:
[alessandro@fedora ~]$ chattr +i .bashrc
chattr: Operation not permitted while setting flags on
.bashrc
[alessandro@fedora ~]$
24. MMoorree eexxaammpplleess 55--1111
But...
[alessandro@fedora ~]$ lsattr ~games/.profile
e/
opt/games/.profile
[alessandro@fedora ~]$ chattr +i ~games/.profile
[alessandro@fedora ~]$ lsattr ~games/.profile
ie/
usr/games/.profile
[alessandro@fedora ~]$
Which is normal for superuser rights.
We definitely do not want this to happen.
25. MMoorree eexxaammpplleess 66--1111
This is the right way to do it:
[root@fedora ~]# chmod us
/bin/chattr
[root@fedora ~]# ll /bin/chattr
rwxrxrx
1 root root 10736 Aug 3 11:36 /bin/chattr
[root@fedora ~]# setcap CAP_LINUX_IMMUTABLE=ep /bin/chattr
[root@fedora ~]# getcap /bin/chattr
/bin/chattr = cap_linux_immutable+ep
[root@fedora ~]#
26. MMoorree eexxaammpplleess 77--1111
Which causes the right things to happen:
[alessandro@fedora ~]$ lsattr .bashrc
e.
bashrc
[alessandro@fedora ~]$ chattr +i .bashrc
[alessandro@fedora ~]$ lsattr .bashrc
ie.
bashrc
[alessandro@fedora ~]$ chattr +i ~games/.profile
chattr: Permission denied while setting flags on
/usr/games/.profile
[alessandro@fedora ~]$
28. MMoorree eexxaammpplleess 88--1111
●DAC = Discretionary Access Control
● It's the classic Unix “who gets to do what”
decision mechanism
● In the filesystem it shows as the rwx file rights
● Linux Capabilities can mess them up as well! :-)
29. MMoorree eexxaammpplleess 99--1111
Let's beep the beeper! (In an xterm)
[alessandro@fedora ~]$ beep f
2000 l
100
Could not open /dev/tty0 or /dev/vc/0 for writing
open: No such file or directory
[alessandro@fedora ~]$
Man page says:
By default beep is not installed with the suid bit set, because that
would just be zany. On the other hand, if you do make it suid
root, all your problems with beep bailing on ioctl calls will
magically vanish, which is pleasant, and the only reason not to is
that any suid program is a potential security hole. Conveniently,
beep is very short, so auditing it is pretty straightforward.
30. MMoorree eexxaammpplleess 1100--1111
Let's try using LC instead. The error we got was:
Could not open /dev/tty0 or /dev/vc/0 for writing
That is, it's a DAC issue.
[root@fedora ~]# setcap CAP_DAC_OVERRIDE=pe /bin/beep
[root@fedora ~]#
[alessandro@fedora ~]$ beep f
2000 l
100
ioctl: Operation not permitted
ioctl: Operation not permitted
[alessandro@fedora ~]$
CAP_SYS_TTY_CONFIG
Use vhangup(2); employ various privileged ioctl(2) operations
on virtual terminals.
From
beep(1):
33. Extracting and Decoding LC info
1-4
What LCs are active now?
[root@ubuntu ~]# cp /bin/bash /tmp/
[root@ubuntu ~]# setcap CAP_KILL,CAP_DAC_OVERRIDE+epi /tmp/bash
[root@ubuntu ~]# getcap /tmp/bash
/tmp/bash = cap_dac_override,cap_kill+eip
[root@ubuntu ~]#
Inheritance is set
[alessandro@ubuntu ~]$ /tmp/bash l
[alessandro@ubuntu ~]$ getpcaps $$
Capabilities for `15400': = cap_dac_override,cap_kill+ep
[alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status
CapInh: 0000000000000000
CapPrm: 0000000000000022
CapEff: 0000000000000022
CapBnd: 0000001fffffffff
[alessandro@ubuntu ~]$
Inheritance is missing!
34. Extracting and Decoding LC info
2-4
Decoding Hex LC bitmap:
[alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status
CapInh: 0000000000000000
CapPrm: 0000000000000022
CapEff: 0000000000000022
CapBnd: 0000001fffffffff
[alessandro@ubuntu ~]$ capsh decode=
0000000000000000
0x0000000000000000=
[alessandro@ubuntu ~]$ capsh decode=
0000000000000022
0x0000000000000022=cap_dac_override,cap_kill
[alessandro@ubuntu ~]$
Still represented as a set
35. Extracting and Decoding LC info
3-4
0000001fffffffff = Capability Bounding Set
1 = allowable cap (kept if present)
0 = masked cap (or no LC associated to bit)
Bits are mapped one-to-one to a LC
0000001fffffffff is a 64-bit mask
● It's been a 64 bit mask since libcap vers. 2.03
● Before it was 32-bit
36. Extracting and Decoding LC info
4-4
Number of bit-mapped capabilities is consistent
with zero-based value stored in
/proc/sys/kernel/cap_last_cap
Kernel 3.14.19:1fffffffff → 1+9*4=37
/proc/sys/kernel/cap_last_cap = 36
Kernel 3.16.3: 3fffffffff → 2+9*4=38
/proc/sys/kernel/cap_last_cap = 37
37. SSyysstteemm CCoonnffiigguurraattiioonn 11--22
capability.conf1: users who inherit LCs
[root@ubuntu ~]# cat /etc/security/capability.conf
cap_kill alessandro
none *
[root@ubuntu ~]#
Changes are effective after a new login:
Ubuntu 14.04.1 LTS ubuntu tty1
If missing all users get all
available capabilities!
CAP_KILL is now inherited
ubuntu login: alessandro
Password:
[alessandro@ubuntu ~]$ getpcaps $$
Capabilities for `8586': = cap_kill+i
[alessandro@ubuntu ~]$
38. SSyysstteemm CCoonnffiigguurraattiioonn 22--22
Child process of new shell now does inherit LCs:
[alessandro@ubuntu ~]$ getpcaps $$
Capabilities for `16332': = cap_kill+i
[alessandro@ubuntu ~]$ getcap /tmp/bash
/tmp/bash = cap_dac_override,cap_kill+eip
[alessandro@ubuntu ~]$ /tmp/bash l
[alessandro@ubuntu ~]$ getpcaps $$
Capabilities for `16849': = cap_kill+eip cap_dac_override+ep
[alessandro@ubuntu ~]$
Cap is in config file Cap is not in config file
1) Ubuntu package libpam-cap is required. Fedora has package libcap,
but this setup does not work (PAM failure: System error)
39. Capability aassssiiggnnmmeenntt 11--1100
2.2.11 2.6.25 optional
2.6.33 built-in
System-wide bounding-set Per-thread bounding-set
● Before 2.6.25 Bounding Set was system-wide
● Beginning 2.6.25 it's per-thread
● Can be dropped by process with CAP_SETPCAP
via prctl(2) PR_CAPBSET_DROP operation
● Inherited at fork(2), preserved on execve(2)
● Optional until 2.6.33, then built-in
40. Capability aassssiiggnnmmeenntt 22--1100
N New P Previous F Capab. set to the File
e Effective
capability p Permitted capability i Inherited capability
CBS Capability Bounding Set1
New capabilities used to be computed this way:
Np (Pi∪Fi)∩(Fp∪CBS)
Ne Fe∪Np
Ni Pi
1) Mask of permitted capabilities retained after an execve(2). No effect on inherited caps.
From kernel 2.6.25, limits inherited capabilities that can be added to self even if they are permitted.
41. Capability aassssiiggnnmmeenntt 33--1100
N New P Previous F Capab. set to the File
e Effective
capability p Permitted capability i Inherited capability
CBS Capability Bounding Set1
Now they are computed this way:
Np (Pi∪Fi)∩(Fp∪CBS)
Ne Fe ? Np : 02
Ni Pi
2) Not and AND any more, because Effective set is a bit, no longer a set (one bit per capability) as it
used to be.
42. Capability aassssiiggnnmmeenntt 44--1100
What does the Capability Bounding Set do?
1) On an execve(2), it ANDs out thread's
permitted caps from file's permitted caps.
2) Limits thread's inheritable caps that can be
added with a capset(2) (kernel >= 2.6.25).
a)Filtered capability can still be permitted
b)Inheritable cap can still be set if it's in
file's inheritable set.
43. Capability aassssiiggnnmmeenntt 55--1100
Possibile security risk: undesired permitted caps.
Consider the situation:
1) Parent process has CAP_X Inh, not in CBS
2) CAP_X cannot be in Perm set
a) But it is retained in Inh set by children
3) Process can still exec child with CAP_X in
both Perm and Inh sets!
Dropping CBS can instill a false sense of security!
Alone it's not sufficient!
44. Capability aassssiiggnnmmeenntt 66--1100
Like SUID, shell scripts' LC are not honored:
[alessandro@ubuntu ~]$ cat ~/bin/test_cap.sh
#!/bin/dash
getpcaps $$
grep ^Cap /proc/$$/status
[alessandro@ubuntu ~]$ getcap ~/bin/test_cap.sh
/home/alessandro/bin/test_cap.sh = cap_linux_immutable+ep
[alessandro@ubuntu ~]$ test_cap.sh
Capabilities for `9093': =
Not honored
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
Not honored
CapBnd: 0000001fffffffff
[alessandro@ubuntu ~]$
45. Capability aassssiiggnnmmeenntt 77--1100
Only binary executables' LC are honored:
[alessandro@ubuntu ~]$ cat ~/bin/test2_cap.sh
#!/tmp/dash
getpcaps $$
grep ^Cap /proc/$$/status
[alessandro@ubuntu ~]$ getcap ~/bin/test2_cap.sh /tmp/dash
/tmp/dash = cap_linux_immutable+ep
[alessandro@ubuntu ~]$ test2_cap.sh
Capabilities for `9218': = cap_linux_immutable+ep
CapInh: 0000000000000000
CapPrm: 0000000000000200
CapEff: 0000000000000200
Now honored Now honored
CapBnd: 0000001fffffffff
[alessandro@ubuntu ~]$
47. Capability aassssiiggnnmmeenntt 99--1100
CBS reduction with capsh. Initial state:
[alessandro@ubuntu ~]$ getcap $(which capsh ping)
/sbin/capsh = cap_setpcap+p
/bin/ping = cap_net_raw+p
[alessandro@ubuntu ~]$ getpcaps $$
Capabilities for `7842': =
[alessandro@ubuntu ~]$ ping qc1
routeadd.
net
PING routeadd.
net (195.182.210.166) 56(84) bytes of data.
routeadd.
net ping statistics 1
packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.718/27.718/27.718/0.000 ms
[alessandro@ubuntu ~]$
48. CCaappaabbiilliittyy aassssiiggnnmmeenntt 1100--1100
Running new shell with lowered CBS via capsh:
[alessandro@ubuntu ~]$ capsh drop=
cap_net_raw [
alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffdfff
[alessandro@ubuntu ~]$ capsh decode=
2000
0x0000000000002000=cap_net_raw
[alessandro@ubuntu ~]$ ping qc1
routeadd.
net
ping: icmp open socket: Operation not permitted
[alessandro@ubuntu ~]$
49. DDiissttrroo ssttaattuuss 11--77
The plan is to replace as many SUID/SGID
executables with capabilities as possible:
● Fedora: Last update: 2011-04-05, completion:
100% (many, but not all, SUID taken off)
● Ubuntu: WIP (Last update: 2011-09-27)
Not everything SUID could be ported to Linux
Capabilities (yet)
51. DDiissttrroo ssttaattuuss 33--77
Ubuntu 14.04.1 (Trusty Tahr): a few more (also in
a non-standard, XFCE install)
# find / /usr xdev
type
f perm
/111 perm
/4000 user
root | wc l
29
#
They used to be 34 in 13.10 (Saucy Salamander)
52. DDiissttrroo ssttaattuuss 44--77
Let's see one case where LC do not work:
[alessandro@fedora ~]$ ll /usr/bin/at
rwsrxrx
1 root root 53208 5 dic 12.34 /usr/bin/at
[alessandro@fedora ~]$ getcap /usr/bin/at
[alessandro@fedora ~]$
Let's strip off the SUID bit and any cap:
[root@fedora ~]# chmod us
/usr/bin/at
[root@fedora ~]# setcap r
/usr/bin/at
[root@fedora ~]#
[alessandro@fedora ~]$ at f
~/bin/at.sh now+5min
cannot set egid: Operation not permitted
[alessandro@fedora ~]$
53. DDiissttrroo ssttaattuuss 55--77
Let's try to make it happy:
[root@fedora ~]# setcap CAP_SETGID+ep /usr/bin/at
[root@fedora ~]#
No joy:
[alessandro@fedora ~]$ at f
~/bin/at.sh now+5min
cannot set euid: Operation not permitted
[alessandro@fedora ~]$
[root@fedora ~]# setcap CAP_SETUID,CAP_SETGID+ep /usr/bin/at
[root@fedora ~]#
[alessandro@fedora ~]$ at f
~/bin/at.sh now+5min
PAM failure: System error
[alessandro@fedora ~]$ :(
54. DDiissttrroo ssttaattuuss 66--77
Log says:
[alessandro@fedora ~]$ tail 1
/var/log/secure
Feb 23 10:08:43 fedora at: PAM audit_log_acct_message()
failed: Operation not permitted
[alessandro@fedora ~]$
Game over, for now.
55. DDiissttrroo ssttaattuuss 77--77
Ubuntu has taken a different approach:
● it uses the same at/atd implementation (by
Thomas Koenig, ig25@rz.uni-karlsruhe.de)
● it runs the daemon as user daemon
● the client command is SUID and SGUI
daemon:daemon, allowing it to:
write into /var/spool/cron/atjobs/.SEQ
send atd signals
Old school, simple, effective, safe.
56. IIssssuueess?? 11--22
«Why are not more people aware of and using
capabilities? I believe that poor
documentation is the primary reason. For
example, Fedora 10 is missing the man pages
for getpcaps, capsh and pam_cap, and
the Fedora Security Guide does not even
mention capabilities»
(Finnbarr P. Murphy, May 28th, 2009 )
Every bit as true today!
57. IIssssuueess?? 22--22
●Online distro docs stopped years ago
● Fedora Security Guide in same condition in
19.1, and is absent in 20 documentation
➢ At least man pages are there
➢ SELinux only future?
● Behaviour of LC changing over time
➢ Same commands, capabilities and sets yield
different result from 2.6.24 with no errors
● libcap-ng should make programming easier
58. AAkknnoowwlleeddggmmeennttss 11--11
● The Linux man-pages Project people (
https://www.kernel.org/doc/man-pages/)
● Finnbarr P. Murphy (blog post and references,
useful though outdated)
● And kernel developers, of course!
Andrew G. Morgan <morgan@kernel.org>
Alexander Kjeldaas <astor@guardian.no> with help
from Aleph1, Roland Buresund and Andrew Main.