!NBBFPbiuttRgTqbrcY:nixos.org

NixOS Security Discussions

365 Members
Discussions around Security | Triaging happens in #security:nixos.org127 Servers

Load older messages

SenderMessageTime
27 Sep 2024
@hexa:lossy.networkhexano14:50:38
@austreelis:the-apothecary.club@austreelis:the-apothecary.club left the room.16:09:07
28 Sep 2024
@majiir:matrix.org@majiir:matrix.org left the room.00:11:31
@setthemfree:matrix.orgundltdHow can I verify that a certain port is not "open" on a certain interface / ip on my machine? Like, how can I actually test it without physically going to another machine and nmapping/etc?11:14:29
@f0x:pixie.townf0x
In reply to @setthemfree:matrix.org
How can I verify that a certain port is not "open" on a certain interface / ip on my machine? Like, how can I actually test it without physically going to another machine and nmapping/etc?
with netstat or ss 		11:48:54
@aloisw:kde.orgaloiswThat doesn't take the firewall into account.11:53:24
@f0x:pixie.townf0x
In reply to @aloisw:kde.org
That doesn't take the firewall into account.
is there anything that does, from the local machine? 		13:36:23
@clefru:matrix.orgclefru
In reply to @f0x:pixie.town
is there anything that does, from the local machine?
Put nmap into a docker container maybe? That should pass the firewall if I recall correctly. 		13:49:08
@philipp:xndr.dephilippI don't think there is a universal answer since firewalls rules are more complex than just "port open or closed". 15:15:29
@setthemfree:matrix.orgundltd
In reply to@philipp:xndr.de
I don't think there is a universal answer since firewalls rules are more complex than just "port open or closed".
let's say packets dropped or rejected by the kernel even if something is listening on said port and address 		15:24:12
@setthemfree:matrix.orgundltdand I guess the next question is "packets from where"15:26:15
@setthemfree:matrix.orgundltdto which the best answer I can provide (as a firewall noob) is "from outside my machine"15:27:08
@jwagner:wdz.deJohann Not sure about that. The netfilter is quite complex and I do not have really a clue how Docker fucks around in there. 17:05:12
@tgerbet:matrix.orgtgerbetBasically if you have a Docker container running with port binding on anything else than a local address it will bypass your FW rules (it also does on local bind but it is less likely to be an issue on standard configs)21:57:53
29 Sep 2024
@hexa:lossy.networkhexaadded CAP_DAC_OVERRIDE to logrotate.service, and was a bit worried about the broad scope, but since it runs as root a capability boundary is better than nothing?20:01:05
@hexa:lossy.networkhexajust now I grepped for other occurrences of this capability in nixpkgs20:01:18
@hexa:lossy.networkhexa 
nixos/modules/services/monitoring/netdata.nix
295:          "CAP_DAC_OVERRIDE"      # is required for freeipmi and slabinfo plugins

nixos/modules/services/security/kanidm.nix
925:        # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
929:          "CAP_DAC_OVERRIDE"

nixos/modules/services/backup/snapraid.nix
169:            CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
212:            CapabilityBoundingSet = "CAP_DAC_OVERRIDE" +

nixos/modules/services/misc/snapper.nix
282:          CapabilityBoundingSet = "CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE";

nixos/modules/services/logging/logrotate.nix
263:          "CAP_DAC_OVERRIDE"

nixos/modules/services/networking/ntp/chrony.nix
222:          CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_RESOURCE" "CAP_SYS_TIME" ];

nixos/modules/services/networking/tetrd.nix
84:            "CAP_DAC_OVERRIDE"
89:            "CAP_DAC_OVERRIDE"
20:01:22
@hexa:lossy.networkhexaideally those can be reviewed, especially if they are network-facing services like kanidm20:01:59
@hexa:lossy.networkhexa 
   CAP_DAC_OVERRIDE
          Bypass file read, write, and execute permission checks.
          (DAC is an abbreviation of "discretionary access
          control".)
20:02:37
@hexa:lossy.networkhexafwiw20:02:38
30 Sep 2024
@hexa:lossy.networkhexahttps://github.com/OpenPrinting/cups/releases/tag/v2.4.1112:11:56
@hexa:lossy.networkhexahttps://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md#changes-in-cups-v2411-2024-09-3012:12:20
@tgerbet:matrix.orgtgerbet Seems to contain only the set of patches for CVE-2024-47175. I opened the PR anyway, at least it allows us to cleanup the series of fetchpatch https://github.com/NixOS/nixpkgs/pull/345553 17:22:15
1 Oct 2024
@-_o:matrix.org-_o joined the room.21:00:10
2 Oct 2024
@insurgo:matrix.orgtlaurion aka Insurgo [UTC-4] changed their display name from tlaurion aka Insurgo [UTC-4] (πŸ›«πŸ—ΊοΈπŸ›¬: Back 2024-10-01) to tlaurion aka Insurgo [UTC-4].12:42:36
3 Oct 2024
@elvishjerricco:matrix.orgElvishJerricco emily: point was that you'd do your idea of storing per generation secrets in terms of their names, along with a store of name -> secret. That way any generation always gets the most up to date version of the secret for the name. But if the name changes, the old generation still gets whatever was stored for the old name 18:02:39
@emilazy:matrix.orgemily(wrong emily :) )18:03:02
@elvishjerricco:matrix.orgElvishJerriccodamn autocorrect18:03:09
@emilazy:matrix.orgemilyI don't think it's intuitive that the name is semantically relevant in a way that is dependent on previous generations18:03:24
@elvishjerricco:matrix.orgElvishJerricco * damn autocorrect autocomplete (that one was autocorrect) 18:03:27

Show newer messages

Back to Room ListRoom Version: 9