Lennart Poettering intends to replace "sudo" with #systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.
This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.
https://fixupx.com/hackerfantastic/status/1785495587514638559
Nitter mirror: https://xcancel.com/hackerfantastic/status/1785495587514638559
This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.
https://fixupx.com/hackerfantastic/status/1785495587514638559
Nitter mirror: https://xcancel.com/hackerfantastic/status/1785495587514638559
๐งต Thread โข FxTwitter / FixupX
hackerfantastic.x (@hackerfantastic)
Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication withโฆ
๐5
Here are some links about #systemd #alternatives for #Linux in no particular order.
Which are your favorite alternatives and distros?
https://wiki.gentoo.org/wiki/Comparison_of_init_systems
https://suckless.org/sucks/systemd/
https://unixsheikh.com/articles/the-real-motivation-behind-systemd.html
https://sysdfree.wordpress.com/
https://nosystemd.org/
https://skarnet.org/software/systemd.html
https://the-world-after-systemd.ungleich.ch/
https://ewontfix.com/14/
https://forums.debian.net/viewtopic.php?t=120652
https://www.devuan.org/os/announce/
https://www.devuan.org/os/init-freedom
https://thehackernews.com/2019/01/linux-systemd-exploit.html
https://judecnelson.blogspot.com/2014/09/systemd-biggest-fallacies.html
https://chiefio.wordpress.com/2016/05/18/systemd-it-keeps-getting-worse/
https://systemd-free.artixlinux.org/why.php
Some more added here too: https://start.me/p/Kg8keE/priv-sec
#systemd #Linux
Which are your favorite alternatives and distros?
https://wiki.gentoo.org/wiki/Comparison_of_init_systems
https://suckless.org/sucks/systemd/
https://unixsheikh.com/articles/the-real-motivation-behind-systemd.html
https://sysdfree.wordpress.com/
https://nosystemd.org/
https://skarnet.org/software/systemd.html
https://the-world-after-systemd.ungleich.ch/
https://ewontfix.com/14/
https://forums.debian.net/viewtopic.php?t=120652
https://www.devuan.org/os/announce/
https://www.devuan.org/os/init-freedom
https://thehackernews.com/2019/01/linux-systemd-exploit.html
https://judecnelson.blogspot.com/2014/09/systemd-biggest-fallacies.html
https://chiefio.wordpress.com/2016/05/18/systemd-it-keeps-getting-worse/
https://systemd-free.artixlinux.org/why.php
Some more added here too: https://start.me/p/Kg8keE/priv-sec
#systemd #Linux
๐11๐4๐3๐ค1๐ฑ1
Warning for #Android gapps traitors:
Uninstall the application:
https://play.google.com/store/apps/details?id=com.google.android.safetycore
Be careful on GrapheneOS too if you have Google services installed.
While GrapheneOS will stop it from auto installing, it can nag you about installing it. And it won't tell you what it really is. Nor will most online resources.
https://grapheneos.org/releases
https://discuss.grapheneos.org/d/19193-android-system-safety-core
If you don't have GrapheneOS, it's going to automatically install itself again at some point after uninstalling it.
Locating the App
Go to Settings โ Apps (or Apps & Notifications) โ Show system apps. Look for โAndroid System SafetyCore.โ
Check whether the app has any special permissions (e.g., internet access).
Uninstalling or Disabling
In many cases, you can uninstall an update or at least disable the app. Check the available options in the app info.
This is client side scanning. It's a way to spy on your device before it's encrypted.
Other information on the topic:
https://www.androidauthority.com/google-messages-nudes-3499420/
https://www.androidauthority.com/android-system-key-verifier-3499353/
Uninstall the application:
Android System SafetyCore, which has been automatically installed on most devices. It is used by Google to scan your data, just like Apple has been doing on iOS, but you have the choice to uninstall it. If you don't have it yet, watch out for it being installed silently over the next few days!https://play.google.com/store/apps/details?id=com.google.android.safetycore
Be careful on GrapheneOS too if you have Google services installed.
While GrapheneOS will stop it from auto installing, it can nag you about installing it. And it won't tell you what it really is. Nor will most online resources.
Sandboxed Google Play compatibility layer: stop Play Store from attempting to auto-install some system component packages, such as "Android System SafetyCore" (com.google.android.safetycore) and "Android System Key Verifier" (com.google.android.contactkeys)
https://grapheneos.org/releases
The phone is asking me to install this app, anyone knows information about if its truly need it or not? Im with the Google Play Services sandbox install
https://discuss.grapheneos.org/d/19193-android-system-safety-core
If you don't have GrapheneOS, it's going to automatically install itself again at some point after uninstalling it.
Locating the App
Go to Settings โ Apps (or Apps & Notifications) โ Show system apps. Look for โAndroid System SafetyCore.โ
Check whether the app has any special permissions (e.g., internet access).
Uninstalling or Disabling
In many cases, you can uninstall an update or at least disable the app. Check the available options in the app info.
This is client side scanning. It's a way to spy on your device before it's encrypted.
Other information on the topic:
https://www.androidauthority.com/google-messages-nudes-3499420/
https://www.androidauthority.com/android-system-key-verifier-3499353/
๐33โค2๐1๐1
The functionality provided by Google's new Android System SafetyCore app available through the Play Store is covered here:
https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html
Neither this app or the Google Messages app using it are part of GrapheneOS and neither will be, but GrapheneOS users can choose to install and use both. Google Messages still works without the new app.
The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.
It's unfortunate that it's not open source and released as part of the Android Open Source Project and the models also aren't open let alone open source. It won't be available to GrapheneOS users unless they go out of the way to install it.
We'd have no problem with having local neural network features for users, but they'd have to be open source. We wouldn't want anything saving state by default. It'd have to be open source to be included as a feature in GrapheneOS though, and none of it has been so it's not included.
Google Messages uses this new app to classify messages as spam, malware, nudity, etc. Nudity detection is an optional feature which blurs media detected as having nudity and makes accessing it require going through a dialog.
Apps have been able to ship local AI models to do classification forever. Most apps do it remotely by sharing content with their servers. Many apps have already have client or server side detection of spam, malware, scams, nudity, etc.
Classifying things like this is not the same as trying to detect illegal content and reporting it to a service. That would greatly violate people's privacy in multiple ways and false positives would still exist. It's not what this is and it's not usable for it.
GrapheneOS has all the standard hardware acceleration support for neural networks but we don't have anything using it. All of the features they've used it for in the Pixel OS are in closed source Google apps. A lot is Pixel exclusive. The features work if people install the apps.
https://xcancel.com/GrapheneOS/status/1888280836426084502
https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html
Neither this app or the Google Messages app using it are part of GrapheneOS and neither will be, but GrapheneOS users can choose to install and use both. Google Messages still works without the new app.
The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.
It's unfortunate that it's not open source and released as part of the Android Open Source Project and the models also aren't open let alone open source. It won't be available to GrapheneOS users unless they go out of the way to install it.
We'd have no problem with having local neural network features for users, but they'd have to be open source. We wouldn't want anything saving state by default. It'd have to be open source to be included as a feature in GrapheneOS though, and none of it has been so it's not included.
Google Messages uses this new app to classify messages as spam, malware, nudity, etc. Nudity detection is an optional feature which blurs media detected as having nudity and makes accessing it require going through a dialog.
Apps have been able to ship local AI models to do classification forever. Most apps do it remotely by sharing content with their servers. Many apps have already have client or server side detection of spam, malware, scams, nudity, etc.
Classifying things like this is not the same as trying to detect illegal content and reporting it to a service. That would greatly violate people's privacy in multiple ways and false positives would still exist. It's not what this is and it's not usable for it.
GrapheneOS has all the standard hardware acceleration support for neural networks but we don't have anything using it. All of the features they've used it for in the Pixel OS are in closed source Google apps. A lot is Pixel exclusive. The features work if people install the apps.
https://xcancel.com/GrapheneOS/status/1888280836426084502
Google Online Security Blog
5 new protections on Google Messages to help keep you safe
Posted by Jan Jedrzejowicz, Director of Product, Android and Business Communications; Alberto Pastor Nieto, Sr. Product Manager Google Messa...
๐12๐3โค2
#Systemd Adding The Ability to Boot Directly Into A Disk Image Downloaded Via HTTP
https://www.phoronix.com/news/systemd-disk-image-boot-HTTP
#Linux #backdoor
https://www.phoronix.com/news/systemd-disk-image-boot-HTTP
#Linux #backdoor
Phoronix
Systemd Adding The Ability to Boot Directly Into A Disk Image Downloaded Via HTTP
Systemd lead developer Lennart Poettering has been working on adding the ability to let systemd boot directly into a disk image downloaded via HTTP within the initial RAM disk (initrd) during the Linux boot process.
๐ฅ9๐4๐คฃ3๐1๐คฎ1
Krita
Free and open source digital painting application. It is for artists who want to create professional work from start to end. Krita is used by comic book artists, illustrators, concept artists, matte and texture painters and in the digital VFX industry.
https://krita.org
https://invent.kde.org/graphics/krita
Download
https://cdn.kde.org/ci-builds/graphics/krita/
#AI plugin
https://kritaaidiffusion.com
#krita #image #editor #paint
Free and open source digital painting application. It is for artists who want to create professional work from start to end. Krita is used by comic book artists, illustrators, concept artists, matte and texture painters and in the digital VFX industry.
https://krita.org
https://invent.kde.org/graphics/krita
Download
https://cdn.kde.org/ci-builds/graphics/krita/
#AI plugin
https://kritaaidiffusion.com
#krita #image #editor #paint
GitLab
Graphics / Krita ยท GitLab
Krita is a free and open source cross-platform application that offers an end-to-end solution for creating digital art files from scratch built on the KDE and Qt frameworks.
๐ฅ10๐7โค6๐1๐1๐คก1
kitty
The fast, feature-rich, GPU based #terminal emulator
Uses GPU and SIMD vector CPU instructions for best in class
Uses threaded rendering for absolutely minimal latency
Performance tradeoffs can be tuned
Capable Scriptable Composable Cross-platform Innovative
To get started see Quickstart.
https://sw.kovidgoyal.net/kitty/
With software, such as "Kitty", it is possible to read documents, images and other graphical formats with these software:
https://github.com/dsanson/termpdf.py
http://www.kraxel.org/blog/linux/fbida/
https://github.com/itsjunetime/tdf
It means, that we no longer need GTK+ (which dropped support for X11), Qt and other graphical toolkits in order to have a full operational computer.
The fast, feature-rich, GPU based #terminal emulator
Uses GPU and SIMD vector CPU instructions for best in class
Uses threaded rendering for absolutely minimal latency
Performance tradeoffs can be tuned
Capable Scriptable Composable Cross-platform Innovative
To get started see Quickstart.
https://sw.kovidgoyal.net/kitty/
With software, such as "Kitty", it is possible to read documents, images and other graphical formats with these software:
https://github.com/dsanson/termpdf.py
http://www.kraxel.org/blog/linux/fbida/
https://github.com/itsjunetime/tdf
It means, that we no longer need GTK+ (which dropped support for X11), Qt and other graphical toolkits in order to have a full operational computer.
kitty
If you live in the terminal, kitty is made for YOU! The fast, feature-rich, GPU based terminal emulator. Fast Uses GPU and SIMD vector CPU instructions for best in class performance, Uses threaded ...
โค5
Payload-Dumper-Android
A Powerful #OTA Extractor App for #Android
You can extract images (boot, vendor_boot...) from a OTA.zip without a PC, directly on Android, without root access.
https://github.com/rajmani7584/Payload-Dumper-Android
Download
https://github.com/rajmani7584/Payload-Dumper-Android/releases/
A Powerful #OTA Extractor App for #Android
You can extract images (boot, vendor_boot...) from a OTA.zip without a PC, directly on Android, without root access.
https://github.com/rajmani7584/Payload-Dumper-Android
Download
https://github.com/rajmani7584/Payload-Dumper-Android/releases/
๐ฅ26โ4โค1
SmartTube
Advanced player for set-top boxes and tvs running Android OS
Features
No Ads
Designed for TV screens
Up to 8K video resolution
Login into your account
Cast from the phone
Support tv box remote controller
Support external software keyboard
Support devices without Google Services
Open source
https://smarttubeapp.github.io
https://github.com/yuliskov/SmartTube
https://github.com/yuliskov/SmartTube/releases
WARNING NOT FULLY OPEN SOURCE
There are at least 5 proprietary libraries in the app.
https://github.com/yuliskov/SmartTube/issues/471
* Crashlytics (/com/crashlytics): Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): Tracking
IzzySoft:
The 5 offenders are not permitted at F-Droid (and before you ask: I wouldn't take it into my repo either unless at least Crashlytics and Firebase Analytics are removed; 5 non-free libraries is a bit much for free/libre software).
#video #yt #androidtv
Advanced player for set-top boxes and tvs running Android OS
Features
No Ads
Designed for TV screens
Up to 8K video resolution
Login into your account
Cast from the phone
Support tv box remote controller
Support external software keyboard
Support devices without Google Services
Open source
https://smarttubeapp.github.io
https://github.com/yuliskov/SmartTube
https://github.com/yuliskov/SmartTube/releases
WARNING NOT FULLY OPEN SOURCE
There are at least 5 proprietary libraries in the app.
https://github.com/yuliskov/SmartTube/issues/471
* Crashlytics (/com/crashlytics): Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): Tracking
IzzySoft:
The 5 offenders are not permitted at F-Droid (and before you ask: I wouldn't take it into my repo either unless at least Crashlytics and Firebase Analytics are removed; 5 non-free libraries is a bit much for free/libre software).
#video #yt #androidtv
SmartTube (Official Site)
Home
Free premium app for Android boxes and tvs
๐ฅ13๐7โค1๐ฅฐ1
ReVanced
https://revanced.app
Download
https://github.com/ReVanced/revanced-manager/releases
ReVanced Documentation
https://github.com/ReVanced/revanced-documentation
Patches
https://revanced.app/patches
https://github.com/revanced
https://t.me/app_revanced
Revanced magisk module
https://github.com/j-hc/revanced-magisk-module
https://t.me/rvc_magisk
#revanced #vanced #video #yt #android
https://revanced.app
Download
https://github.com/ReVanced/revanced-manager/releases
ReVanced Documentation
https://github.com/ReVanced/revanced-documentation
Patches
https://revanced.app/patches
https://github.com/revanced
https://t.me/app_revanced
Revanced magisk module
https://github.com/j-hc/revanced-magisk-module
https://t.me/rvc_magisk
#revanced #vanced #video #yt #android
revanced.app
Continuing the legacy of Vanced.
๐13๐ฅ10โ2โค1