Linux Magazine USA 275 2023 10.pdf
Compromising WordPress
FREE DVD
Read this if you spend time on the web!
ISSUE 275 – OCTOBER 2023
Think like an Intruder: Know your enemy with these real-world attack techniques
Lemmy: Free alternative to Reddit
Gesture Control: Follow a recipe without getting batter on the keys
DietPi: Lean and fast distro for the Rasp Pi
WWW.LINUX-MAGAZINE.COM
CardStock: Add a GUI to your Python app
Kopia: Stay safe with regular backups
10 Tantalizing Free Tools!
EDITORIAL
Welcome
MUSICAL CHAIRS
Dear Reader,
Last month I used this space to talk about IBM/Red Hat’s plan to restrict access to Red Hat Enterprise Linux (RHEL) source code. This eerie announcement, which seemed quite contrary to the ideals of free software, sent shock waves through the community. Some said it violated the spirit of the GPL, and others argued it was necessary to stop the clones from stealing Red Hat’s business. Everyone agreed that Red Hat had developed a novel argument that could potentially allow them to skirt around the code-sharing protections of the GPL, and the general feeling was that the matter would only be settled after a protracted courtroom battle.

Regardless of where this episode ends legally, it is now clear that Red Hat’s clones and other competitors are not planning to wait for the courts. Various distros have come up with various plans, some of which I covered last month. This month, the big news is that Oracle, SUSE, and CIQ have joined forces to launch the Open Enterprise Linux Association (OpenELA).

OpenELA refers to itself as “a collaborative trade association to encourage the development of distributions compatible with Red Hat Enterprise Linux (RHEL) by providing open and free Enterprise Linux (EL) source code” [1]. It would take a long time to explain why this organization would be able to provide access to Red-Hat-compatible source code when Red Hat itself restricts access. Suffice it to say that Red Hat figured out a legal hack to the GPL, and the companies behind OpenELA have several options for how to hack the hack.

The legal arguments will have to play out in court – I’m more interested in what this new organization is, what it will do, and whether or not it will succeed. OpenELA is exciting for a number of reasons. First of all, it ensures ongoing free access to the Enterprise Linux code base, which will help to avoid the fragmentation and needless incompatibility that often confounds Linux users. Another important benefit of this change is that it reasserts the free software vision just when it seemed to be slipping away. The GPL is supposed to be eternally self-correcting. No vendor can corner the market, because if they try to restrict access, the community responds by forking the code and offering alternatives.

So far so good, but a word of caution: There are many complications to companies teaming up to produce a shared product that is vital to their individual livelihoods. It is way more difficult to maintain a full enterprise Linux distribution than it is to write a check every year to the Apache Software Foundation or send a few developers to work on the kernel. Ultimately, each of the companies participating in OpenELA will have to sublimate their own priorities for the project to stay on track.

Back in 2005, a group of Debian-derivative distros announced that they were banding together to form the Debian Common Core (DCC) Alliance [2], which would work communally to provide a foundation of common components they hoped would streamline development and “encourage commercial adoption” of Debian-based systems. As soon as they started, though, it became clear why the participants were separate distros in the first place and not a single Linux. The DCC Alliance was fraught with disagreements and only lasted for two years. Admittedly, some of the companies putting money into the project were having their own financial issues (who remembers Xandros and Linspire?), but the fact is, a project of this magnitude requires hundreds of decisions, and there are many reasons why different companies would want to make those decisions in different ways. Companies don’t make money by sharing everything – they make money by differentiating. When corporations try to collaborate and compete at the same time, they sometimes end up playing musical chairs like the generals in Evita.

Oracle and SUSE, for instance, aren’t exactly best bunkmates. It is true that SUSE supports Oracle database systems, but it is also true that Oracle likes to claim “Oracle database runs best on Oracle Linux” [3]. SUSE, on the other hand, is the leading system for supporting SAP’s HANA database and ERP software, which competes directly with Oracle’s Fusion Cloud ERP suite. CIQ is a smaller player than the others, but one of their areas of interest is HPC, which has long been a strength for SUSE.

The vendors behind OpenELA will have to stay together and keep their eyes on the prize if they want to avoid slipping into a game of musical chairs.
Info
[1] Open Enterprise Linux Association: https://openela.org/
[2] Debian Common Core Alliance: https://en.wikipedia.org/wiki/DCC_Alliance
[3] Oracle Database Runs Best on Oracle Linux: https://www.oracle.com/linux/technologies/rdbms-12c-oraclelinux.html
Joe Casad,
Editor in Chief
OCTOBER 2023

ON THE COVER
34 Compromising WordPress: WordPress powers the Internet, and PHP powers WordPress. What could possibly go wrong?
68 Gesture-Controlled Book: All the cooking with less of the mess: fun in the kitchen with a gesture sensor and gesture-controlled image viewer.
43 CardStock: Augment your Python apps with graphics, buttons, sounds, clip art, and more.
78 Lemmy: This free discussion platform is the perfect replacement for users who are weary of Reddit.
64 DietPi: Check out this lean and fast distro for the Raspberry Pi.
90 Kopia: A user-friendly backup solution that interfaces easily with mainstream storage services.

NEWS
08 News
• Zorin OS 16.3 Available
• Linux Mint 21.2 Available for Installation
• AlmaLinux Will No Longer Aim for 1:1 RHEL Compatibility
• Canonical Announces Real-Time Ubuntu for Intel Core
• EU-US Data Privacy Framework Ensures Safe Data Transfers
• IEEE Releases New Standard for LiFi Communications
12 Kernel News
• Heap Hardening Against Hostile Spraying
• Core Contention Improvements … or Not

REVIEWS
40 Distro Walk – Fedora: Matthew Miller, Fedora Project Leader, discusses Fedora’s relationship with Red Hat and its role in the Linux community.

COVER STORIES
Think like an Intruder: The worst case scenario is when the attackers know more than you do about your network. If you want to stay safe, learn the ways of the enemy. This month we give you a glimpse into the mind of the attacker, with a close look at privilege escalation, reverse shells, and other intrusion techniques.
16 Understanding Reverse Shells: Firewalls block shell access from outside the network. But what if the shell is launched from the inside?
22 Privilege Escalation: Even a small configuration error or oversight can create an opening for privilege escalation. These real-world escalation techniques will help you understand what to watch for.
28 Local File Inclusion: A local file inclusion attack uses files that are already on the target system.
34 How Attackers Slip Inside WordPress: WordPress is an incredibly popular tool for building websites. Don’t think the attackers haven’t noticed. We’ll show you what to keep an eye on.

IN-DEPTH
43 CardStock: CardStock provides a simple development environment for building a Python graphical application.
48 Command Line – adequate: The adequate command-line tool helps users pinpoint problems with installed DEB packages.
52 rename: The rename command is a powerful means to simultaneously rename or even move multiple files following a given pattern.
58 Programming Snapshot – Go Network Diagnostics: Why is the WiFi not working? Instead of always typing the same steps to diagnose the problem, Mike Schilli writes a tool in Go that puts the wireless network through its paces and helps isolate the cause.

95 Back Issues
96 Events
97 Call for Papers
98 Coming Next Month

73 Welcome: This month in Linux Voice.
74 Doghouse – Copyright: The ideas about and methods for protecting software rights have evolved as computers have moved from expensive and relatively rare to far more affordable and ubiquitous.

MakerSpace
64 DietPi: The DietPi minimalist distribution improves the performance of the Raspberry Pi and other single-board computers as servers and desktops and comes with more than 200 specially chosen applications and services.
75 Command-Line Screenshot Tools: Linux is awash in desktop screenshot tools, but what if you want to take a quick screenshot from a terminal window?
78 Lemmy – Reddit Alternative: With Reddit closing off access to its API, it is time to look to the Fediverse for an alternative.
84 FOSSPicks: This month Graham looks at Gyroflow, gRainbow, Polyrhythmix, mfp, Mission Center, and more!
68 Gesture-Controlled Book: Have you found yourself following instructions on a device for repairing equipment or been halfway through a recipe, up to your elbows in grime or ingredients, then needing to turn or scroll down a page?
90 Tutorial – Mastering Kopia: Data deduplication, encryption, compression, incremental backups, error correction, and support for snapshots and popular cloud storage services: Kopia delivers.
TWO TERRIFIC DISTROS – DOUBLE-SIDED DVD! SEE PAGE 6 FOR DETAILS