Hilko Bengen
hillu.bsky.social
Good luck. I would rather not have to go through that experience again, but at least the coffee has tasted much better ever since.
November 24, 2025 at 4:09 PM
That sounds like something an employment lawyer could have a lot of fun with! In my experience, an initial consultation can be worthwhile even without legal expenses insurance.
November 24, 2025 at 4:00 PM
"B… bu… but we do have enums. Just like C."
November 21, 2025 at 1:22 PM
I absolutely love how seemingly random stuff just keeps getting added to the XKCD "Dependency" image. After all, that's how we have been building our software systems for decades.
November 21, 2025 at 11:42 AM
Not nowadays, but when Python or Ruby were hyped languages, there were lots of projects whose authors mentioned the implementation language in the short description – and not much else that was interesting.

I agree on the general point, though: Avoid projects with "written in X" descriptions.
November 17, 2025 at 10:24 PM
… and portability is a non-goal for Ubuntu which only has to support a handful of Linux+glibc architectures.

To me it seems that the decision about uutils/coreutils being ready for production use in Ubuntu (which it wasn't) was driven by PR rather than by people who knew what they were doing.
October 30, 2025 at 4:04 PM
Descriptions like "a tool to do T, written in L" always appear to be less about the tool and its purpose than about the author who is really fond of writing L.
The language and its merits seem like a feature to language advocates, much less to users.
No matter if L is Rust, Python/Ruby/"modern C++".
August 14, 2025 at 8:45 AM
Wrong shade of green. Probably.
May 29, 2025 at 10:16 PM
Since only $user and $gid are used, we need an alternative way to get to $gid. The special variable $( (or $REAL_GROUP_ID) is not quite the same because it refers to the GID of the running process. Oh well.
May 25, 2025 at 9:36 PM
Apparently it matters whether getpwuid is called in scalar or list context:

strace -o perl2.trace perl -e '@x = getpwuid($<); print "@x\n"'; grep shadow perl2.trace

…accesses /etc/shadow while…

strace -o perl1.trace perl -e '$x = getpwuid($<); print "$x\n"'; grep shadow perl1.trace

…doesn't.
May 25, 2025 at 9:36 PM
okay, the first line of user_cluster_map is…

my ($user, $pwd, $uid, $gid) = getpwuid $>;

…this is where the /etc/shadow access happens. Only $user, $gid are used. getpwuid is a Perl builtin, also defined in the POSIX module. (Perl documentation says the 2 versions behave identically, though.)
May 25, 2025 at 9:36 PM
The function is part of PgCommon:

user_cluster_map: Return the PostgreSQL version, cluster, and database to connect to.

There are some getpwuid, getgrgid function calls there but nothing that explains /etc/shadow.

I'll add the function to my script copy and try modifying that…
May 25, 2025 at 9:36 PM
This is great news. We can just bisect where the curious /etc/shadow access happens by sprinkling exit calls into a copy of the code. If I put an exit before…

($version, $cluster, $db) = user_cluster_map() unless ($cluster or $explicit_host or $explicit_port);

…the access does not happen.
May 25, 2025 at 9:36 PM
Oh. psql is actually a symlink to /usr/share/postgresql-common/pg_wrapper.
Running that wrapper without an argument (exiting early) also leads to a /etc/shadow access attempt – and running the real psql binary (/usr/lib/postgresql/$VERSION/bin/psql) does not.
pg_wrapper is a Perl program.
May 25, 2025 at 9:36 PM
Without nscd running, /etc/passwd is read instead. /etc/nsswitch is read multiple times. Guess we are coming from a libc function.
Using ltrace -S (for logging library calls and syscalls) I get log entries that the shadow read attempt comes from within getspnam_r.
May 25, 2025 at 9:36 PM
In the environment where I'm responsible for security monitoring, your bwrap solution would lead to more audit log spam since we monitor mount syscalls.

I find this behavior curious – and I can reproduce it on a Debian/unstable box. Why does this happen?

If nscd is running, it is contacted before.
May 25, 2025 at 9:36 PM
New features and fixes include:
- New configuration option to filter events based on IP addresses, ports in SOCKADDR messages
- Bug fixes to avoid wrong/misleading SYSCALL.SCRIPT enrichments
April 23, 2025 at 4:59 PM
🐑
👊🇺🇸🔥

(that's how this works, right?)
March 26, 2025 at 10:12 PM
New features, fixes:
- Save state across restarts
- Apply labels for executables to processes found in /proc
- Fix parsing errors in some non-"enriched" messages
- Fix missing uid/gid translations
- More flexible permissions for log files
- SELinux, AppArmor policy updates
- Configurable build id
March 4, 2025 at 9:21 AM