everywhere.fraudulent.link is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description
another fucking kait instance
Admin email
kait@azumanga.gay
Admin account
@gigalomaniac@everywhere.fraudulent.link

Search results for tag #security

Baa »
@Baa@mk.absturztau.be

The way Gitlab, Forgejo, Gitea etc. use the server-side SSH server to accept pushed data over SSH relies on a system user called git having SSH access. (or forgejo in their case).

Access is granted by the standard authorized_keys inside ~/.ssh, which for forgejo means /var/lib/forgejo/.ssh/authorized_keys. When a user adds an SSH key to their account, it's added to this authorized_keys file.

I really hate this, this means that any user of Forgejo is only inches away from having full shell access. The default shell of the forgejo user is /bin/bash, it exists inside of /etc/passwd:

forgejo:x:122:130:Forgejo (Beyond coding. We forge.):/var/lib/forgejo:/bin/bash
I really really hate this. The only thing preventing random users of Forgejo having shell access is the default command of the SSH session as stipulated by the authorized_keys entry, this is what it looks like:
command="/usr/bin/forgejo --config=/etc/forgejo/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgnZeNC4fMCXYuWxir7NlKts9Zj4sYZZJzzHh4IyTm2 Baa-New

This is technically secure, there is no publicly known way of bypassing this and gaining shell access by adding your own SSH key to forge and SSHing into the server as the forgejo user. It will immediately disconnect you, and if you try submitting any specific command you'll receive Disallowed command.

But still, I really really really hate this. We're just one tiny misconfiguration, one minuscule exploit away from granting all forgejo users shell access into the server ​

Imagine for example, you were hosting a Minecraft server on Windows. And to grant a user access to it, you had to create them a Windows User inside control userpasswords2 and then explicitly disallow them RDP access. That RDP config is the only thing preventing them for remoting straight into your server. This si what it feels like, I can't help but wish SSH was entirely separate from everything else going on here.

Which is exactly what Forgejo's own built-in SSH server does, I'll enable that and move it to a different port, because I'm too scared otherwise, and my server's not even public, and I haven't even started with Runners yet, those scare me even more ​

Feel free to correct me if I'm wrong, or add your own insights I'd like to know more about this mentality

    🗳

    tortoise »
    @tortoise@wetdry.world

    Is removing access to older releases for the sake of security actually being secure or is it more of a "security through obscurity" thing?

    GrapheneOS doesn't have an archive of their releases and when I asked about it someone said it's for "security reasons"

    I don't know if they're associated with the project, but they're in the GrapheneOS discord.

    Real Security:0
    Security Through Obscurity:0
      4 ★ 4 ↺

      gigalomaniac (apathetic mode) »
      @gigalomaniac@everywhere.fraudulent.link

      this is so and their are a stain on the ecosystem we all need to to i also think we need to go back to instead of this so called because we need to with our whos with me


        4 ★ 4 ↺

        gigalomaniac (apathetic mode) »
        @gigalomaniac@everywhere.fraudulent.link

        this is so and their are a stain on the ecosystem we all need to to i also think we need to go back to instead of this so called because we need to with our whos with me


          about this site - powered by snac