Saturday, 08 March 2025

From OpenBSD to Linux: How Pledge can Enhance Linux Security

Imagine a scenario: you download a new binary called ls from the internet. The application could be intentionally malicious. Binary files are difficult to trust and run on a system. Running one could lead to a system hijacking attack, send your sensitive files and clipboard information to a malicious server, or interfere with the existing processes on your machine.

Wouldn't it be great if you had a tool to run and test the application within defined security parameters? As we all know, the ls command lists the files in the current working directory. So why would it require a network connection to operate? Does that make sense?

That’s where the tool, Pledge, comes in. Pledge restricts the system calls a program can make. Pledge is natively supported on OpenBSD systems. Although it isn’t officially supported on Linux systems, I’ll show you a cool hack to utilize pledge on your Linux systems.

🚧
As you can see, this is rather an advanced tool for sysadmins, network engineers and people in the network security field. Most desktop Linux users would not need something like this but that does not mean you cannot explore it out of curiosity.

What makes this port possible?

This is possible thanks to the remarkable work done by Justine Tunney. She is the core developer behind the Cosmopolitan Libc project.

Cosmopolitan acts as a bridge for compiling C programs for 7 different platforms (Linux + Mac + Windows + FreeBSD + OpenBSD 7.3 + NetBSD + BIOS) in one go.

Using Cosmopolitan Libc, she was able to port OpenBSD's pledge to Linux. Here's the nice blog post she wrote about it.

📋
A quick disclaimer: Just because you can compile a C program for 7 different platforms doesn't mean you will be able to run it successfully on all of them. You need to handle program dependencies as well. For instance, iptables uses Linux sockets, so you can't expect it to work magically on Windows systems unless you come up with a way to establish Linux socket networking on Windows.

Restrict system calls with Pledge

You might be surprised to know one single binary can run on 7 different platforms - Windows, Linux, Mac, FreeBSD, OpenBSD, NetBSD and BIOS.

These binary files are called Actually Portable Executables (APE). You can check out this blog for more information. These binary files have the .com suffix, which is necessary for them to work.

This guide will show how to use the pledge.com binary on your Linux system to restrict system calls while launching any binaries or applications.

Step 1: Download pledge.com

You can download pledge-1.8.com from the URL http://justine.lol/pledge/pledge-1.8.com.

You can rename the file pledge-1.8.com to pledge.com.

Step 2: Make it executable

Run this command to make it executable.

chmod +x ./pledge.com

Step 3: Add pledge.com to the path

A quick way to accomplish this is to move the binary to the standard /usr/local/bin/ location.

sudo mv ./pledge.com /usr/local/bin

Step 4: Run and test

pledge.com curl http://itsfoss.com

I didn't assign any permissions (called promises) to it, so it fails as expected. But it gives us a hint about which system calls the 'curl' binary requires when it is run.

With this information, you can see whether a program is requesting a system call that it should not. For example, a file explorer program asking for dns: is that normal?

Curl is a tool that deals with URLs and indeed requires those system calls.

Let's assign promises using the -p flag. I'll explain what each of these promises does in the next section.

pledge.com -p 'stdio rpath inet dns tty sendfd recvfd' \
curl -s http://itsfoss.com
📋
The debug message error:pledge inet for socket is misleading. A similar open issue even exists in the project's GitHub repo. It is evident that after providing the set of promises "stdio rpath inet dns tty sendfd recvfd" to our curl binary, it works as expected.

It successfully redirects to the HTTPS version of our website. Let's see whether, with the same set of promises, it can talk to HTTPS-enabled websites.

pledge.com -p 'stdio rpath inet dns tty sendfd recvfd' \
curl -s https://itsfoss.com
Yeah! It worked.

A quick glance at promises

In the above section, we used 7 promises to make our curl request successful. Here's a quick look at what each promise is intended for:

  • stdio: Allows reading and writing to standard input/output (like printing to the console).
  • rpath: Allows reading files from the filesystem.
  • inet: Allows network-related operations (for example, connecting to a server).
  • dns: Allows resolving DNS queries.
  • tty: Allows access to the terminal.
  • sendfd: Allows sending file descriptors.
  • recvfd: Allows receiving file descriptors.

To know what other promises are supported by the pledge binary, head over to this blog.

Porting OpenBSD pledge() to Linux
Sandboxing for Linux has never been easier.
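
The question raised earlier, whether a program is asking for more than it should, can be turned into a launch gate in front of pledge.com. This is an added example, not code from the article or from the pledge project: the functions `profile_for`, `excess_promises` and `pledge_run`, the `PLEDGE_BIN` override and the per-program profiles are hypothetical, and the ls profile is an assumption to confirm on your own system.

```bash
#!/usr/bin/env bash
# Added example (not from the article): refuse to launch a program under
# pledge.com when the requested promises exceed a reviewed profile.
# Function names, PLEDGE_BIN and the profiles below are hypothetical.

PLEDGE_BIN="${PLEDGE_BIN:-pledge.com}"   # assumed to be on PATH (Step 3)

# Reviewed promise set per program. Constructed samples: the curl set is the
# one used in the article; the ls set is an assumption to be confirmed by
# running ls under pledge.com yourself.
profile_for() {
    case "$1" in
        ls)   echo "stdio rpath tty" ;;
        curl) echo "stdio rpath inet dns tty sendfd recvfd" ;;
        *)    return 1 ;;
    esac
}

# Print the promises in $1 (requested) that are absent from $2 (allowed).
excess_promises() {
    excess=""
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;                              # within the profile
            *) excess="${excess:+$excess }$p" ;;      # over-privileged
        esac
    done
    printf '%s' "$excess"
}

# pledge_run PROGRAM 'PROMISES' [ARGS...]
# Returns 2 if PROGRAM has no profile, 3 if PROMISES exceed it; otherwise
# runs: pledge.com -p 'PROMISES' PROGRAM ARGS...
pledge_run() {
    prog=$1
    requested=$2
    shift 2
    if ! allowed=$(profile_for "$prog"); then
        echo "pledge_run: no reviewed profile for '$prog'" >&2
        return 2
    fi
    extra=$(excess_promises "$requested" "$allowed")
    if [ -n "$extra" ]; then
        echo "pledge_run: '$prog' requests promises outside its profile: $extra" >&2
        return 3
    fi
    "$PLEDGE_BIN" -p "$requested" "$prog" "$@"
}

# A file lister that asks for network promises is flagged:
echo "ls over-asks: $(excess_promises 'stdio rpath inet dns' "$(profile_for ls)")"
```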
Conclusion

OpenBSD's pledge follows the Least Privilege model. It prevents programs from misusing system resources. Following this security model, the damage done by a malicious application can be quite limited. Although Linux has seccomp and AppArmor in its security arsenal, I find pledge more intuitive and easier to use.

With Actually Portable Executable (APE), Linux users can now enjoy the simplicity of pledge to make their systems more secure. Giving users more granular control over what processes can do within these environments adds an extra layer of defense.

Author Info

Bhuwan Mishra is a Fullstack developer, with Python and Go as his tools of choice. He takes pride in building and securing web applications, APIs, and CI/CD pipelines, as well as tuning servers for optimal performance. He also has a passion for working with Kubernetes.



from It's FOSS https://ift.tt/axv94dl
via IFTTT

Wednesday, 05 March 2025

FOSS Weekly #25.10: Skype is Dead, GNOME 48 Features, Ubuntu Versions, Nano Guide and More Linux Stuff

Skype is being discontinued by Microsoft on 5th May.

Once a hallmark of the old internet, Skype was already dying a slow death. It just could not keep up with the competition from WhatsApp, Zoom, etc., despite Microsoft's backing.

While there are open source alternatives to Skype, I doubt if friends and family would use them.

I am not going to miss it, as I haven't used Skype in years. Let's keep it in the museum of Internet history.

Speaking of the old internet, Digg is making a comeback. 20 years back, it was the 'front page of the internet'.

💬 Let's see what else you get in this edition

  • VLC aiming for the Moon.
  • EA open sourcing its games.
  • GNOME 48 features to expect.
  • And other Linux news, tips, and, of course, memes!
  • This edition of FOSS Weekly is supported by ONLYOFFICE.

✨ ONLYOFFICE PDF Editor: Create, Edit and Collaborate on PDFs on Linux

The ONLYOFFICE suite now offers an updated PDF editor that comes equipped with collaborative PDF editing and other useful features.

You can deploy ONLYOFFICE Docs on your Linux server and integrate it with your favourite platform, such as Nextcloud, Moodle and more. Alternatively, you can download the free desktop app for your Linux distro.

Online PDF editor, reader and converter | ONLYOFFICE
View and create PDF files from any text document, spreadsheet or presentation, convert PDF to DOCX online, create fillable PDF forms.

📰 Linux and Open Source News

GNOME 48 is just around the corner, check out what features are coming:

Discover What’s New in GNOME 48 With Our Feature Rundown!
GNOME 48 is just around the corner. Explore what’s coming with it.

🧠 What We’re Thinking About

A German startup has published open source plans for its Nuclear Fusion power plant!

As per the latest desktop market share report, macOS usage has seen a notable dip on Steam.

🧮 Linux Tips, Tutorials and More

New users often get confused with so many Ubuntu versions. This article helps clear the doubt.

Explained: Which Ubuntu Version Should I Use?
Confused about Ubuntu vs Xubuntu vs Lubuntu vs Kubuntu? Want to know which Ubuntu flavor you should use? This beginner's guide helps you decide which Ubuntu you should choose.

👷 Homelab and Maker's Corner

As a Kodi user, you cannot miss out on installing add-ons and builds. We also have a list of the best add-ons to spice up your media server.

And you can easily use a virtual keyboard with Raspberry Pi.

Using On-screen Keyboard in Raspberry Pi OS
Here’s what you can do to use a virtual keyboard on Raspberry Pi OS.

✨ Apps Highlight

Facing slow downloads on your Android smartphone? Aria2App can help.

Aria2App is a Super Fast Versatile Open-Source Download Manager for Android
A useful open-source download manager for Android

lichess lets you compete with other players in online games of Chess.

📽️ Video I am Creating for You

How much does an active cooler cool down a Raspberry Pi 5? Let's find out in this quick video.

🧩 Quiz Time

For a change, you can take the text processing command crossword challenge.

Commands to Work With Text Files: Crossword
Solve this crossword with commands for text processing.

💡 Quick Handy Tip

You can play Lofi music in VLC Media Player. First, switch to the Playlist view in VLC by going to View → Playlist.

Now, in the sidebar, scroll down and select Icecast Radio Directory. Here, search for Lofi in the search bar.

Now, double-click on any Lo-fi channel to start playing. On the other hand, if you want to listen to music via the web browser, you can use freeCodeCamp.org Code Radio.

🤣 Meme of the Week

You didn't have to join the dark side, Firefox. 🫤


🗓️ Tech Trivia

In 1953, MIT's Whirlwind computer showcased an early form of system management software called "Director," developed by Douglas Ross. Demonstrated at a digital fire control symposium, Director automated resource allocation (like memory, storage, and printing), making it one of the earliest examples of an operating system-like program.

🧑‍🤝‍🧑 FOSSverse Corner

An important question has been raised by one of our longtime FOSSers.

Do we all see the same thing on the internet?
I think we all assume we are seeing the same content on a website. But do we? Read this quote from an article on the Australian ABC news “Many people are unaware that the internet they see is unique to them. Even if we surf the same news websites, we’ll see different news stories based on our previous likes. And on a website like Amazon, almost every item and price we see is unique to us. It is chosen by algorithms based on what we were previously wanting to buy and willing to pay. There is…

❤️ With love

Share it with your Linux-using friends and encourage them to subscribe (hint: it's here).

Share the articles in Linux Subreddits and community forums.

Follow us on Google News and stay updated in your News feed.

Opt for It's FOSS Plus membership and support us 🙏

Enjoy FOSS 😄



from It's FOSS https://ift.tt/25P4bKg
via IFTTT

Record Windows and Cropped Area in OBS Studio

When it comes to screen recording in Linux or any other operating system, OBS Studio becomes the go-to choice.

It offers all the features baked in for users, ranging from casual screen recorders to advanced streamers.

One such useful feature is to record a part of the screen in OBS Studio. I'll share the detailed steps for Linux users in this tutorial.

🚧
The method mentioned is based on a Wayland session. Also, this is a personal workflow, and if readers have better options, feel free to comment, so that I can improve the article for everyone.

Record an application window in OBS Studio

Before starting, first click on File → Settings from OBS Studio main menu. Here, in the Settings window, go to the Video section and note the Canvas resolution and Output scale resolution for your system.

Note Canvas and Output Scale values

This will be helpful when you are reverting in a later step.

Step 1: Create a new source

First, let's create a new source for our recording. Click on the “+” icon on the OBS Studio home screen as shown in the screenshot below. Select the “Screen Capture (Pipewire)” option.

📋
For an X11 system, this may be Display Capture (XSHM).
Click on "+" to add a new source

On the resulting window, give a name to the source and then click OK.

Give a name to the source

Once you press OK, you will be shown a dialog box to select the record area.

Step 2: Select the window to record

Here, select the Window option from the top bar.

Select the window to be recorded.

Once you click on the Window option, you will be able to see all the open windows listed. Select a window that you want to record from the list, as shown in the screenshot above.

This will give you a dialog box, with a preview of the window being recorded.

Enable the cursor recording (if needed) and click OK.

Selected window in preview

Step 3: Crop the video to window size

Now, in the main OBS window, you can see that the application you have selected is not filling the full canvas, in my case 1920×1080.

Empty space in canvas

The output will contain this window and the rest of the canvas in black if you keep recording with this setting.

You need to crop the area so that only the necessary part is present on the output file.

For this, right-click on our source and select the Resize Output (Source Size) option, as shown below:

Resize output source size

Click on Yes, when prompted.

Accept Confirmation

As soon as you click Yes, you can see that the canvas is now reduced to the size of the window.

Canvas Resized

Step 4: Record the video

You can now start recording the video using the Record button.

Start video recording

Once finished, stop recording, and the saved video file won't contain any other part, except the window.

Step 5: Delete the video source

Now that you have recorded the video, let's remove this particular source.

Right-click on the source and select Remove.

Remove the source

Step 6: Revert the canvas and output scale

While we were resizing the canvas to the window, the setting was also changed in your OBS Studio video settings. If left unchanged, your future videos will also be recorded with the reduced size.

So, click on File in the OBS Studio main menu and select Settings.

Click on File → Settings

On the Settings window, go to Video and revert the Base Canvas Resolution and Output Scaled Resolution to your preferred normal values. Then click Apply.

Revert Canvas Size to normal

Record an area on the screen in OBS Studio

This is the same process as the one described above, except for the area selection.

Step 1: Create a new source

Click on the plus button on the Sources section in OBS Studio and select Screen Capture.

Select Screen Capture

Name the source and click OK.

Step 2: Select a region

On the area selection dialog box, click on Region. From that section, select the Select Region option.

Select Region

Notice the cursor has now changed to a plus sign. Drag the area you want to record.

Select Area to Record

You can see that the preview now has the selected area. Don't forget to enable the cursors, if needed.

It is normal that the canvas is way too big and your video occupies only a part of it.

Canvas Size Mismatch

Step 3: Resize the source

As in the previous section, right-click on the source and select the Resize Output option.

Resize Output to Area Capture

Step 4: Record and revert the settings

Start recording the video. Once it is completed, save the recording and remove the source. Revert the canvas and output scale settings, as shown in step 6 of the previous section.

💬 Hope this guide has helped you record with OBS Studio. Please let me know if this tutorial helped you or if you need further help.



from It's FOSS https://ift.tt/TZV0OX8
via IFTTT

Tuesday, 04 March 2025

Using On-Screen Keyboard in Raspberry Pi OS

From kiosk projects to homelab dashboards, there are numerous uses for a touch screen display with Raspberry Pi.

And it makes total sense to use the on-screen keyboard on the touch device rather than plugging in a keyboard and mouse.

Thankfully, the latest versions of Raspberry Pi OS provide a simple way to install and use the on-screen keyboard.

On-screen keyboard on Raspberry Pi

Let me show how you can install the on-screen keyboard support on Raspberry Pi OS.

📋
I am using the DIY Touchscreen by SunFounder (partner link). It's an interesting display that is also compatible with other SBCs. I'll be doing its full review next week. The steps should also work on other touch screens, too.
SunFounder Latest 10 Inch DIY Touch Screen All-In-One Solution for Raspberry Pi 5, IPS HD 1280x800 LCD, Built-In USB-C PD 5.1V/5A Output, HDMI, 10-point, No Driver, Speakers, for RPi 5/4/3/Zero 2W
This SunFounder Touch Screen is a 10-point IPS touch screen in a 10.1″ big size and with a high resolution of 1280x800, bringing you perfect visual experience. It works with various operating systems including Raspberry Pi OS, Ubuntu, Ubuntu Mate, Windows, Android, and Chrome OS.

Partner Link

Just check if you already have the on-screen keyboard support

Raspberry Pi OS Bookworm and later versions include the Squeekboard software for the on-screen keyboard feature.

Now, this package may already be installed by default. If you open a terminal and touch the interface and it brings the keyboard, you have everything set already.

It is also possible that it is installed but not enabled.

Go to the menu, then Preferences and open Raspberry Pi config tool. In the display tab, see if you can change the settings for the on-screen keyboard.

On-screen keyboard support already installed on Raspberry Pi

If you tap the on-screen keyboard settings and it says, "A virtual keyboard is not installed", you will have to install the software first. The next section details the steps.

Virtual Keyboard is not installed

Getting on-screen keyboard in Raspberry Pi OS Bookworm

🚧
You'll need a physical keyboard and mouse for installing the required package. If you cannot connect one, you could try to SSH into the Pi.

Update the package cache of your Raspberry Pi first:

sudo apt update

The squeekboard package provides the virtual keyboard in Debian. Install it using the command below:

sudo apt install squeekboard

Once installed, click on the menu and start Raspberry Pi Configuration from the Preferences.

Access Raspberry Pi Configuration

In the Raspberry Pi Configuration tool, go to the Display tab and touch it.

You'll see three options:

  • Enabled always: The on-screen keyboard will always be accessible through the top panel, whether you are using a touchscreen or not.
  • Enabled if touchscreen found: The on-screen keyboard is only accessible when it detects a touchscreen.
  • Disabled: Virtual keyboard won't be accessible at all.

Out of these three, you'll be tempted to go for the 'Enabled if touchscreen found'.

However, it didn't work for me. I opted for Enabled always instead.

But not all applications will automatically bring up the on-screen keyboard. In my case, Chromium didn't play well. Thankfully, the on-screen keyboard icon in the top panel lets you access it at will.

Virtual keyboard comes up for supported application but it is also accessible from top panel

And this way, you can enjoy the keyboard on a touchscreen.

Conclusion

For older versions of Raspberry Pi OS, you could also go with the matchbox-keyboard package.

sudo apt install matchbox-keyboard

Since Squeekboard is for Wayland, perhaps Matchbox will work on the Xorg display server.

The official documentation for SunFounder's touchscreen mentions that Squeekboard is installed by default in Raspberry Pi OS, but that was not the case for me.

Installing it was a matter of one command and then the virtual keyboard was up and running. This is tested on Raspberry Pi OS but since Squeekboard is available for Wayland in general, it might work on other operating systems, too.

💬 Did it work for you? If yes, a simple 'thank you' will encourage me. If not, please provide the details and I'll try to help you.



from It's FOSS https://ift.tt/qFSl4j3
via IFTTT