Follow your curiosity

I was listening to Guy Raz give his farewell address on the TED Radio Hour, and he mentioned this as one of his most impactful guests. I would have to agree: this is great advice.

… one of the things I’ve been saying a lot to people is that we keep telling people to follow their passion. And I feel like that can be an intimidating and almost cruel thing to say to people at times because first of all, if somebody has one central, powerful, burning passion, they’re probably already following it because that’s sort of the definition of passion – is that you don’t have a choice. If you don’t – which is a lot of people, have one central, burning, passion and somebody tells you to follow your passion, I think you have the right to give them the finger (laughter) because it just makes you feel worse.

And so I always say to people, forget it. Like, if you don’t have an obvious passion, forget about it. Follow your curiosity because passion is sort of a tower of flame that is not always accessible. And curiosity is something that anybody can access any day. Your curiosity may lead you to your passion or it may not. It may have been for, air quotes, nothing, in which case all you’ve done your entire life is spend your existence in pursuit of the things that made you feel curious and inspired and that should be good enough. Like, if you get to do that, that’s a wonderful way to spend your time here.

Warning: RH-Sharpe’s Rootkit

Problem: You ran rkhunter -c on your CentOS-powered web server and it found something called “RH-Sharpe’s Rootkit”.

I was cleaning up a minor infection on a WordPress site that Wordfence identified. (The irony is not lost on me.) Once I’d verified all the files in WordPress and checked the logs to see whether the files had been accessed, I also ran ClamAV and rkhunter just to make sure. rkhunter alerted me to something called “RH-Sharpe’s Rootkit”. 💩 💩 💩

keep calm and check the logs
Always good advice.

The rkhunter log is usually found at “/var/log/rkhunter/rkhunter.log”.
It offers more detail on why a specific alert was generated.

 ....
 [08:15:25] Checking for RH-Sharpe's Rootkit…
 [08:15:25]   Checking for file '/bin/lps'                    [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lpstree'            [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/ltop'               [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lkillall'           [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/ldu'                [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lnetstat'           [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/wp'                 [ Found ]
 [08:15:26]   Checking for file '/usr/bin/shad'               [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/vadim'              [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/slice'              [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/cleaner'            [ Not found ]
 [08:15:26]   Checking for file '/usr/include/rpcsvc/du'      [ Not found ]
 [08:15:26] Warning: RH-Sharpe's Rootkit                      [ Warning ]
 [08:15:26]          File '/usr/bin/wp' found
 ....

So in this case, it alerted because it found an executable called “wp”. If you’re a WordPress user, stand down: this is the WordPress command line tool (WP-CLI).
It’s a text file. Have a look at it to make sure, but it’s not something to freak out about.

When I googled for this error, almost nothing came up except for this. It appears that “/usr/bin/slice” is also a common trigger for this warning.
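To make the “look at the log, then look at the file” check repeatable, here is an added example (not part of the original post) that pulls every path rkhunter marked [ Found ] out of the log and classifies each hit; it generalizes to any file in the RH-Sharpe list (wp, slice or otherwise). The log excerpt is constructed to mirror the lines above, and the rpm check assumes an RPM-based system like the CentOS box in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed rkhunter.log excerpt
# mirroring the entries shown above; used when no real log is present.
RKH_SAMPLE="[08:15:25]   Checking for file '/usr/bin/lnetstat'           [ Not found ]
[08:15:25]   Checking for file '/usr/bin/wp'                 [ Found ]
[08:15:26]   Checking for file '/usr/bin/slice'              [ Not found ]
[08:15:26] Warning: RH-Sharpe's Rootkit                      [ Warning ]
[08:15:26]          File '/usr/bin/wp' found"

# Print each path that rkhunter marked [ Found ] in a rootkit file check.
found_files() {
    printf '%s\n' "$1" | sed -n "s/.*Checking for file '\([^']*\)' *\[ Found \].*/\1/p"
}

# Classify one hit: "missing" if it is gone, "package:<rpm>" if a package owns
# it, "script" if it starts with a shebang (WP-CLI's phar does), else "binary".
classify_hit() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 0; }
    if owner=$(rpm -qf "$path" 2>/dev/null); then
        echo "package:$owner"
        return 0
    fi
    case "$(head -c 2 "$path")" in
        '#!') echo "script" ;;
        *)    echo "binary" ;;
    esac
}

# Report every hit from a real log; falls back to the constructed sample.
report_hits() {
    log="${1:-/var/log/rkhunter/rkhunter.log}"
    if [ -r "$log" ]; then text=$(cat "$log"); else text="$RKH_SAMPLE"; fi
    for f in $(found_files "$text"); do
        echo "$f: $(classify_hit "$f")"
    done
}
```

A “script” result is only a first cut: still open the file and confirm it is the WP-CLI phar you installed. Once you are satisfied, RTKT_FILE_WHITELIST in rkhunter.conf lets you whitelist that path so the next scan stays quiet.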

Hopefully this will be useful to the next person who googles for this term mid-panic as I did earlier today.

Please stop the FUD about WordPress.

I came across this posting from a web services company with a brief comparison of different CMS options.

Craft — Very secure

WordPress — Can be difficult to secure properly (frequent vulnerabilities due to popularity)

Drupal — Very secure

Clients and co-workers come in with this “WordPress is insecure” opinion largely because of misinformed opinions from “experts”.

Better summaries of their security would be:
Craft – So far, secure with regular updates and careful plug-in selection.
WordPress – Secure with regular updates and careful plug-in selection.
Drupal – Secure with regular updates and careful plug-in selection.

Let’s look into that a little bit, shall we?

Craft CMS
They do list all the security best practices they engage in, which is great.
The Common Vulnerabilities and Exposures database has 11 reported issues for “Craft CMS” since 2017, 3 of them in 2019. It doesn’t look like they engage in any kind of project-level security review of the code. While I’d say that, given that low number of issues, it probably deserves to be called “secure”, more expert eyes looking in on a regular basis would be better.
They do benefit from the efforts of the Yii2 project it’s built on and aren’t likely to experience issues with any of its components. It’s a smaller ecosystem than, say, Symfony, but still relevant.

WordPress
A quick search of the CVE database shows that plug-ins and themes account for 99% of all WordPress-related vulnerabilities. WordPress core had 11 reported vulnerabilities in 2019. WordPress core has a security team which reviews its code base, but its active user community reported most of those, not the security team. The push-button nature of WordPress updates is its greatest feature. I’d have no trouble trusting a client to apply updates to their site, which to me means it’s likely more secure than the other options.

Drupal
I’d argue that Drupal is less secure than WordPress.
11 vulnerabilities were reported in Drupal in 2019. Plug-ins are also the majority of their issues. Drupal also has a security team which is constantly reviewing its code base and its most popular plug-ins. With version 8, they’ve chosen to use standard components provided by the Symfony project, which should eliminate a lot of their potential security issues with core components. Updates are still a pain point, although it’s much better in version 8. Updates are often more complicated than pushing the “update” button, and I’d wager that your average client isn’t going to do that very often.

And while we’re on the topic.
The section on “License” is misleading.

Craft is offered under the “Craft” license. It is proprietary open-source software.
You can’t run it without a license, and should Pixel & Tonic go out of business, you won’t be able to run Craft.
(Granted, that will likely never happen, but it could.)

WordPress and Drupal are licensed under the GPLv2. This is free (as in freedom) open-source software which can be used for derivative works.
https://wordpress.org/about/license/
https://www.drupal.org/about/licensing

I likely put more thought into this posting than the original author. I understand the demands of making materials accessible to a client, but I’m also tired of folks bagging on WordPress. I love PHP and, for better or worse, WordPress is really why we’re still talking about PHP in 2020.

Stepping down from the soapbox now.

Gogs/Gitea Fix Critical API Auth Bypass

I subscribe to updates from the forums and wasn’t alerted to this critical issue.

Manasseh Zhou reported a critical session bypass issue in the go-macaron framework which impacts Gogs 0.11.86 @ 2019-01-30 and Gitea < 1.5.4.
Because of missing access checks, an attacker can log into any account and run arbitrary commands on an affected server.

This was reported as CVE-2018-18926 and CVE-2018-18925.
Manasseh provides a detailed breakdown of the issue on his site.

Gogs and Gitea users should update immediately to the latest release.

On a side note, I’m concerned about the timeline here. This issue was first reported to the Gogs project in late 2018 and opened as a GitHub issue in Aug. 2019, which finally got the attention of unknwon, and it was resolved two days later. Gitea fixed this issue in Oct. 2018.
I will be looking into other tools for internally hosting our git repositories.

Using PHP Composer with Red Hat Software Collections

Software Collections make running more than one version of PHP on the same server pretty painless, but it does take some getting used to.

PHP has lots of command line tools which assume that php is available in the environment, which isn’t the case by default in an SCL environment.

Assumptions

  • You’re using Red Hat or CentOS 7.
  • PHP 7.2 is installed via Software Collections (rh-php72).
  • PHP Composer’s “composer.phar” is downloaded to “/opt/php-composer/”.

Here is a little bash script to work around this quirk of SCL packages.

#!/bin/bash

# Choose which SCL package we want to use; this puts the collection's php on PATH.
source scl_source enable rh-php72

# Pass all shell arguments through to composer, replacing this shell process.
exec php /opt/php-composer/composer.phar "$@"

Save this as “composer”, make it executable (chmod +x composer) and move it into the “/usr/local/bin/” folder.

This trick also works for cron jobs which need a specific version of php to run.
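As an added example (not the post’s wrapper), here is a generalized version that runs any command inside a named collection and fails loudly when the collection is not installed, which is what you want from cron where nothing is enabled by default. It assumes the standard SCL layout /opt/rh/<collection>/enable, which is the file scl_source enable sources; SCL_ROOT is a hypothetical override for testing.

```shell
#!/bin/bash
# Added example, not the post's script: run a command inside a Software
# Collection, e.g. from cron. Assumes the usual SCL layout
# /opt/rh/<collection>/enable; SCL_ROOT is an override for testing.
SCL_ROOT="${SCL_ROOT:-/opt/rh}"

scl_run() {
    if [ "$#" -lt 2 ]; then
        echo "usage: scl_run <collection> <command> [args...]" >&2
        return 64
    fi
    coll="$1"; shift
    enable_file="$SCL_ROOT/$coll/enable"
    if [ ! -r "$enable_file" ]; then
        echo "scl_run: collection '$coll' is not installed ($enable_file missing)" >&2
        return 2
    fi
    # Source the collection's enable file in a subshell so the caller's PATH and
    # LD_LIBRARY_PATH stay untouched, then run the command with its arguments.
    ( . "$enable_file" && "$@" )
}

# When saved as /usr/local/bin/scl_run, a cron entry can pin the PHP version:
#   */30 * * * * /usr/local/bin/scl_run rh-php72 php /opt/php-composer/composer.phar install
if [ "$#" -gt 0 ]; then
    scl_run "$@"
fi
```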