{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"兩個熊孩子,引發了一場“口水”大戰。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"兩個孩子在父親的電腦上玩耍時,不經意間發現了一種能繞過 Linux 屏保程序並鎖定系統的方法。這是個漏洞,可能允許惡意攻擊者繞過操作系統的屏保程序及密碼,訪問本應鎖定的桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一位暱稱 robo2bobo 的用戶在 GitHub 上的 bug 報告寫道,“幾周之前,孩子們打算訪問我的 Linux 桌面。而我就站在他們身後,看着他們到處亂按亂拍。”兩個孩子在物理與軟鍵盤上同時按下隨機按鍵,最終導致 Linux Mint 屏保程序崩潰、他們得以直接訪問桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這位程序員爸爸很驚訝,於是他讓孩子們再試一次,沒想到居然成功了,“我本來以爲這只是個偶然事件,但孩子們後來又把問題重現了。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當天晚上,他到 Linux Mint 的 GitHub 頁面上反饋了這一 bug。沒想到的是,馬上就有其他網友表示在同樣的桌面環境下,“他的孩子”也遇到了同樣的問題…"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Linux Mint 首席開發者 Clement Lefebvre 經過一番研究,表示:“這是一個高優先級的錯誤,需要儘快修復。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Bug 來源:OSK 上的Ē鍵"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最開始,開發人員花了一天多時間,想復現問題,但實際情況並沒那麼容易:“自昨天以來,我們一直無法在此處重現崩潰。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/c4\/c4473923ce96d57f2319cfc88687ccdd.gif","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"網友想象開發人員如何試圖重現錯誤"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據 Clement 的介紹,問題最終被歸因於 libcaribou,即 Linux Mint 中使用的桌面界面 Cinnamon 所隨附的軟鍵盤(OSK)組件。具體來講,當用戶按下軟鍵盤上的“ē”鍵時,此 bug 即會被觸發。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在大多數情況下,這個 bug 應該會導致 Cinnamon 桌面進程崩潰;但如果在屏保程序下打開軟鍵盤,則 bug 會引發屏保崩潰,於是用戶即可訪問底層桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Lefebvre 表示,去年 10 月 Linux Mint 系統曾着手修復 CVE-2020-25712 漏洞,卻在不經意間引入了這個新的 bug。從那時起,所有使用 Cinnamon 4.2 以及更高版本的 Linux Mint 發行版都會受到這一繞過攻擊的影響。這是因爲從 Cinnamon 4.2 起,系統開始將軟鍵盤功能添加至屏保頁當中。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"程序員大神 JWZ:I TOLD YOU!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於這個 bug 的討論,吸引來了傑米·扎溫斯基(Jamie Zawinski),對此他專門發表了一篇文章,表示他 17 年前就警告過 Cinnamon 和 GNOME 官方:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“如果沒有在 Linux 上運行 XScreenSaver,那麼可以你的屏幕就相當於沒有鎖定。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/f3\/f3a0c60b68f481785e96097b0013eb42.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"文章配了一段閃瞎眼睛的“I TOLD YOU”視頻"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出生於 1968 年的傑米·扎溫斯基,英文簡稱爲 JWZ,是《黑客帝國》中 MATRIX 矩陣的設計者。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"他同時也是 Netscape 瀏覽器的主要設計者,出生於匹茲堡,中學沒有畢業,就已經是一個天才程序員,15 歲開始在卡耐基梅隆大學做 Lisp 研發。90 年代初,他去了加州,加入著名的網景:“早在你聽說過 Netscape 之前,我就已經負責開發 Netscape Navigator 1.1 的 UNIX 版本了。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2004 年,JWZ 首次警告說他遇到了 Linux Mint 的漏洞,之後每隔幾年,JWZ 都會遇到此類 bug。每出現一次,就吐槽一次。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CVE-2019-3010,從 Oracle Solaris 屏幕保護程序可以獲得特殊權限升級;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CVE-2014-1949, MDVSA-2015:162:在 Cinnamon 屏幕保護程序中按菜單鍵,再按 ESC 鍵,就可以進入 shell;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"按住向下鍵,解鎖 Cinnamon 屏幕保護程序;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"按住回車鍵,解鎖 GNOME 屏幕保護程序。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 說,早在 17 年前,他甚至還準確提到過這個崩潰 bug,用來解釋“如果不按設計思路操作,會發生什麼問題”,可是每次 Linux Mint 都回復說“已經修復了”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 認爲,“糟糕的安全性比沒有安全性還差”,因爲現在的 Linux 圖形化界面根基 X11 存在着不可修復的嚴重問題:鎖定和身份驗證是操作系統級別的問題;X11 體系結構的這一錯誤永遠無法修復。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後還說:“我很關注他們打算如何解決這個問題。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Linux Mint 還擊:你行你上,別 BB!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然 Linux Mint 在本週三發佈了相關補丁,可以解決此項 bug 並有效預防潛在崩潰,但 JWZ 所說的話,可氣壞 Lefebvre 了。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/5f\/5f60b564411b3f615475b8dcd592faf8.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"看熱鬧不嫌事大的網友,之前特地將 JWZ 的博客網址發到了 GitHub 的 bug 報告下,還 at 了相關維護人員。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Lefebvre 在 GitHub 頁面上回應 JWZ:“寫篇文章大加嘲諷沒有任何意義。我建議你把自己的口嗨變成行動… 我希望你能在真正參與工作的 6 個月之後再寫封郵件,告訴我們‘這裏還有問題,原因是一、二、三……’,或者直接給我們設計出一套又美觀易用、又安全穩定的 locker。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":12}},{"type":"strong"}],"text":"然後逐條反駁了 JWZ 的批評:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"早在 2004 年,也就是 17 年前,我已經在文檔中解釋過自己在 XScreenSaver 中做出的設計權衡。我甚至還準確提到過這個崩潰 bug,用來解釋“如果不按設計思路操作,會發生什麼問題”。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"老哥,要讓別人重視你的意見,還是得更務實一點。這就像我 17 年前提醒你“別出門,可能會遇上車禍。”到了真出事的時候,再告訴參加葬禮的朋友們“我早跟他說過了。”問題是,講這些有意義嗎?該出門還得出,該上高速還是得上,生活本來就沒那麼安全。用戶只是想要漂亮的屏保,我們也在努力滿足大家的要求。這裏要請 JWZ 老兄想想,要在設計中把安全性與豐富性結合起來究竟有多困難。我們早該在設計中考慮這個問題?對,漂亮話誰都會說。重點在於,當時我們的目標是給用戶提供漂亮的屏保,哪顧得上那麼多?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"哪怕是 light-locker 與 KDE 本身,在實際效果上也比 JWZ 的設想更靠譜,至少其在滿足安全保障的同時,爲用戶需求給出了一種解決方案。我們最初發布 light-locker 時,並沒發現這類問題。因爲當時我們大多使用 gnome-scrensaver 及 mate-screensaver 替代 xscreensaver。換句話說,我們接受了 xscreensaver 存在安全缺陷這個事實,並在發佈 light-locker 時幾乎忘了這回事。很遺憾,bug 就這麼被保留了下來。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在編寫 cinnamon-screensaver 時,本意是用它來替換掉 gnome 屏保程序。很可惜,我們還是沒想起修復 bug。畢竟那時候我們連 light-locker 都沒考慮進來,更何況是 xscreensaver 呢。於是乎,就引發了這次的問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實這類問題總會出現,反反覆覆出現。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這就是現實,不管接不接受,這就是現實。JWZ 老哥好像不太明白這一點——你不可能禁止人們做自己想做的事兒,比如出於安全考慮不讓他們過馬路。哪怕有人總在提醒,除了讓他們心煩之外,不會對交通安全有任何幫助。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"每次 bug 出現,都回復說“這的確是個 bug,但他們已經修復了”。這是不對的,問題是這不應該是個 bug。真正的原因是系統設計的問題。設計系統安全架構的人,不應該採取讓安全失效的方式。這是不合理的。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"可以看到,GNOME 團隊已經從頭開始進行項目重寫(我不太清楚他們在重寫階段用了什麼設計),我們也有類似的計劃。沒錯,我們犯了前人曾經犯過的錯誤,最後問題出現給了我們當頭一棒。但糾結於過去真的沒什麼意思,最重要的是怎麼避免問題再次出現。我們決定在開發路線圖上把歡迎程序和鎖定程序區分開來,這一點將在 5.0 版本中有所體現。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"極盡嘲諷之能事的博文確實容易吸引眼球,也能讓我們意識到問題所在。但我們的關注重點永遠應該放在代碼本身(不只是 gnome-screensaver 或者其他已經發布的上游代碼,而是整個項目中的代碼),有了問題就做做審覈,項目不就是這麼發展完善的嗎?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 雖然提出了問題,但沒有給出任何解決方案。就個人來說,我認爲無論是在安全層面還是功能層面,light-locker 與 KDE 應該都是目前最好的方案選項。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出於種種原因,這個 bug 會在其他屏保鎖定程序中不斷出現。編寫安全代碼其實非常困難,大部分開發者其實根本不做不到。鎖定與身份驗證都是操作系統層級的問題。X11 架構中的這個問題永遠無法修復。我得承認,這些 bug 值得高度重視——因爲安全性差比沒有安全保障還可怕。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我對以上內容深表贊同。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更讓人生氣的,在於開發 XScreenSaver 鎖屏程序毫無樂趣可言。我一點興趣也沒有,添加這項功能單純只是爲了滿足用戶需求。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實大多數朋友都像我一樣,都不願親自參與安全保護工作。作爲開發者,誰不想弄點酷炫的功能出來呢?而安全實際是在束縛自己,一個個查缺補漏,防止惡意人士破壞整個系統。這很重要,但沒有樂趣。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"唉……"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"XScreenSaver 是個了不起的項目,幫助用戶解決了現實需求。作爲其 fork 的 gnome-screensaver 也是一樣,多年來始終服務於用戶羣體。所以雖然曝出一些安全隱患,但項目開發者已經明確解釋了他們爲什麼要做出這樣的選擇與權衡。所以我覺得沒必要抱怨——發現了問題,就解決問題嘛。我們還會更進一步。JWZ 的反饋對我們來說相當於一股反向推進,也更堅定了我們“如非必要,勿增實體”的基本開發理念。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但我還是想對 JWZ 老哥說一句,單靠說漂亮話解決不了實際問題。最好的辦法,就是我們攜手建立一條最安全的道路。是的,不要抱怨、別總強調什麼“我早說過”,加入到代碼審計中來、加入到功能開發中來,做個能解決問題的人。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"延伸閱讀:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.jwz.org\/blog\/2021\/01\/i-told-you-so-2021-edition\/","title":"","type":null},"content":[{"type":"text","text":"https:\/\/www.jwz.org\/blog\/2021\/01\/i-told-you-so-2021-edition\/"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/github.com\/linuxmint\/cinnamon-screensaver\/issues\/354","title":"","type":null},"content":[{"type":"text","text":"https:\/\/github.com\/linuxmint\/cinnamon-screensaver\/issues\/354"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
程序員大神JWZ和Linux Mint幹起來了:一個Bug引起的“口水仗”
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"兩個熊孩子,引發了一場“口水”大戰。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"兩個孩子在父親的電腦上玩耍時,不經意間發現了一種能繞過 Linux 屏保程序並鎖定系統的方法。這是個漏洞,可能允許惡意攻擊者繞過操作系統的屏保程序及密碼,訪問本應鎖定的桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一位暱稱 robo2bobo 的用戶在 GitHub 上的 bug 報告寫道,“幾周之前,孩子們打算訪問我的 Linux 桌面。而我就站在他們身後,看着他們到處亂按亂拍。”兩個孩子在物理與軟鍵盤上同時按下隨機按鍵,最終導致 Linux Mint 屏保程序崩潰、他們得以直接訪問桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這位程序員爸爸很驚訝,於是他讓孩子們再試一次,沒想到居然成功了,“我本來以爲這只是個偶然事件,但孩子們後來又把問題重現了。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當天晚上,他到 Linux Mint 的 GitHub 頁面上反饋了這一 bug。沒想到的是,馬上就有其他網友表示在同樣的桌面環境下,“他的孩子”也遇到了同樣的問題…"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Linux Mint 首席開發者 Clement Lefebvre 經過一番研究,表示:“這是一個高優先級的錯誤,需要儘快修復。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Bug 來源:OSK 上的Ē鍵"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最開始,開發人員花了一天多時間,想復現問題,但實際情況並沒那麼容易:“自昨天以來,我們一直無法在此處重現崩潰。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/c4\/c4473923ce96d57f2319cfc88687ccdd.gif","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"網友想象開發人員如何試圖重現錯誤"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據 Clement 的介紹,問題最終被歸因於 libcaribou,即 Linux Mint 中使用的桌面界面 Cinnamon 所隨附的軟鍵盤(OSK)組件。具體來講,當用戶按下軟鍵盤上的“ē”鍵時,此 bug 即會被觸發。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在大多數情況下,這個 bug 應該會導致 Cinnamon 桌面進程崩潰;但如果在屏保程序下打開軟鍵盤,則 bug 會引發屏保崩潰,於是用戶即可訪問底層桌面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Lefebvre 表示,去年 10 月 Linux Mint 系統曾着手修復 CVE-2020-25712 漏洞,卻在不經意間引入了這個新的 bug。從那時起,所有使用 Cinnamon 4.2 以及更高版本的 Linux Mint 發行版都會受到這一繞過攻擊的影響。這是因爲從 Cinnamon 4.2 起,系統開始將軟鍵盤功能添加至屏保頁當中。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"程序員大神 JWZ:I TOLD YOU!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於這個 bug 的討論,吸引來了傑米·扎溫斯基(Jamie Zawinski),對此他專門發表了一篇文章,表示他 17 年前就警告過 Cinnamon 和 GNOME 官方:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“如果沒有在 Linux 上運行 XScreenSaver,那麼可以你的屏幕就相當於沒有鎖定。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/f3\/f3a0c60b68f481785e96097b0013eb42.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"文章配了一段閃瞎眼睛的“I TOLD YOU”視頻"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出生於 1968 年的傑米·扎溫斯基,英文簡稱爲 JWZ,是《黑客帝國》中 MATRIX 矩陣的設計者。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"他同時也是 Netscape 瀏覽器的主要設計者,出生於匹茲堡,中學沒有畢業,就已經是一個天才程序員,15 歲開始在卡耐基梅隆大學做 Lisp 研發。90 年代初,他去了加州,加入著名的網景:“早在你聽說過 Netscape 之前,我就已經負責開發 Netscape Navigator 1.1 的 UNIX 版本了。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2004 年,JWZ 首次警告說他遇到了 Linux Mint 的漏洞,之後每隔幾年,JWZ 都會遇到此類 bug。每出現一次,就吐槽一次。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CVE-2019-3010,從 Oracle Solaris 屏幕保護程序可以獲得特殊權限升級;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CVE-2014-1949, MDVSA-2015:162:在 Cinnamon 屏幕保護程序中按菜單鍵,再按 ESC 鍵,就可以進入 shell;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"按住向下鍵,解鎖 Cinnamon 屏幕保護程序;"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"按住回車鍵,解鎖 GNOME 屏幕保護程序。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 說,早在 17 年前,他甚至還準確提到過這個崩潰 bug,用來解釋“如果不按設計思路操作,會發生什麼問題”,可是每次 Linux Mint 都回復說“已經修復了”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 認爲,“糟糕的安全性比沒有安全性還差”,因爲現在的 Linux 圖形化界面根基 X11 存在着不可修復的嚴重問題:鎖定和身份驗證是操作系統級別的問題;X11 體系結構的這一錯誤永遠無法修復。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後還說:“我很關注他們打算如何解決這個問題。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Linux Mint 還擊:你行你上,別 BB!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然 Linux Mint 在本週三發佈了相關補丁,可以解決此項 bug 並有效預防潛在崩潰,但 JWZ 所說的話,可氣壞 Lefebvre 了。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/5f\/5f60b564411b3f615475b8dcd592faf8.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"看熱鬧不嫌事大的網友,之前特地將 JWZ 的博客網址發到了 GitHub 的 bug 報告下,還 at 了相關維護人員。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Lefebvre 在 GitHub 頁面上回應 JWZ:“寫篇文章大加嘲諷沒有任何意義。我建議你把自己的口嗨變成行動… 我希望你能在真正參與工作的 6 個月之後再寫封郵件,告訴我們‘這裏還有問題,原因是一、二、三……’,或者直接給我們設計出一套又美觀易用、又安全穩定的 locker。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":12}},{"type":"strong"}],"text":"然後逐條反駁了 JWZ 的批評:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"早在 2004 年,也就是 17 年前,我已經在文檔中解釋過自己在 XScreenSaver 中做出的設計權衡。我甚至還準確提到過這個崩潰 bug,用來解釋“如果不按設計思路操作,會發生什麼問題”。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"老哥,要讓別人重視你的意見,還是得更務實一點。這就像我 17 年前提醒你“別出門,可能會遇上車禍。”到了真出事的時候,再告訴參加葬禮的朋友們“我早跟他說過了。”問題是,講這些有意義嗎?該出門還得出,該上高速還是得上,生活本來就沒那麼安全。用戶只是想要漂亮的屏保,我們也在努力滿足大家的要求。這裏要請 JWZ 老兄想想,要在設計中把安全性與豐富性結合起來究竟有多困難。我們早該在設計中考慮這個問題?對,漂亮話誰都會說。重點在於,當時我們的目標是給用戶提供漂亮的屏保,哪顧得上那麼多?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"哪怕是 light-locker 與 KDE 本身,在實際效果上也比 JWZ 的設想更靠譜,至少其在滿足安全保障的同時,爲用戶需求給出了一種解決方案。我們最初發布 light-locker 時,並沒發現這類問題。因爲當時我們大多使用 gnome-scrensaver 及 mate-screensaver 替代 xscreensaver。換句話說,我們接受了 xscreensaver 存在安全缺陷這個事實,並在發佈 light-locker 時幾乎忘了這回事。很遺憾,bug 就這麼被保留了下來。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在編寫 cinnamon-screensaver 時,本意是用它來替換掉 gnome 屏保程序。很可惜,我們還是沒想起修復 bug。畢竟那時候我們連 light-locker 都沒考慮進來,更何況是 xscreensaver 呢。於是乎,就引發了這次的問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實這類問題總會出現,反反覆覆出現。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這就是現實,不管接不接受,這就是現實。JWZ 老哥好像不太明白這一點——你不可能禁止人們做自己想做的事兒,比如出於安全考慮不讓他們過馬路。哪怕有人總在提醒,除了讓他們心煩之外,不會對交通安全有任何幫助。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"每次 bug 出現,都回復說“這的確是個 bug,但他們已經修復了”。這是不對的,問題是這不應該是個 bug。真正的原因是系統設計的問題。設計系統安全架構的人,不應該採取讓安全失效的方式。這是不合理的。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"可以看到,GNOME 團隊已經從頭開始進行項目重寫(我不太清楚他們在重寫階段用了什麼設計),我們也有類似的計劃。沒錯,我們犯了前人曾經犯過的錯誤,最後問題出現給了我們當頭一棒。但糾結於過去真的沒什麼意思,最重要的是怎麼避免問題再次出現。我們決定在開發路線圖上把歡迎程序和鎖定程序區分開來,這一點將在 5.0 版本中有所體現。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"極盡嘲諷之能事的博文確實容易吸引眼球,也能讓我們意識到問題所在。但我們的關注重點永遠應該放在代碼本身(不只是 gnome-screensaver 或者其他已經發布的上游代碼,而是整個項目中的代碼),有了問題就做做審覈,項目不就是這麼發展完善的嗎?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JWZ 雖然提出了問題,但沒有給出任何解決方案。就個人來說,我認爲無論是在安全層面還是功能層面,light-locker 與 KDE 應該都是目前最好的方案選項。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出於種種原因,這個 bug 會在其他屏保鎖定程序中不斷出現。編寫安全代碼其實非常困難,大部分開發者其實根本不做不到。鎖定與身份驗證都是操作系統層級的問題。X11 架構中的這個問題永遠無法修復。我得承認,這些 bug 值得高度重視——因爲安全性差比沒有安全保障還可怕。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我對以上內容深表贊同。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更讓人生氣的,在於開發 XScreenSaver 鎖屏程序毫無樂趣可言。我一點興趣也沒有,添加這項功能單純只是爲了滿足用戶需求。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實大多數朋友都像我一樣,都不願親自參與安全保護工作。作爲開發者,誰不想弄點酷炫的功能出來呢?而安全實際是在束縛自己,一個個查缺補漏,防止惡意人士破壞整個系統。這很重要,但沒有樂趣。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"唉……"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"XScreenSaver 是個了不起的項目,幫助用戶解決了現實需求。作爲其 fork 的 gnome-screensaver 也是一樣,多年來始終服務於用戶羣體。所以雖然曝出一些安全隱患,但項目開發者已經明確解釋了他們爲什麼要做出這樣的選擇與權衡。所以我覺得沒必要抱怨——發現了問題,就解決問題嘛。我們還會更進一步。JWZ 的反饋對我們來說相當於一股反向推進,也更堅定了我們“如非必要,勿增實體”的基本開發理念。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但我還是想對 JWZ 老哥說一句,單靠說漂亮話解決不了實際問題。最好的辦法,就是我們攜手建立一條最安全的道路。是的,不要抱怨、別總強調什麼“我早說過”,加入到代碼審計中來、加入到功能開發中來,做個能解決問題的人。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"延伸閱讀:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.jwz.org\/blog\/2021\/01\/i-told-you-so-2021-edition\/","title":"","type":null},"content":[{"type":"text","text":"https:\/\/www.jwz.org\/blog\/2021\/01\/i-told-you-so-2021-edition\/"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/github.com\/linuxmint\/cinnamon-screensaver\/issues\/354","title":"","type":null},"content":[{"type":"text","text":"https:\/\/github.com\/linuxmint\/cinnamon-screensaver\/issues\/354"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章
4場和Zabbix春日約會,“承包”四月天
在全國各地和Zabbix相遇互動,4月活動集錦,來約會吧! 時間 活動名稱 城市 4/20(週六) KCD雲原生社區日 上海 4/20(週六) OceanBase開發者大會