SUSE, the main sponsor of the openSUSE Project, is offering a discount on its eLearning platform for members looking to enhance their skills in SUSE technologies.

The eLearning offers a variety of training courses that could be useful to openSUSE users, including Linux administration, Kubernetes, security and systems management.

A couple members from the community reached out to Tori Easterly inquiring about the possibility for members to receive a discount or a more accessible pricing option for those interested in enhancing their skills. As a result, SUSE extended a 20 percent discount.

Enterprise-level training allows people to learn at their own pace and convenience. The courses cover Linux fundamentals, automation and cutting-edge technologies like Kubernetes and container management. The eLearning provides unlimited access to all SUSE IT courses, spanning Linux, Systems Management, Security, Edge Computing and more. As IT evolves rapidly, the curriculum is frequently updated to reflect the latest advancements in SUSE technologies.

openSUSE Project members can get 20 percent off SUSE eLearning courses using the Coupon Code TRAIN2025 upon checkout.

For many years, the development of syslog-ng happened on the master branch in Git. However, if you follow that branch, you might have noticed that there has not been much activity on it lately. That is because we introduced a new branch in git called “develop”.

https://www.syslog-ng.com/community/b/blog/posts/introducing-the-develop-branch-of-the-syslog-ng-git-repo

The March syslog-ng newsletter is now on-line:

• Test syslog-ng on EPEL 10!

• Collecting Active Roles logs centrally using the syslog-ng Windows Agent

• syslog-ng OSE 4.8.1 is now in EPEL 10, quick fix for Elasticsearch

It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-03-epel-10-elasticsearch-active-roles

Table of Contents

• 1) Introduction
• 2) Symlink Attack in /var/log/below/error_root.log
• 3) Further Issues
• 4) Bugfix
• 5) CVE Assignment
• 6) Hardening Suggestions
• 7) Timeline
• 8) References

1) Introduction

Below is a tool for recording and displaying system data like hardware utilization and cgroup information on Linux. In January 2025, Below was packaged and submitted to openSUSE Tumbleweed. Below runs as a systemd service with root privileges. The SUSE security team monitors additions and changes to systemd service unit files in openSUSE Tumbleweed, and through this we noticed problematic log directory permissions applied in Below’s code.

The version we reviewed in this context was v0.8.1 and this report is based on that version.

Upstream released a bugfix in version v0.9.0 and a security advisory on GitHub.

2) Symlink Attack in /var/log/below/error_root.log

Below’s systemd service runs with full root privileges. It attempts to create a world-writable directory in /var/log/below. Even if the directory already exists, the Rust code ensures that it receives mode 0777 permissions:

    if perm.mode() & 0o777 != 0o777 {
        perm.set_mode(0o777);
        match dir.set_permissions(perm) {
            Ok(()) => {}
            Err(e) => {
                bail!(
                    "Failed to set permissions on {}: {}",
                    path.to_string_lossy(),
                    e
                );
            }
        }
    }

This logic leads to different outcomes depending on the packaging on Linux distributions:

• in openSUSE Tumbleweed the directory was packaged with 01755 permissions (below.spec line 73), thus causing the set_permissions() call to run, resulting in a directory with mode 0777 during runtime.
• in Gentoo Linux the directory is created with mode 01755 resulting in the same outcome as on openSUSE Tumbleweed (below.ebuild). Where the 01755 mode is exactly coming from is not fully clear, maybe the cargo build process assigns these permissions during installation.
• in Fedora Linux the directory is packaged with 01777 permissions, thus the set_permissions() code will not run, because the if condition masks out the sticky bit. The directory stays at mode 01777 (rust-below.spec).
• the Arch Linux AUR package (maybe wrongly) does not pre-create the log directory. Thus the set_permissions() code will run and create the directory with mode 0777.

Below creates a log file in /var/log/below/error_root.log and assigns mode 0666 to it. This (somewhat confusingly) happens via a log_dir variable, which has been changed to point to the error_root.log file. The 0666 permission assignment to the logfile happens in logging::setup(), also accompanied by a somewhat strange comment in the code.

A local unprivileged attacker can stage a symlink attack in this location and cause an arbitrary file in the system to obtain 0666 permissions, likely leading to a full local root exploit, if done right, e.g. by pointing the symlink to /etc/shadow. Even if the file already exists it can be removed and replaced by a symlink, because of the world-writable directory permissions. The attack is thus not limited to scenarios in which the file has not yet been created by Below.

We believe the actual intention of this code might have been to assign mode 01777 (i.e. carrying a sticky bit). The sticky bit is neither contained in the if condition nor in the set_permissions() call, though. With the sticky bit set the Linux kernel’s protected_symlinks logic, which is enabled on most Linux distributions, would protect from symlink attacks.

3) Further Issues

Even on Fedora Linux, where /var/log/below has “safe” 01777 permissions, there is a time window during which problems can arise. As long as below.service has not been started, another local user can pre-create /var/log/below/error_root.log and e.g. place a FIFO special file there. This will pose a local DoS against the below service, since it will fail to open the path and thus fail to start.

If /var/log/below were to be deleted for any reason, then Below would still recreate it using the bad 0777 mode permissions, which can also happen on distributions that initially package /var/log/below using permissions that do not trigger the set_permissions() call in Below’s code.

Below applies many world-writable and world-readable permissions under /var/log/below. This seems a strange choice. For some reason the internal state data of Below is also stored within the log directory in /var/log/below/store. The data is fully world-readable, which could result in information leaks, if Below stores system information there that would not otherwise be accessible to unprivileged local users. We did not check if this applies, though. By pre-creating this directory before below.service runs for the first time, an unprivileged user can control all of its contents, possibly violating the integrity of Below in various ways.

The world-writable logfile error_root.log makes no sense to us as well. Why should arbitrary users in the system be able to modify the log data of Below? This allows log spoofing by local users. Even making the logfile world-readable is considered bad style by some people these days. Why /var/log/below should be world-writable in the first place is also unclear to us. Ideally only root or a dedicated below service user should be allowed to write there.

4) Bugfix

Upstream published a bugfix in commit 10e73a21d67 which is part of Below v0.9.0. The commit basically removes all problematic permission assignments from the code, stating that these directories are better setup by systemd. This seems to refer to an added systemd directive LogsDirectory=below in the below.service file.

With this change no world-writable directories or files should turn up in /var/log/below anymore, and the most severe issues from this report are addressed. The possible matter of world-readable log and store files remains, though.

We did not get any details from upstream about the design decisions in Below that led to this issue or about any further changes that upstream intends to perform to improve security in this area.

5) CVE Assignment

Upstream assigned CVE-2025-27591 for this issue.

6) Hardening Suggestions

It could be considered to apply hardening directives in Below’s systemd service unit that prevent some attack types. Most prominently, restricting write access for the daemon to a range of well known locations comes to mind.

7) Timeline

8) References

• Below GitHub repository
• Below v0.9.0 bugfix release
• Bugfix commit 10e73a21d67
• Below GitHub Security Advisory

Last weekend, I was welcomed to a special event in an industrial area of Budapest. Zsolt Audio – one of the best known high-end audio manufacturers in Hungary – turns 40 this year, and Zsolt Huszti, the founder, started a series of events celebrating this in the showroom next to his “factory”. We listened to some fun stories from the past 40 years, and also to music on some of his latest devices.

The first time I heard about Heed Audio was in 2011, when one of my friends brought me along to an open house event. Sadly, that was the last time I met that friend before his passing, but that’s a different story. I’m happy that he introduced me to Heed Audio right before leaving us…

At that time, we listened to the Enigma 5 speakers, and to me, it was love at first sight. I mean, first listening… :-) I decided that these are the speakers I want to listen to. And almost a decade later, this dream finally became true. And while the Enigma 5 is no longer produced, you can still find some info about it at the bottom of this page: https://heedaudio.com/loudspeakers/

At the event last Saturday, we learned a lot about the company’s future plans, some of which is quite interesting. Zsolt had some ground-breaking ideas, but I’m not in the position to share those publicly. However, we also listened to a few devices that are already available or will be available soon.

The Heed Audio Asterisk is a really simple stereo amplifier. Nothing fancy, just three line inputs, and it can drive a pair of speakers. However, it can do its job really well. Connected to the amplifier, we could listen to a pair of bookshelf speakers. They are tiny and still under development, but could already fill the show room with a loud and clear voice. The amplifier is already available: https://www.bartimexaudio.hu/Heed-Audio-Asterisk

I love the sound of the Enigma 5 speakers. They do a fantastic job with most of the music I listen to. You can easily draw a map of instruments you are listening to in 3D. I did it a couple of times, and they turned out to be pretty accurate when compared to photos taken during recordings. Unlike the Enigma 5, the reincarnation of the StandArt speakers we listened to are not omnidirectional. You cannot expect the same level of spatial sound. However, speakers directed at you reproduce the atmosphere of a (prog)rock concert much better. At the event, we also listened to some Rammstein, which was pure joy on these speakers. They were driven by a Heed Obelisk integrated amplifier, a slightly more modern version of what I use at home. As you could guess from this description, these speakers are not meant to replace the Enigmas, but rather complement them.

This was just the first event of a promising series. I’m looking forward to listening to even more stories and music!

Dear Tumbleweed users and hackers,

This week felt quite busy; lots of things going through staging, but luckily, most things passed rather easy from what I’ve seen. At this point, a big “thank you” to the package maintainers taking care of such a smooth process. Tumbleweed could not be rolling at its speed without your help.

Seven snapshots were published (0227…0305) during this week. The most relevant changes included are:

• KDE Plasma 6.3.2
• Postfix 3.10.1
• libzypp/zypper updates with experimental ‘parallel download’ capabilities.
• Linux kernel 6.13.5
• glibc 2.41
• QEmu 9.2.2
• GNOME Shell 47.5

The next snapshots to come will bring even larger changes, namely:

• Python 3.13 as primary python interpreter. /usr/bin/python3 will be switched to version 3.13. This will require a rather large Tumbleweed rebuild to ensure the python3-* symbols move to the correct packages.
• GCC 15: We will run the well-tested 2-phase approach from previous years: first, switch the used libraries to the ones generated by gcc15 (the phase we are currently working on), then later switch to GCC 15 being the compiler.
• Mozilla Firefox 136.0
• KDE Gear 24.12.3
• Mesa 25.0.1
• RPM 4.20.1
• Perl 5.40.1

If you read only one long article this month, it should be The Anti-Social Century by the The Atlantic.

I planned to write about tribalism for a long time, as it bothers me a lot and often puts me in trouble. Unfortunately, most people think in tribes, such as “I’m a Democrat”, “I’m a Republican”, or “You’re either with us, or against us”. Something similar also exists here in Hungary. When I agree with something that others also support, those people think that I belong to their tribe. However, as soon as I disagree with them about something, those same people immediately think that I belong to another tribe. But nothing could be further from the truth–I do not belong to any tribe. If I agree on something with the Democrats, it does not mean that I reject everything what the Republicans say. And the same is true the other way round.

And this applies not just to politics, but to all aspects of life, including IT. Just think about my operating system affiliations. I consider myself a FreeBSD guy at heart. Still, I use openSUSE as my main OS on my laptop, as it provides the best installation and hardware support (often better than Windows) and has most of the software I need. My colleagues have a lot more trouble using the same company laptop with other operating systems. That said, I also use Windows, even if my title is “open-source evangelist”: Teams and PowerPoint for work, while Capture One and Ableton for my hobbies. And even if I use FreeBSD, openSUSE and Windows as my daily drivers, most of my friends are from the Fedora / RHEL (& compatibles) community, as most syslog-ng users use CentOS and friends, which means that I spend most of my time with those people. Would it help in any way if I embraced a tribal mindset for the various Linux distros or operating systems? Certainly not.

Long story short: Forget tribalism and be social! The article in The Atlantic describes many changes that led to this situation. If we are aware of these, we can hopefully reverse the trends.

In my previous OneIdentity Active Roles blog, you learned how to forward Active Roles logs to a central syslog-ng server to parse and store the logs. In this blog, I’ll show you how to:

• Work with parsed Active Roles logs.
• Store logs to various document stores.
• Prepare long-term storage.
• Send alerts for some critical events.

Even if this blog about commercial software, the name-value pairs concept I describe in this blog in depth is the same in the open source syslog-ng.

https://www.syslog-ng.com/community/b/blog/posts/working-with-parsed-active-roles-logs-in-syslog-ng

This week, I reorganized the speakers in my room and wanted to test the change by listening to a wide variety of music. The first piece that came to my mind was “Rhapsody in Blue” by Gershwin https://en.wikipedia.org/wiki/Rhapsody_in_Blue, as I have a fantastic recording of it made by the Pittsburgh Symphony Orchestra. That said, I know that I’m not a music maniac enough, as I do not have it on vinyl, but rather as a digital download from HDTracks: https://www.hdtracks.com/#/album/5de7b4c75935a842dd765e23. Rhapsody in Blue already sounded great with the original setup, but placing the speakers farther away from each other and turning up the volume made wonders. Even in a middle-sized room, it suddenly sounded as if I was in a huge concert hall.

TIDAL: https://listen.tidal.com/album/79240363

Once the album was over, I wanted to experiment further. That’s when I realized that I have a few more recordings of Rhapsody in Blue. Well, not the original, but various adaptations. The next one I listened to had a completely different style: progressive metal. It is on the third album of Liquid Tension Experiment. This was the only time when the new setup did not improve the sound. I mean, it wasn’t bad at all, but a bit more bass would have helped :-) I listened to this music from a Blu-ray disk.

TIDAL: https://listen.tidal.com/album/168567035

The third song featuring the melodies of Rhapsody in Blue was recorded by Hiromi, a jazz pianist from Japan. I have this album as a CD from Japan, but I also have it in high resolution FLAC files from HDTracks: https://www.hdtracks.com/#/album/5dfb7dc30a58de3182f046f0. I know the sound of the piano pretty well, as there was at least one piano in my home most of my life. Turning up the volume a bit and listening to a good recording made wonders: it was a lot more lifelike than usual.

TIDAL: https://listen.tidal.com/album/119047940/

The new speaker arrangement gives a nicer, more realistic sound. However, it also needs to be louder, as I’m farther away from the speakers. So, for now, I just note the position of the speakers and move back everything as it was previously…

I am looking for even more Rhapsody in Blue recordings. Do you have any recommendations, either for the original or for other arrangements?