Basically

  • Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
  • The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
  • the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!
  • X11 is insecure, okay we know that
  • the kernel is very bloated and everything in there has all the permissions, which is not needed
  • Kernel bugs are often not fixed quickly or at all
  • Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE

I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.

On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.

This would mean user namespaces need to be enabled again, which I can’t seem to make work with

sudo sysctl -w kernel.unprivileged_users_clone=1

But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?

I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):

https://github.com/qoijjj/hardened-images

The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.

Maybe nix is a solution? Would this be a good idea?

Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.

What do you know about this?

    • ReversalHatchery@beehaw.org
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.

      Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.

  • TheAnonymouseJoker@lemmy.ml
    link
    fedilink
    arrow-up
    15
    arrow-down
    7
    ·
    edit-2
    1 year ago

    Some stuff related to madaidan I wrote and compiled a couple years ago.

    https://i.imgur.com/FiYhbkk.jpg: madaidan being very 4chan-y in terms of blaming the computer language for problems in particular software code (in this case Linux kernel), while dismissing everything when it comes to Windows. His blog page about Linux is a massive piece of “toilet paper” repeatedly debunked at this point. If you think the phrase “toilet paper” is mine, come, have a look.

    https://web.archive.org/web/20210929053611/https://old.reddit.com/r/linux/comments/pwi1l9/thoughts_about_an_article_talking_about_the/

    https://web.archive.org/web/20220111035527/https://news.ycombinator.com/item?id=25590079

    https://archive.is/zxS72

    TL;DR his blog has been dismissed enough at this point to consider it nothing more than digital rag. Security zealots are dangerous to FOSS community, like Brad Spengler/grsecurity, madaidan, GrapheneOS and so on. You can identify them as Big Tech security evangelists trying to shit on FOSS with arguments I would say do not end up being very intelligent and academic, and more reactionary and flakey.

    Also a little note on security. You do not need as much security as much as you need privacy, freedom and anonymity. Security is variable, it only buys you the time against attacker, and is the least priority among these 4 things in computing.

  • GustavoM@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Not really relevant, but I’ve got a “rule of thumb” for all security-related issues;

    “If it doesn’t nuke my PC, then I’m good. If it does, then I’m still good since backups and logs exist, and if it was related to the latest seucirty issue? Then I make a quick patch and/or update. Then back to 1.”