The Linux Thread - The Autist's OS of Choice

ditto said:
Linux file permissions explained for Zoomers

Back in my day we did file permissions in octal and we liked it
Click to expand...
And then there is selinux, I still can't get my head around it.
It sounds great in theory, a text editor shouldn't be able to connect over the network and download a file to execute, but setting up rules for everything is pretty painstaking.
 
Another Char Clone said:
It sounds great in theory, a text editor shouldn't be able to connect over the network and download a file to execute, but setting up rules for everything is pretty painstaking.
Click to expand...
OpenBSD does it right with the pledge syscall which lets programs declare their resources and drop everything else.

SELinux was built by the NSA for their purposes so I'll never trust that.
 
Speaking of KDE, I set up a Debian Sid VM and gave the Trinity Desktop Environment a spin. Immediately I realized what I had done and installed like 800+ different programs at once and now it felt like I was using a prearranged distribution. Way, way too much default applications. I didn't realize there was a base that could leave out most of the bloat, but holy shit, it was giving current versions of KDE and even GNOME a run for their money.

Well, it "works" as a nostalgia bait, and that's all I get from TDE at this juncture. The Konqueror browser is one of the most pointless additions because it can barely pull its own weight for the most basic tasks, and I do not know of it'd be safe to remove.
 
Last edited:
SELinux is so overtly complicated that that is an attack surface by itself. I was always a follower of the philosophy that good security needs to be dead simple, so that there can be no misunderstandings and so that there's also precious little room for bugs.

I have the feeling many of these mandatory access control features of the kernel have fallen out of favor in favor of namespaces, probably because they're easier to set up, cleaner and also have other uses besides security. I used to use Tomoyo for a while as it was the simplest of the MAC there is, it still was pretty complicated vs. a tool like bwrap. Performance also was kinda poor.

I still think Docker is painfully overcomplicated garbage and like half the people that offer Docker containers don't have any idea what they're doing and it shows, though.
 
  • Like
Reactions: Knight of the Rope
Rusty Metal Skull Gun said:
@Another Char Clone - just use Docker, it's pretty much superseded SELinux for sandboxing shit
Click to expand...
I discovered unshare(1), even more lightweight. Fake chroot, fake PIDs, fake UIDs, network sandboxing, it's great when you the app you want to run is already installed as a regular program, no need to download gigabytes of runtimes. I have selinux running on my gentoo in permissive mode, so the logs are more for debugging why something is behaving retarded more than as security.

ditto said:
OpenBSD does it right with the pledge syscall which lets programs declare their resources and drop everything else.
Click to expand...
unshare(2) is sort of the Linux version of BSD, sadly I don't use BSD due to lack of hardware support, its already tough with Linux.
 
  • Like
Reactions: Sperg Coalition, ditto and Rusty Metal Skull Gun
archive.ph

Bug #1996682 “racist, misogynist, homophobic, fascist content in...” …

archived 18 Nov 2022 13:52:27 UTC
archive.ph archive.ph
1668817162955.png
Offensive package has offensive humor, I'm shocked I tell you, shocked!
 
  • Like
  • Feels
  • Thunk-Provoking
Reactions: notafederalagent, Cum Elemental, Markass the Worst and 2 others
AmpleApricots said:
SELinux is so overtly complicated that that is an attack surface by itself. I was always a follower of the philosophy that good security needs to be dead simple, so that there can be no misunderstandings and so that there's also precious little room for bugs.
Click to expand...

That's an interesting point, I'd not considered that before. It's a bit like Windows' ACLs: sounds great in theory, far too complicated in practice.

AmpleApricots said:
I still think Docker is painfully overcomplicated garbage and like half the people that offer Docker containers don't have any idea what they're doing and it shows, though.
Click to expand...

Hard agree. I like Docker, but only because I can put my own Gentoo instance in there and tweak it how I want. I wouldn't trust anyone else's container.
 
  • Agree
Reactions: AmpleApricots
Another Char Clone said:
I discovered unshare(1), even more lightweight. Fake chroot, fake PIDs, fake UIDs, network sandboxing, it's great when you the app you want to run is already installed as a regular program, no need to download gigabytes of runtimes. I have selinux running on my gentoo in permissive mode, so the logs are more for debugging why something is behaving retarded more than as security.
Click to expand...
Namespaces! I use bwrap and some scripts to basically rip programs out of linux distributions and run them in subdirectories "the windows way" where an easy rm -r can get rid of them and also their dotfiles get put somewhere where they don't clutter $HOME. This allows me to maintain my own base without having to agree to decisions by tranny distro jannies like in that post about no-no words in fortune up there but still use complex software without having to compile it myself. Made me give up on gentoo which has been marred with bad decision making in the last few years in favor of running my own KISS fork. It's also good for things like e.g. Firefox doing an absolutely ludicrous amount of writing to it's profile files and battering my drive, so this also allows me to put them into a tmpfs first.

Another Char Clone said:
sadly I don't use BSD due to lack of hardware support, its already tough with Linux.
Click to expand...
I've been steadying myself to become a *BSD refugee for years by now and switched over to a lot of BSD tools. I even use ksh. I made the same experience though, every time I get my hands on a new system I get that tinge to maybe switch with that system to a *BSD and every time I come back with the realization "as long as I like using the network hardware or GPU, it's not an option" Really sucks and I don't blame them at all for the absolutely 0 support they're getting compared to even Linux, but that's them breaks. If I will live to see it, I guess the day that'll finally push me over is Linus dying/retiring/getting canceled and the corpos (through their useful idiots the trannies) taking the kernel over completely. they're 4/5 there already as is. I'll just do then what I did with Linux many years ago: Buy hardware with the express goal of running *BSD on it.
 
  • Feels
  • Like
Reactions: notafederalagent, ellroy, Mister Uno and 4 others
AmpleApricots said:
I've been steadying myself to become a *BSD refugee for years by now and switched over to a lot of BSD tools. I even use ksh. I made the same experience though, every time I get my hands on a new system I get that tinge to maybe switch with that system to a *BSD and every time I come back with the realization "as long as I like using the network hardware or GPU, it's not an option" Really sucks and I don't blame them at all for the absolutely 0 support they're getting compared to even Linux, but that's them breaks. If I will live to see it, I guess the day that'll finally push me over is Linus dying/retiring/getting canceled and the corpos (through their useful idiots the trannies) taking the kernel over completely. they're 4/5 there already as is. I'll just do then what I did with Linux many years ago: Buy hardware with the express goal of running *BSD on it.
Click to expand...

What are your thoughts on NetBSD?
 
davids877 said:
I'm apparently just using the Docker container these days, looks like Apache. Seems to work fine for all 1 of my users.
Click to expand...
I've ran it on Apache well enough before, worked well for personal use. Just rebuilding some stuff now and have an opportunity to install everything from scratch. Trying to determine if nginx will be lighter on the CPU and RAM usage compared to Apache.
 
You must log in or register to reply here.
Back