GET https://kbin.spritesserver.nl/m/linux@lemmy.ml/t/16322/Security-advise-collection-what-do-you-recommend/active

Components

24 Twig Components
162 Render Count
999 ms Render Time
16.0 MiB Memory Usage

Components

Name Metadata Render Count Render Time
date
"App\Twig\Components\DateComponent"
components/date.html.twig
18 3.04ms
user_inline
"App\Twig\Components\UserInlineComponent"
components/user_inline.html.twig
17 28.00ms
date_edited
"App\Twig\Components\DateEditedComponent"
components/date_edited.html.twig
16 14.84ms
vote
"App\Twig\Components\VoteComponent"
components/vote.html.twig
16 8.22ms
boost
"App\Twig\Components\BoostComponent"
components/boost.html.twig
16 58.70ms
entry_comment
"App\Twig\Components\EntryCommentComponent"
components/entry_comment.html.twig
15 824.91ms
user_avatar
"App\Twig\Components\UserAvatarComponent"
components/user_avatar.html.twig
15 36.25ms
entry_comments_nested
"App\Twig\Components\EntryCommentsNestedComponent"
components/_cached.html.twig
15 296.96ms
settings_row_switch
"App\Twig\Components\SettingsRowSwitchComponent"
components/_settings_row_switch.html.twig
15 66.42ms
user_settings_row_switch
"App\Twig\Components\UserSettingsRowSwitchComponent"
components/_user_settings_row_switch.html.twig
4 0.77ms
settings_row_enum
"App\Twig\Components\SettingsRowEnumComponent"
components/_settings_row_enum.html.twig
2 0.51ms
entry
"App\Twig\Components\EntryComponent"
components/_cached.html.twig
1 80.93ms
entries_cross
"App\Twig\Components\EntriesCrossComponent"
components/_cached.html.twig
1 55.49ms
editor_toolbar
"App\Twig\Components\EditorToolbarComponent"
components/editor_toolbar.html.twig
1 0.24ms
user_actions
"App\Twig\Components\UserActionsComponent"
components/user_actions.html.twig
1 0.46ms
magazine_box
"App\Twig\Components\MagazineBoxComponent"
components/magazine_box.html.twig
1 60.01ms
magazine_sub
"App\Twig\Components\MagazineSubComponent"
components/magazine_sub.html.twig
1 0.46ms
related_magazines
"App\Twig\Components\RelatedMagazinesComponent"
components/_cached.html.twig
1 12.68ms
active_users
"App\Twig\Components\ActiveUsersComponent"
components/_cached.html.twig
1 2.82ms
related_categories
"App\Twig\Components\RelatedCategoriesComponent"
components/_cached.html.twig
1 14.36ms
related_posts
"App\Twig\Components\RelatedPostsComponent"
components/_cached.html.twig
1 18.43ms
related_entries
"App\Twig\Components\RelatedEntriesComponent"
components/_cached.html.twig
1 13.24ms
support_us_block
"App\Twig\Components\SupportUsBlock"
components/_cached.html.twig
1 19.60ms
featured_magazines
"App\Twig\Components\FeaturedMagazinesComponent"
components/_cached.html.twig
1 15.17ms

Render calls

entry App\Twig\Components\EntryComponent 14.0 MiB 80.93 ms
Input props
[
  "entry" => App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that dont rely on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
      So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
      \n
      ```\n
      \n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
      \n
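      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two caveats: your user still owns the home directory, so a root-owned `~/.bashrc` can be renamed or deleted and replaced without root; and once `~/.ssh` and `~/.gnupg` are root-owned with mode 700, your own user can no longer read them, so ssh and gpg will not find your keys or config.\n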
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
      \n
      #### Firmware updates & Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
  "isSingle" => true
  "showShortSentence" => false
  "showBody" => true
]
Attributes
[
  "class" => "entry--single section--top"
]
Component
App\Twig\Components\EntryComponent {#2955
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
  -newCommentMarkerCount: App\Kbin\NewCommentMarker\NewCommentMarkerCount {#2956 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  +entry: App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that dont do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
      So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (ssh and gpg running as your normal user then cannot read their own keys and config).\n
      \n
      ```\n
      \n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (The three digits are for owner, group and others. 7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively)\n
      \n
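      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself stays writable by your user, so a root-owned file inside it can still be renamed or replaced by anything running as you; root ownership only protects the file's contents, not its name.\n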
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
      \n
      #### Firmware updates &amp; Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
  +isSingle: true
  +showShortSentence: false
  +showBody: true
  +showMagazineName: false
  +canSeeTrash: false
  +newComments: 0
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.42 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#3627
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.23 ms
Input props
[
  "date" => DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#3697
  +date: DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.20 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
  "editedAt" => DateTimeImmutable @1701462094 {#1793
    date: 2023-12-01 21:21:34.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#3761
  +createdAt: DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
  +editedAt: DateTimeImmutable @1701462094 {#1793
    date: 2023-12-01 21:21:34.0 +01:00
  }
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.46 ms
Input props
[
  "subject" => App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined and Desktops use existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
      So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
      \n
      ```\n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively)\n
      \n
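      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Because your home directory itself stays writable by you, anything running as your user can still rename or delete a root-owned `~/.bashrc` and put its own file in its place; and with `~/.ssh` and `~/.gnupg` owned by root at mode 700, ssh and gpg running as your user can no longer read their keys.\n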
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
      \n
      #### Firmware updates &amp; Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#3826
  +subject: App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      These should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is if malware simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
      So this means that your shell configs should only be writable by root; everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
      \n
      ```\n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead **w**rite e**x**ecute, 5: read execute; the three digits apply to owner, group and everyone else, in that order; “-R”: recursively)\n
      \n
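      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that the chown alone does not stop a file from being replaced: permission to rename or delete a file comes from the directory it sits in, and your user still owns the home directory itself. Bash also reads other startup files such as `~/.bash_profile` and `~/.profile`, which the commands above do not cover. And a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user, so ssh and gpg running as you will not find their keys.\n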
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
      \n
      #### Firmware updates &amp; Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
  +formDest: "entry"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 1.16 ms
Input props
[
  "subject" => App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      These should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception: malware running as your user could simply add a shell alias for ***anything*** to your shell config. That way a sudo password can easily be grabbed, or a second command executed whenever you run something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
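      So this means that your shell configs should only be writable by root (via sudo); everyone else can only read them! The same goes for ~/.gnupg and ~/.ssh, which may even be made readable only by root, depending on your use case. Note that with mode 700 and root ownership, as in the commands below, programs running as your own user (including ssh and gpg) can no longer read these directories.\n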
      \n
      ```\n
      \n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
      \n
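      This may still be incomplete, and the protection is pretty flawed as long as random software can write to the surrounding directories at all, and as long as everything important is stored there. For example, a root-owned `~/.bashrc` still sits in a home directory that your user owns, so a process running as you can rename or delete the file and put its own copy in its place.\n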
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
      \n
      #### Firmware updates & Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many distros support it; even those that do not have an agreement with Microsoft to work out of the box can generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#3892
  +formDest: "entry"
  +subject: App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, desktops reuse existing compositors, etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, the apps affected include screen readers, lots of remote desktop software, and screen recording. But things will evolve, and there are already apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable distros don't ship every new upstream version of a package; instead they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security-related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don't get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception: malware running as your user could simply add a shell alias for ***anything*** to your shell config. That way a sudo password can easily be grabbed, or a second command executed whenever you run something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
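      So this means that your shell configs should only be writable by root (via sudo); everyone else can only read them! The same goes for ~/.gnupg and ~/.ssh, which may even be made readable only by root, depending on your use case. Note that with mode 700 and root ownership, as in the commands below, programs running as your own user (including ssh and gpg) can no longer read these directories.\n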
      \n
      ```\n
      \n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
      \n
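      This may still be incomplete, and the protection is pretty flawed as long as random software can write to the surrounding directories at all, and as long as everything important is stored there. For example, a root-owned `~/.bashrc` still sits in a home directory that your user owns, so a process running as you can rename or delete the file and put its own copy in its place.\n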
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
      \n
      #### Firmware updates & Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many distros support it; even those that do not have an agreement with Microsoft to work out of the box can generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entries_cross App\Twig\Components\EntriesCrossComponent 14.0 MiB 55.49 ms
Input props
[
  "entry" => App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
      So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, with Desktops using existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
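      So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case; in that case programs running as your own user, such as ssh or gpg, can no longer read the keys stored there.\n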
      \n
      ```\n
      \n
      <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
      </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
      </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
      </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
      </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
      </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
      </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
      </span>\n
      ```\n
      \n
      (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; the three digits apply to owner, group and others; “-R”: recursively)\n
      \n
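      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, root ownership of a single file inside a directory your user can still write to (such as your home directory) only prevents editing that file in place; whoever can write to the directory can still rename or delete the file and put another one in its place.\n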
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
      \n
      #### Firmware updates &amp; Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that makes it work out of the box; they generate their own keys after installation instead.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\EntriesCrossComponent {#4206
  +entry: App\Entity\Entry {#2400
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +magazine: App\Entity\Magazine {#265
      +icon: Proxies\__CG__\App\Entity\Image {#246 …}
      +name: "linux@lemmy.ml"
      +title: "linux"
      +description: """
        From Wikipedia, the free encyclopedia\n
        \n
        Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
        \n
        Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
        \n
        ### Rules\n
        \n
        - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
        - No misinformation\n
        - No NSFW content\n
        - No hate speech, bigotry, etc\n
        \n
        ### Related Communities\n
        \n
        - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
        - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
        - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
        - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
        \n
        Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
        """
      +rules: null
      +subscriptionsCount: 1
      +entryCount: 1406
      +entryCommentCount: 28632
      +postCount: 6
      +postCommentCount: 214
      +isAdult: false
      +customCss: null
      +lastActive: DateTime @1729583542 {#275
        date: 2024-10-22 09:52:22.0 +02:00
      }
      +markedForDeletionAt: null
      +tags: null
      +moderators: Doctrine\ORM\PersistentCollection {#237 …}
      +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
      +entries: Doctrine\ORM\PersistentCollection {#180 …}
      +posts: Doctrine\ORM\PersistentCollection {#138 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
      +bans: Doctrine\ORM\PersistentCollection {#117 …}
      +reports: Doctrine\ORM\PersistentCollection {#103 …}
      +badges: Doctrine\ORM\PersistentCollection {#81 …}
      +logs: Doctrine\ORM\PersistentCollection {#71 …}
      +awards: Doctrine\ORM\PersistentCollection {#1346 …}
      +categories: Doctrine\ORM\PersistentCollection {#1823 …}
      -id: 73
      +apId: "linux@lemmy.ml"
      +apProfileId: "https://lemmy.ml/c/linux"
      +apPublicUrl: "https://lemmy.ml/c/linux"
      +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "linux"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: null
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1729583596 {#269
        date: 2024-10-22 09:53:16.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1698929468 {#271
        date: 2023-11-02 13:51:08.0 +01:00
      }
    }
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
    +slug: "Security-advise-collection-what-do-you-recommend"
    +title: "Security advise collection - what do you recommend?"
    +url: null
    +body: """
      I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
      \n
      ### Well known\n
      \n
      #### Dont install random apps from the internet\n
      \n
      This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
      \n
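      So use official repos nearly exclusively. If there is an app that is not in your distro's repos, try Distrobox: create a container from any image and install the app there. Keep in mind that a Distrobox container shares your home directory with the host by default and is not designed as a security sandbox, so this keeps your base system clean rather than isolating the app. You can display the available images by pressing tab after `-i`.\n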
      \n
      `distrobox-create NAME -i IMAGE-NAME`\n
      \n
      This also goes for\n
      \n
      - Ubuntu PPAs\n
      - Arch AUR\n
      - Opensuse Build service repos\n
      - Fedora COPR\n
      - Random external repos\n
      \n
      Some repos are more or less controlled, so be careful!\n
      \n
      Some “external ones” are trusted, like:\n
      \n
      - Fedora/Derivates: rpmfusion\n
      - Flathub\n
      - Steam Fedora Repo\n
      - Google Chrome Fedora Repo (dont use Chrome lol)\n
      - Open-h264 from Cisco\n
      - …\n
      \n
      [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
      \n
      #### Update, update, update\n
      \n
      Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
      \n
      #### Wayland\n
      \n
      X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
      \n
      - using your Camera\n
      - using your Microphone\n
      - viewing your screen or specific app Windows\n
      - simulating input devices\n
      - watching for keypresses\n
      \n
      Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
      \n
      - XFCE\n
      - LXQt, LXDE\n
      - Budgie\n
      - Mate\n
      - Cinnamon\n
      - …\n
      \n
      Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, with Desktops using existing Compositors etc.\n
      \n
      Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
      \n
      All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
      \n
      ### Less known\n
      \n
      #### Avoid stable Distributions\n
      \n
      Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
      \n
      Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
      \n
      Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
      \n
      #### Use an “immutable” distro\n
      \n
      Immutability is implemented in various ways, there is no standard at all\n
      \n
      - Android, Chromeos\n
      - Fedora Atomic (Silverblue, Kinoite, …)\n
      - Opensuse microOS (now Kalpa, Aeon)\n
      - VanillaOS\n
      - SteamOS\n
      \n
      They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
      \n
      VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
      \n
      Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
      \n
      Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
      \n
      Also, changes to the core system through malware are not possible, at least not directly.\n
      \n
      #### secure directories and dotfiles\n
      \n
      An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
      \n
      [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
      \n
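      So this means that your shell configs should only be writable by root (via sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case. Note that once ~/.ssh and ~/.gnupg are owned by root with mode 700, your normal user can no longer read its own keys, so ssh and gpg stop working for that user.\n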
      \n
      ```\n
      \n
      sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
      sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
      sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
      sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
      sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
      sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
      #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
      ```\n
      \n
      (7: **r**ead **w**rite e**x**ecute, 5: read execute; the three digits apply to owner, group and others; “-R”: recursively)\n
      \n
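      This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, changing a file's owner does not help much while the directory that contains it (your home directory) is still writable by your user: anything running as you can rename or delete the root-owned file and put a new one in its place. Setting the immutable attribute (`chattr +i`) on such a file narrows that gap, at the cost of needing root for every edit.\n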
      \n
      Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
      \n
      #### SELinux or Apparmor\n
      \n
      I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
      \n
      #### Sandboxing\n
      \n
      I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
      \n
      It is in early stages though.\n
      \n
      Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
      \n
      For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
      \n
      Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
      \n
      #### Firmware updates &amp; Coreboot\n
      \n
      While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
      \n
      In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
      \n
      My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
      \n
      And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
      \n
      - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
      - System76 for US People\n
      - Starlabs also ships coreboot\n
      - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
      \n
      Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
      \n
      #### Secureboot\n
      \n
      Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
      \n
      Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
      \n
      ---\n
      \n
      What other tips do you know?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 15
    +favouriteCount: 28
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1710702956 {#2414
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1688 …}
    +votes: Doctrine\ORM\PersistentCollection {#1966 …}
    +reports: Doctrine\ORM\PersistentCollection {#1965 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
    +badges: Doctrine\ORM\PersistentCollection {#2439 …}
    +children: []
    -id: 16322
    -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
    -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700928097
    +visibility: "visible             "
    +apId: "https://feddit.de/post/6001973"
    +editedAt: DateTimeImmutable @1701462094 {#1793
      date: 2023-12-01 21:21:34.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700841697 {#2402
      date: 2023-11-24 17:01:37.0 +01:00
    }
  }
  -repository: App\Repository\EntryRepository {#270 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
}
editor_toolbar App\Twig\Components\EditorToolbarComponent 14.0 MiB 0.24 ms
Input props
[
  "id" => "entry_comment_6874a5dee16749.17580012_body"
]
Attributes
[]
Component
App\Twig\Components\EditorToolbarComponent {#4331
  +id: "entry_comment_6874a5dee16749.17580012_body"
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 85.88 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
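        So use official repos nearly exclusively. If an app is not in your distro's repos, try Distrobox: create a container from any image and install the app there. You can display the available images by pressing tab after `-i`. Note that Distrobox containers share your home directory with the host by default, so this keeps the base system clean rather than sandboxing the app.\n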
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
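        So this means that your shell configs should be writable only by root (via sudo), while everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case. Keep in mind that with mode 700 and root ownership, ssh and gpg running as your normal user can no longer read the keys and configs stored there.\n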
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
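        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file only stays protected if its parent directory is not writable by your user either, because whoever can write to a directory can rename or replace the entries in it.\n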
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      None of this matters if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#5280
  +comment: App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app that is not in your distro's repos, try Distrobox: create a container from any image and install it there. You can display the available images by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security-related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don't get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is if malware simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
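        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing the owner of a file does not protect it while the directory that contains it (your home directory) is still writable by your user: anything running as you can rename or delete the root-owned file and create its own in its place.\n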
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.19 ms
Input props
[
  "user" => App\Entity\User {#4478
    +avatar: null
    +cover: null
    +email: "Genghis@monero.town"
    +username: "@Genghis@monero.town"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1727755770 {#4535
      date: 2024-10-01 06:09:30.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
    +entries: Doctrine\ORM\PersistentCollection {#4472 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
    +posts: Doctrine\ORM\PersistentCollection {#4462 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
    +follows: Doctrine\ORM\PersistentCollection {#4593 …}
    +followers: Doctrine\ORM\PersistentCollection {#4586 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
    +reports: Doctrine\ORM\PersistentCollection {#4592 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
    +violations: Doctrine\ORM\PersistentCollection {#4589 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
    +awards: Doctrine\ORM\PersistentCollection {#4578 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
    +categories: Doctrine\ORM\PersistentCollection {#4579 …}
    -id: 55848
    -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
    +apId: "Genghis@monero.town"
    +apProfileId: "https://monero.town/u/Genghis"
    +apPublicUrl: "https://monero.town/u/Genghis"
    +apFollowersUrl: null
    +apInboxUrl: "https://monero.town/inbox"
    +apDomain: "monero.town"
    +apPreferredUsername: "Genghis"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705356415 {#4533
      date: 2024-01-15 23:06:55.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1697022720 {#4532
      date: 2023-10-11 13:12:00.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#5334
  +user: App\Entity\User {#4478
    +avatar: null
    +cover: null
    +email: "Genghis@monero.town"
    +username: "@Genghis@monero.town"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1727755770 {#4535
      date: 2024-10-01 06:09:30.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
    +entries: Doctrine\ORM\PersistentCollection {#4472 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
    +posts: Doctrine\ORM\PersistentCollection {#4462 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
    +follows: Doctrine\ORM\PersistentCollection {#4593 …}
    +followers: Doctrine\ORM\PersistentCollection {#4586 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
    +reports: Doctrine\ORM\PersistentCollection {#4592 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
    +violations: Doctrine\ORM\PersistentCollection {#4589 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
    +awards: Doctrine\ORM\PersistentCollection {#4578 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
    +categories: Doctrine\ORM\PersistentCollection {#4579 …}
    -id: 55848
    -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
    +apId: "Genghis@monero.town"
    +apProfileId: "https://monero.town/u/Genghis"
    +apPublicUrl: "https://monero.town/u/Genghis"
    +apFollowersUrl: null
    +apInboxUrl: "https://monero.town/inbox"
    +apDomain: "monero.town"
    +apPreferredUsername: "Genghis"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705356415 {#4533
      date: 2024-01-15 23:06:55.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1697022720 {#4532
      date: 2023-10-11 13:12:00.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.15 ms
Input props
[
  "date" => DateTimeImmutable @1700848562 {#4539
    date: 2023-11-24 18:56:02.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#5389
  +date: DateTimeImmutable @1700848562 {#4539
    date: 2023-11-24 18:56:02.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.15 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700848562 {#4539
    date: 2023-11-24 18:56:02.0 +01:00
  }
  "editedAt" => DateTimeImmutable @1701383000 {#4476
    date: 2023-11-30 23:23:20.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#5443
  +createdAt: DateTimeImmutable @1700848562 {#4539
    date: 2023-11-24 18:56:02.0 +01:00
  }
  +editedAt: DateTimeImmutable @1701383000 {#4476
    date: 2023-11-30 23:23:20.0 +01:00
  }
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.33 ms
Input props
[
  "user" => App\Entity\User {#4478
    +avatar: null
    +cover: null
    +email: "Genghis@monero.town"
    +username: "@Genghis@monero.town"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1727755770 {#4535
      date: 2024-10-01 06:09:30.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
    +entries: Doctrine\ORM\PersistentCollection {#4472 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
    +posts: Doctrine\ORM\PersistentCollection {#4462 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
    +follows: Doctrine\ORM\PersistentCollection {#4593 …}
    +followers: Doctrine\ORM\PersistentCollection {#4586 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
    +reports: Doctrine\ORM\PersistentCollection {#4592 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
    +violations: Doctrine\ORM\PersistentCollection {#4589 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
    +awards: Doctrine\ORM\PersistentCollection {#4578 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
    +categories: Doctrine\ORM\PersistentCollection {#4579 …}
    -id: 55848
    -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
    +apId: "Genghis@monero.town"
    +apProfileId: "https://monero.town/u/Genghis"
    +apPublicUrl: "https://monero.town/u/Genghis"
    +apFollowersUrl: null
    +apInboxUrl: "https://monero.town/inbox"
    +apDomain: "monero.town"
    +apPreferredUsername: "Genghis"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705356415 {#4533
      date: 2024-01-15 23:06:55.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1697022720 {#4532
      date: 2023-10-11 13:12:00.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#5499
  +width: 40
  +height: 40
  +user: App\Entity\User {#4478
    +avatar: null
    +cover: null
    +email: "Genghis@monero.town"
    +username: "@Genghis@monero.town"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1727755770 {#4535
      date: 2024-10-01 06:09:30.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
    +entries: Doctrine\ORM\PersistentCollection {#4472 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
    +posts: Doctrine\ORM\PersistentCollection {#4462 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
    +follows: Doctrine\ORM\PersistentCollection {#4593 …}
    +followers: Doctrine\ORM\PersistentCollection {#4586 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
    +reports: Doctrine\ORM\PersistentCollection {#4592 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
    +violations: Doctrine\ORM\PersistentCollection {#4589 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
    +awards: Doctrine\ORM\PersistentCollection {#4578 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
    +categories: Doctrine\ORM\PersistentCollection {#4579 …}
    -id: 55848
    -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
    +apId: "Genghis@monero.town"
    +apProfileId: "https://monero.town/u/Genghis"
    +apPublicUrl: "https://monero.town/u/Genghis"
    +apFollowersUrl: null
    +apInboxUrl: "https://monero.town/inbox"
    +apDomain: "monero.town"
    +apPreferredUsername: "Genghis"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705356415 {#4533
      date: 2024-01-15 23:06:55.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1697022720 {#4532
      date: 2023-10-11 13:12:00.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.42 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t rely on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here: malware running as your user could simply create a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root; everyone else can only read them! The same goes for ~/.gnupg and ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
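        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself stays writable by your user, so a process running as you can still rename or replace a root-owned file inside it; the immutable flag (`sudo chattr +i`, where the filesystem supports it) is one way to prevent that. Also note that with mode 700 and owner root, ssh and gpg can no longer read ~/.ssh and ~/.gnupg when run as your normal user.\n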
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially with “Laptops with good Linux compatibility”, these are older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with (Secure Boot checks the signatures of the boot chain before it runs). Many Distros support it, even though some have no agreement with Microsoft that would make it work out of the box; those generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure, especially the Pixel 8/pro with MTE (ARM's Memory Tagging Extension), which immensely reduces remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#5606
  +subject: App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It often comes bundled with outsourced antivirus as well, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them: under X11 any app can watch keypresses, read the screen and send input to other apps without asking. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that relies on insecure methods. Unfortunately, that category includes screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
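        So this means that your shell configs should only be writable by root; all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case — but note that ssh and gpg running as your own user can then no longer read their keys and config there.\n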
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
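        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file or directory that sits inside a directory your user owns can still be renamed or deleted and replaced by any process running as you, so these permissions raise the bar rather than prevent tampering.\n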
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it, even though some may not have an agreement with Microsoft to work out of the box and instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 1.27 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
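        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install it there. Keep in mind that a Distrobox container shares your home directory with the host by default, so this keeps foreign packages off the base system but does not sandbox the app. You can display the images available by pressing tab after `-i`.\n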
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root; all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
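        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a directory your user still owns (like your home directory or ~/.config) can be renamed or deleted and replaced by that user, so these permissions only stop software that edits the file in place. Also note that after the commands above your own user can no longer read ~/.ssh and ~/.gnupg, so ssh and gpg will not find your keys unless run as root.\n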
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft that lets it work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#5663
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
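        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install the app there. Keep in mind that Distrobox aims at compatibility, not sandboxing: by default the container shares your home directory with the host, so it does not confine an untrusted app. You can display the available images by pressing tab after `-i`.\n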
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        The same caution applies to packages from\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception to this is malware that simply creates a bash alias for ***anything***: that needs no change to the core system, only write access to your shell config. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
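        So this means that your shell configs should be writable only by root (via sudo); everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case. Note that with root ownership and mode 700, as in the commands below, your own user can no longer read ~/.ssh and ~/.gnupg, so ssh and gpg run as your user will not find their keys and configuration.\n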
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
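        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself stays writable by your user, so a root-owned file or directory inside it can still be renamed and replaced by anything running as you; treat these permissions as an extra hurdle, not as a security boundary.\n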
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 54.36 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have been using Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
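        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. For example, a root-owned `~/.bashrc` can still be renamed or replaced by anything that can write to your home directory itself, because that only needs write permission on the directory, not on the file.\n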
        \n
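        Please report if any setting breaks something. One breakage to expect: with `~/.ssh` and `~/.gnupg` owned by root at mode 700, ssh and gpg running as your normal user can no longer read the keys stored there. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n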
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#5910
  +comment: App\Entity\EntryComment {#4530
    +user: App\Entity\User {#4478
      +avatar: null
      +cover: null
      +email: "Genghis@monero.town"
      +username: "@Genghis@monero.town"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1727755770 {#4535
        date: 2024-10-01 06:09:30.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
      +entries: Doctrine\ORM\PersistentCollection {#4472 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
      +posts: Doctrine\ORM\PersistentCollection {#4462 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
      +follows: Doctrine\ORM\PersistentCollection {#4593 …}
      +followers: Doctrine\ORM\PersistentCollection {#4586 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
      +reports: Doctrine\ORM\PersistentCollection {#4592 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
      +violations: Doctrine\ORM\PersistentCollection {#4589 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
      +awards: Doctrine\ORM\PersistentCollection {#4578 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
      +categories: Doctrine\ORM\PersistentCollection {#4579 …}
      -id: 55848
      -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
      +apId: "Genghis@monero.town"
      +apProfileId: "https://monero.town/u/Genghis"
      +apPublicUrl: "https://monero.town/u/Genghis"
      +apFollowersUrl: null
      +apInboxUrl: "https://monero.town/inbox"
      +apDomain: "monero.town"
      +apPreferredUsername: "Genghis"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705356415 {#4533
        date: 2024-01-15 23:06:55.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1697022720 {#4532
        date: 2023-10-11 13:12:00.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Sadly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
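        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Keep in mind that with root ownership and mode 700 your own user can no longer read the keys in these directories, so ssh and gpg will only work through sudo.\n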
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
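        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file or directory inside your home is not protected against replacement: your home directory itself is still writable by your user, so anything running as you can rename the root-owned entry and put a new one in its place. Treat these commands as a speed bump, not as a real barrier.\n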
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      The desktop security model is insecure in general. Phone OSes are much more secure.\n
      \n
      Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
      \n
      Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
      \n
      Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
      \n
      Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
      \n
      This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
      \n
      that’s about it
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1710702956 {#4540
      date: 2024-03-17 20:15:56.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4528 …}
    +nested: Doctrine\ORM\PersistentCollection {#4526 …}
    +votes: Doctrine\ORM\PersistentCollection {#4524 …}
    +reports: Doctrine\ORM\PersistentCollection {#4522 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
    -id: 159318
    -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://monero.town/comment/2578411"
    +editedAt: DateTimeImmutable @1701383000 {#4476
      date: 2023-11-30 23:23:20.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700848562 {#4539
      date: 2023-11-24 18:56:02.0 +01:00
    }
  }
  +nestedComments: [
    159826 => App\Entity\EntryComment {#5193
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4530}
      +root: App\Entity\EntryComment {#4530}
      +body: """
        The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
        \n
        I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
        \n
        I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 0
      +score: 0
      +lastActive: DateTime @1700857499 {#5191
        date: 2023-11-24 21:24:59.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@Genghis@monero.town"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5194 …}
      +nested: Doctrine\ORM\PersistentCollection {#5196 …}
      +votes: Doctrine\ORM\PersistentCollection {#5198 …}
      +reports: Doctrine\ORM\PersistentCollection {#5200 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
      -id: 159826
      -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://feddit.de/comment/5116840"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700857499 {#5192
        date: 2023-11-24 21:24:59.0 +01:00
      }
    }
    272418 => App\Entity\EntryComment {#5208
      +user: Proxies\__CG__\App\Entity\User {#5209
        +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
        +cover: null
        +email: "yianiris@kafeneio.social"
        +username: "@yianiris@kafeneio.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: """
          Politics of equality\n
          \n
          Block neo-nazi blue-yellow flag covers\n
          \n
          Vanguard revolutionaries are closet authoritarians capitalist reformers\n
          \n
          linux with runit or s6 and no-systemd minimalism\n
          \n
          I fix old machines, from PCs to flat heads and pushrods\n
          \n
          EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
          """
        +lastActive: DateTime @1729512950 {#6719
          date: 2024-10-21 14:15:50.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
        +entries: Doctrine\ORM\PersistentCollection {#6732 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
        +posts: Doctrine\ORM\PersistentCollection {#6740 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
        +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
        +follows: Doctrine\ORM\PersistentCollection {#6752 …}
        +followers: Doctrine\ORM\PersistentCollection {#6754 …}
        +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
        +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
        +reports: Doctrine\ORM\PersistentCollection {#6764 …}
        +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
        +violations: Doctrine\ORM\PersistentCollection {#6768 …}
        +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
        +awards: Doctrine\ORM\PersistentCollection {#6772 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
        +categories: Doctrine\ORM\PersistentCollection {#6776 …}
        -id: 74812
        -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
        +apId: "yianiris@kafeneio.social"
        +apProfileId: "https://kafeneio.social/users/yianiris"
        +apPublicUrl: "https://kafeneio.social/@yianiris"
        +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
        +apInboxUrl: "https://kafeneio.social/inbox"
        +apDomain: "kafeneio.social"
        +apPreferredUsername: "yianiris"
        +apDiscoverable: false
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1728125734 {#6716
          date: 2024-10-05 12:55:34.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1699848546 {#6718
          date: 2023-11-13 05:09:06.0 +01:00
        }
        +__isInitialized__: true
         …2
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4530}
      +root: App\Entity\EntryComment {#4530}
      +body: """
        The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
        \n
        There is no secure way to run any gecko/chrome based app if you don't trust google.\n
        \n
        @Genghis@monero.town @Pantherina@feddit.de
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 0
      +score: 0
      +lastActive: DateTime @1700849352 {#5206
        date: 2023-11-24 19:09:12.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@Genghis@monero.town"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5210 …}
      +nested: Doctrine\ORM\PersistentCollection {#5212 …}
      +votes: Doctrine\ORM\PersistentCollection {#5214 …}
      +reports: Doctrine\ORM\PersistentCollection {#5216 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
      -id: 272418
      -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849352 {#5207
        date: 2023-11-24 19:09:12.0 +01:00
      }
    }
  ]
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 28.58 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they dont do weird stuff that uses insecure methods. Sadly, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
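        So this means that your shell configs should only be writable by root (through sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case; keep in mind that ssh and gpg running as your own user then cannot read their keys and configs either.\n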
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
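        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Making a file root-owned does not protect its entry in your home directory: whoever can write to the containing directory can still rename or replace the file, so this hardening only stops edits in place.\n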
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make it work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        None of this matters if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#5984
  +comment: App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
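        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. Keep in mind that a Distrobox container shares your home directory with the host by default, so it keeps the host's package set clean but is not a sandbox for the app. You can display the images available by pressing tab after `-i`.\n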
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, e.g. Desktops using existing Compositors.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite and e**x**ecute; 5: read and execute; “-R”: recursively)\n
        \n
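        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file or directory can still be renamed and replaced by any process running as your user, as long as its parent directory (such as your home directory) is owned by you, so the ownership change alone does not prevent replacement.\n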
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to make it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure, especially the Pixel 8/pro with MTE (memory tagging), which immensely reduces remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): iPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko-based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but it is still bad on desktop Linux and Android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use NoScript, so I guess having random malicious JavaScript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I won’t use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I won’t give Google any data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.21 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#6031
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.20 ms
Input props
[
  "date" => DateTimeImmutable @1700857499 {#5192
    date: 2023-11-24 21:24:59.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#6086
  +date: DateTimeImmutable @1700857499 {#5192
    date: 2023-11-24 21:24:59.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.14 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700857499 {#5192
    date: 2023-11-24 21:24:59.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#6140
  +createdAt: DateTimeImmutable @1700857499 {#5192
    date: 2023-11-24 21:24:59.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.27 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#6194
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.66 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security-related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don't get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (ssh and gpg running as your own user then cannot read their keys).\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
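        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file or folder that sits inside a directory you still own can be renamed or deleted and replaced by any process running as you, so this only helps where the containing directory is protected too.\n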
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#6271
  +subject: App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case (your own user then needs sudo to use the keys stored there).\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
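        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file inside a directory your user can still write to can be renamed or replaced by that user, so changing the owner of single files like ~/.bashrc only helps if the containing directory is protected too.\n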
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 18.28 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
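        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your user still owns the home directory itself, so a process running as you can rename or delete a root-owned file such as ~/.bashrc and put a new one in its place; making the file root-owned only stops in-place edits. Also note that once ~/.ssh and ~/.gnupg belong to root with mode 700, your own user can no longer read them.\n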
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#6328
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
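        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that your user still owns the home directory itself, so a root-owned file or folder inside it can be renamed and replaced by anything running as you; and if ~/.ssh or ~/.gnupg can only be read by root, ssh and gpg run as your normal user cannot use them anymore.\n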
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 0.50 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
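        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, as long as the home directory itself stays writable by your user, a process running as that user can still rename or replace a root-owned file inside it, so the ownership change alone does not make these files tamper-proof.\n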
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        None of this matters if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#6568
  +comment: App\Entity\EntryComment {#5193
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
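        So this means that your shell configs should only be writable by root (through sudo); everyone else, including your own user, can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case (with the commands below, `ssh` and `gpg` running as your normal user can no longer read their own keys and config).\n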
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
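        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that a root-owned file can still be renamed or replaced by anything running as your user while the directory containing it (here your home directory) stays writable by that user.\n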
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        It is also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The thing is I use Noscript so I guess having random malicious Javascript executed is pretty rare. And Firefox + Arkenfox is so much more private than damn Chromium, even though I keep a Flatpak of Chromium around.\n
      \n
      I understand that the hardened Fedora Ublue version from qoijjj isn’t that far off, maybe removing flatpaks is a bit weird and makes little sense.\n
      \n
      I am pretty sure I wont use Chromium, as Firefox is just working better for me? Everything makes sense, and for sure I wont give Google any Data.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700857499 {#5191
      date: 2023-11-24 21:24:59.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5194 …}
    +nested: Doctrine\ORM\PersistentCollection {#5196 …}
    +votes: Doctrine\ORM\PersistentCollection {#5198 …}
    +reports: Doctrine\ORM\PersistentCollection {#5200 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5202 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5204 …}
    -id: 159826
    -bodyTs: "'arkenfox':20 'around':37 'better':77 'bit':58 'chromium':28,36,71 'damn':27 'data':91 'even':29 'everyth':80 'execut':14 'far':51 'fedora':43 'firefox':19,73 'flatpak':34,55 'give':88 'googl':89 'guess':9 'harden':42 'isn':48 'javascript':13 'keep':32 'littl':62 'make':61,81 'malici':12 'mayb':53 'much':23 'noscript':6 'pretti':16,66 'privat':25 'qoijjj':47 'random':11 'rare':17 'remov':54 'sens':63,82 'sure':67,85 'thing':2 'though':30 'ublu':44 'understand':39 'use':5,70 'version':45 'weird':59 'wont':69,87 'work':76"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116840"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700857499 {#5192
      date: 2023-11-24 21:24:59.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 24.16 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
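        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two things to check before applying it: root ownership of a file alone does not prevent it from being replaced, because deleting or renaming a file is governed by write permission on the containing directory, and your home directory and ~/.config still belong to your user; and with ~/.ssh and ~/.gnupg owned by root at 700, ssh and gpg running as your normal user can no longer read your keys or config.\n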
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#6634
  +comment: App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that relies on insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
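        So this means that your shell configs should be writable only by root (via sudo), while all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case. Keep in mind that once these two directories are owned by root with mode 700, ssh and gpg running as your normal user can no longer read the keys and configuration stored in them.\n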
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
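        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; 0: no access; “-R”: recursively. The three digits apply to the owner, the group and everyone else, in that order.)\n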
        \n
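        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory and ~/.config stay writable by your own user, so root ownership of the individual files does not prevent them from being renamed and replaced by a process running as you.\n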
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a vew people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko-based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up, though it is still bad on desktop Linux and Android.\n
        \n
        None of this matters if you’re running an EoL (end-of-life) device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is that you trust corporations such as IBM, Google, and MS, and consider only security threats from minor individual actors.\n
      \n
      There is no secure way to run any Gecko/Chrome-based app if you don't trust Google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 13.08 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#5209
    +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
    +cover: null
    +email: "yianiris@kafeneio.social"
    +username: "@yianiris@kafeneio.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Politics of equality\n
      \n
      Block neo-nazi blue-yellow flag covers\n
      \n
      Vanguard revolutionaries are closet authoritarians capitalist reformers\n
      \n
      linux with runit or s6 and no-systemd minimalism\n
      \n
      I fix old machines, from PCs to flat heads and pushrods\n
      \n
      EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
      """
    +lastActive: DateTime @1729512950 {#6719
      date: 2024-10-21 14:15:50.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
    +entries: Doctrine\ORM\PersistentCollection {#6732 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
    +posts: Doctrine\ORM\PersistentCollection {#6740 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
    +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
    +follows: Doctrine\ORM\PersistentCollection {#6752 …}
    +followers: Doctrine\ORM\PersistentCollection {#6754 …}
    +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
    +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
    +reports: Doctrine\ORM\PersistentCollection {#6764 …}
    +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
    +violations: Doctrine\ORM\PersistentCollection {#6768 …}
    +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
    +awards: Doctrine\ORM\PersistentCollection {#6772 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
    +categories: Doctrine\ORM\PersistentCollection {#6776 …}
    -id: 74812
    -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
    +apId: "yianiris@kafeneio.social"
    +apProfileId: "https://kafeneio.social/users/yianiris"
    +apPublicUrl: "https://kafeneio.social/@yianiris"
    +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
    +apInboxUrl: "https://kafeneio.social/inbox"
    +apDomain: "kafeneio.social"
    +apPreferredUsername: "yianiris"
    +apDiscoverable: false
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1728125734 {#6716
      date: 2024-10-05 12:55:34.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1699848546 {#6718
      date: 2023-11-13 05:09:06.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#6679
  +user: Proxies\__CG__\App\Entity\User {#5209
    +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
    +cover: null
    +email: "yianiris@kafeneio.social"
    +username: "@yianiris@kafeneio.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Politics of equality\n
      \n
      Block neo-nazi blue-yellow flag covers\n
      \n
      Vanguard revolutionaries are closet authoritarians capitalist reformers\n
      \n
      linux with runit or s6 and no-systemd minimalism\n
      \n
      I fix old machines, from PCs to flat heads and pushrods\n
      \n
      EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
      """
    +lastActive: DateTime @1729512950 {#6719
      date: 2024-10-21 14:15:50.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
    +entries: Doctrine\ORM\PersistentCollection {#6732 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
    +posts: Doctrine\ORM\PersistentCollection {#6740 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
    +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
    +follows: Doctrine\ORM\PersistentCollection {#6752 …}
    +followers: Doctrine\ORM\PersistentCollection {#6754 …}
    +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
    +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
    +reports: Doctrine\ORM\PersistentCollection {#6764 …}
    +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
    +violations: Doctrine\ORM\PersistentCollection {#6768 …}
    +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
    +awards: Doctrine\ORM\PersistentCollection {#6772 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
    +categories: Doctrine\ORM\PersistentCollection {#6776 …}
    -id: 74812
    -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
    +apId: "yianiris@kafeneio.social"
    +apProfileId: "https://kafeneio.social/users/yianiris"
    +apPublicUrl: "https://kafeneio.social/@yianiris"
    +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
    +apInboxUrl: "https://kafeneio.social/inbox"
    +apDomain: "kafeneio.social"
    +apPreferredUsername: "yianiris"
    +apDiscoverable: false
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1728125734 {#6716
      date: 2024-10-05 12:55:34.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1699848546 {#6718
      date: 2023-11-13 05:09:06.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.16 ms
Input props
[
  "date" => DateTimeImmutable @1700849352 {#5207
    date: 2023-11-24 19:09:12.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#6798
  +date: DateTimeImmutable @1700849352 {#5207
    date: 2023-11-24 19:09:12.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.10 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700849352 {#5207
    date: 2023-11-24 19:09:12.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#6852
  +createdAt: DateTimeImmutable @1700849352 {#5207
    date: 2023-11-24 19:09:12.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 2.02 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#5209
    +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
    +cover: null
    +email: "yianiris@kafeneio.social"
    +username: "@yianiris@kafeneio.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Politics of equality\n
      \n
      Block neo-nazi blue-yellow flag covers\n
      \n
      Vanguard revolutionaries are closet authoritarians capitalist reformers\n
      \n
      linux with runit or s6 and no-systemd minimalism\n
      \n
      I fix old machines, from PCs to flat heads and pushrods\n
      \n
      EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
      """
    +lastActive: DateTime @1729512950 {#6719
      date: 2024-10-21 14:15:50.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
    +entries: Doctrine\ORM\PersistentCollection {#6732 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
    +posts: Doctrine\ORM\PersistentCollection {#6740 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
    +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
    +follows: Doctrine\ORM\PersistentCollection {#6752 …}
    +followers: Doctrine\ORM\PersistentCollection {#6754 …}
    +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
    +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
    +reports: Doctrine\ORM\PersistentCollection {#6764 …}
    +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
    +violations: Doctrine\ORM\PersistentCollection {#6768 …}
    +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
    +awards: Doctrine\ORM\PersistentCollection {#6772 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
    +categories: Doctrine\ORM\PersistentCollection {#6776 …}
    -id: 74812
    -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
    +apId: "yianiris@kafeneio.social"
    +apProfileId: "https://kafeneio.social/users/yianiris"
    +apPublicUrl: "https://kafeneio.social/@yianiris"
    +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
    +apInboxUrl: "https://kafeneio.social/inbox"
    +apDomain: "kafeneio.social"
    +apPreferredUsername: "yianiris"
    +apDiscoverable: false
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1728125734 {#6716
      date: 2024-10-05 12:55:34.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1699848546 {#6718
      date: 2023-11-13 05:09:06.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#6906
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#5209
    +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
    +cover: null
    +email: "yianiris@kafeneio.social"
    +username: "@yianiris@kafeneio.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Politics of equality\n
      \n
      Block neo-nazi blue-yellow flag covers\n
      \n
      Vanguard revolutionaries are closet authoritarians capitalist reformers\n
      \n
      linux with runit or s6 and no-systemd minimalism\n
      \n
      I fix old machines, from PCs to flat heads and pushrods\n
      \n
      EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
      """
    +lastActive: DateTime @1729512950 {#6719
      date: 2024-10-21 14:15:50.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
    +entries: Doctrine\ORM\PersistentCollection {#6732 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
    +posts: Doctrine\ORM\PersistentCollection {#6740 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
    +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
    +follows: Doctrine\ORM\PersistentCollection {#6752 …}
    +followers: Doctrine\ORM\PersistentCollection {#6754 …}
    +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
    +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
    +reports: Doctrine\ORM\PersistentCollection {#6764 …}
    +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
    +violations: Doctrine\ORM\PersistentCollection {#6768 …}
    +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
    +awards: Doctrine\ORM\PersistentCollection {#6772 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
    +categories: Doctrine\ORM\PersistentCollection {#6776 …}
    -id: 74812
    -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
    +apId: "yianiris@kafeneio.social"
    +apProfileId: "https://kafeneio.social/users/yianiris"
    +apPublicUrl: "https://kafeneio.social/@yianiris"
    +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
    +apInboxUrl: "https://kafeneio.social/inbox"
    +apDomain: "kafeneio.social"
    +apPreferredUsername: "yianiris"
    +apDiscoverable: false
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1728125734 {#6716
      date: 2024-10-05 12:55:34.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1699848546 {#6718
      date: 2023-11-13 05:09:06.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.45 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
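        So this means that your shell configs should only be writable by root (via sudo); all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (with root ownership and mode 700, tools running as your own user, such as ssh and gpg, can no longer read their keys there).\n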
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (The three digits apply to owner, group and others. 7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; 0: no access; “-R”: recursively)\n
        \n
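        This may still be incomplete, and the protection is pretty weak as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file that sits directly in a directory your user can still write to (such as your home directory) can be renamed or deleted and replaced by any process running as you, so changing the owner of the file alone does not fully prevent the alias problem described above.\n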
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated by default to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#7000
  +subject: App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined and that Desktops use existing Compositors, etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root depending on your use case (your own ssh and gpg commands then cannot read their keys without sudo).\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
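        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A program running as your user can still rename or delete a root-owned file and put its own in its place, because that only requires write access to the directory containing it, such as your home directory.\n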
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 1.00 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distro’s repos, try Distrobox: create a container from any image and install it there. You can display the available images by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It’s best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that uses insecure methods. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (using sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
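        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, root ownership of a file does not protect it while the directory that contains it (your home directory) is still writable by your user, because the file can then be renamed or replaced without write access to the file itself. Also check that SSH and GnuPG still work after the change: with `~/.ssh` and `~/.gnupg` owned by root and mode 700, programs running as your own user can no longer read the keys.\n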
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don’t know which is better, but I feel secure on Fedora with SELinux in enforcing mode. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        None of this matters if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#7057
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It is often paired with an antivirus that is also outsourced, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
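        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root depending on your use case. Keep in mind that with mode 700 and root ownership, as in the commands below, ssh and gpg running as your own user can no longer read these directories either.\n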
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access; the three digits apply to owner, group and others; “-R”: recursively)\n
        \n
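        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root ownership of a single file is also not enough on its own: the home directory that contains it is still writable by your user, so the entry can be replaced without ever writing to the root-owned file.\n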
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even if they may not have an agreement with Microsoft to work out of the box; those generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 0.32 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they dont do weird stuff that relies on insecure methods. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
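        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself stays writable by your user, so a root-owned file or folder inside it can still be renamed out of the way and replaced by anything running as you; root ownership alone only stops in-place edits. Marking a single file immutable with `sudo chattr +i` (on filesystems that support it) also blocks renaming and deleting it, which covers that one file but not the other startup files a shell reads. Also note that a root-owned `~/.ssh` or `~/.gnupg` with mode 700 cannot be read by your own user anymore, so ssh and gpg will not find your keys unless you run them as root.\n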
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        This all doesn’t matter if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#7297
  +comment: App\Entity\EntryComment {#5208
    +user: Proxies\__CG__\App\Entity\User {#5209
      +avatar: Proxies\__CG__\App\Entity\Image {#6724 …}
      +cover: null
      +email: "yianiris@kafeneio.social"
      +username: "@yianiris@kafeneio.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Politics of equality\n
        \n
        Block neo-nazi blue-yellow flag covers\n
        \n
        Vanguard revolutionaries are closet authoritarians capitalist reformers\n
        \n
        linux with runit or s6 and no-systemd minimalism\n
        \n
        I fix old machines, from PCs to flat heads and pushrods\n
        \n
        EVs are the number 1 threat to the environment, unrecyclable toxic waste with a 5y life expectancy
        """
      +lastActive: DateTime @1729512950 {#6719
        date: 2024-10-21 14:15:50.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#6726 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#6728 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#6730 …}
      +entries: Doctrine\ORM\PersistentCollection {#6732 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#6734 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#6736 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#6738 …}
      +posts: Doctrine\ORM\PersistentCollection {#6740 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#6742 …}
      +postComments: Doctrine\ORM\PersistentCollection {#6744 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#6746 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#6748 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#6750 …}
      +follows: Doctrine\ORM\PersistentCollection {#6752 …}
      +followers: Doctrine\ORM\PersistentCollection {#6754 …}
      +blocks: Doctrine\ORM\PersistentCollection {#6756 …}
      +blockers: Doctrine\ORM\PersistentCollection {#6758 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#6760 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#6762 …}
      +reports: Doctrine\ORM\PersistentCollection {#6764 …}
      +favourites: Doctrine\ORM\PersistentCollection {#6766 …}
      +violations: Doctrine\ORM\PersistentCollection {#6768 …}
      +notifications: Doctrine\ORM\PersistentCollection {#6770 …}
      +awards: Doctrine\ORM\PersistentCollection {#6772 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#6774 …}
      +categories: Doctrine\ORM\PersistentCollection {#6776 …}
      -id: 74812
      -password: "$2y$13$XUje9IlHUSsxILC1KAVweObRnMOYr1sN2yij571OzJ1fzXHzcZO8S"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#6778 …}
      +apId: "yianiris@kafeneio.social"
      +apProfileId: "https://kafeneio.social/users/yianiris"
      +apPublicUrl: "https://kafeneio.social/@yianiris"
      +apFollowersUrl: "https://kafeneio.social/users/yianiris/followers"
      +apInboxUrl: "https://kafeneio.social/inbox"
      +apDomain: "kafeneio.social"
      +apPreferredUsername: "yianiris"
      +apDiscoverable: false
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1728125734 {#6716
        date: 2024-10-05 12:55:34.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1699848546 {#6718
        date: 2023-11-13 05:09:06.0 +01:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
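        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Your home directory itself stays writable by your user, so a process running as you can still rename a root-owned file or directory and put its own in its place.\n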
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4530
      +user: App\Entity\User {#4478
        +avatar: null
        +cover: null
        +email: "Genghis@monero.town"
        +username: "@Genghis@monero.town"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1727755770 {#4535
          date: 2024-10-01 06:09:30.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4479 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4481 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4474 …}
        +entries: Doctrine\ORM\PersistentCollection {#4472 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4469 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4467 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4465 …}
        +posts: Doctrine\ORM\PersistentCollection {#4462 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4460 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4458 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4455 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4453 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4451 …}
        +follows: Doctrine\ORM\PersistentCollection {#4593 …}
        +followers: Doctrine\ORM\PersistentCollection {#4586 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4576 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4565 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4538 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4596 …}
        +reports: Doctrine\ORM\PersistentCollection {#4592 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4590 …}
        +violations: Doctrine\ORM\PersistentCollection {#4589 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4588 …}
        +awards: Doctrine\ORM\PersistentCollection {#4578 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4581 …}
        +categories: Doctrine\ORM\PersistentCollection {#4579 …}
        -id: 55848
        -password: "$2y$13$HqEXs2j4jmUOXvZ9PkmOt.KAkoUY7/BJtEFYNnj.P0w2J3be9h.AK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4577 …}
        +apId: "Genghis@monero.town"
        +apProfileId: "https://monero.town/u/Genghis"
        +apPublicUrl: "https://monero.town/u/Genghis"
        +apFollowersUrl: null
        +apInboxUrl: "https://monero.town/inbox"
        +apDomain: "monero.town"
        +apPreferredUsername: "Genghis"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1705356415 {#4533
          date: 2024-01-15 23:06:55.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1697022720 {#4532
          date: 2023-10-11 13:12:00.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        The desktop security model is insecure in general. Phone OSes are much more secure.\n
        \n
        Reasonable desktop OS to use is Qubes, Fedora, MacOS, ChromeOS, or Windows pro/enterprise (hardened)\n
        \n
        Phones are much more secure especially the Pixel 8/pro with MTE immensely reducing remote exploitation. GrapheneOS is the only distro that enables MTE by default and recently implemented it in their Vanadium browser.\n
        \n
        Secure phones (secure elements are important): IPhones and Pixels (GrapheneOS or stock)\n
        \n
        Also yes, Chromium is much more secure on Linux than Gecko based browsers because of its great internal sandboxing and site isolation. Firefox on Windows is catching up though, but still bad on desktop Linux and android.\n
        \n
        None of this matters if you’re running an EoL device. Make sure you’re receiving official security and firmware updates.\n
        \n
        that’s about it
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1710702956 {#4540
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4528 …}
      +nested: Doctrine\ORM\PersistentCollection {#4526 …}
      +votes: Doctrine\ORM\PersistentCollection {#4524 …}
      +reports: Doctrine\ORM\PersistentCollection {#4522 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4490 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4494 …}
      -id: 159318
      -bodyTs: "'8/pro':37 'also':74 'android':110 'bad':105 'base':85 'browser':61,86 'catch':100 'chromeo':24 'chromium':76 'default':53 'desktop':2,16,107 'devic':122 'distro':48 'doesn':113 'element':65 'enabl':50 'eol':121 'especi':34 'exploit':43 'fedora':22 'firefox':96 'firmwar':130 'gecko':84 'general':8 'grapheneo':44,71 'great':90 'harden':28 'immens':40 'implement':56 'import':67 'insecur':6 'intern':91 'iphon':68 'isol':95 'linux':82,108 'maco':23 'make':123 'matter':115 'model':4 'mte':39,51 'much':12,31,78 'offici':127 'os':17 'ose':10 'phone':9,29,63 'pixel':36,70 'pro/enterprise':27 'qube':21 're':118 'reason':15 'receiv':126 'recent':55 'reduc':41 'remot':42 'run':119 'sandbox':92 'secur':3,14,33,62,64,80,128 'site':94 'still':104 'stock':73 'sure':124 'though':102 'updat':131 'use':19 'vanadium':60 'window':26,98 'yes':75"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://monero.town/comment/2578411"
      +editedAt: DateTimeImmutable @1701383000 {#4476
        date: 2023-11-30 23:23:20.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700848562 {#4539
        date: 2023-11-24 18:56:02.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4530}
    +body: """
      The base assumption here is you trust corporations such as IBM, Google, MS, and only consider security threats from minor individual actors.\n
      \n
      There is no secure way to run any gecko/chrome based app if you don't trust google.\n
      \n
      @Genghis@monero.town @Pantherina@feddit.de
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700849352 {#5206
      date: 2023-11-24 19:09:12.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@Genghis@monero.town"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5210 …}
    +nested: Doctrine\ORM\PersistentCollection {#5212 …}
    +votes: Doctrine\ORM\PersistentCollection {#5214 …}
    +reports: Doctrine\ORM\PersistentCollection {#5216 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5218 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5220 …}
    -id: 272418
    -bodyTs: "'actor':22 'app':33 'assumpt':3 'base':2,32 'consid':16 'corpor':8 'gecko/chrome':31 'genghis@monero.town':40 'googl':12,39 'ibm':11 'individu':21 'minor':20 'ms':13 'pantherina@feddit.de':41 'run':29 'secur':17,26 'threat':18 'trust':7,38 'way':27"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kafeneio.social/users/yianiris/statuses/111466863164902192"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849352 {#5207
      date: 2023-11-24 19:09:12.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 76.06 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
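        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that changing the owner of a file or folder does not stop a process running as your user from renaming it out of the way and creating a replacement, because your user still owns the enclosing directory.\n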
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates: you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggest security patches, and show a full list of which patches are available for your system and which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#7373
  +comment: App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It often comes bundled with outsourced antivirus, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        These should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that uses insecure methods. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which maybe should even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
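        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two limits to keep in mind: whether a file can be renamed or replaced is decided by the permissions of the directory that contains it, so a root-owned dotfile inside a home directory your user can write to is not fully protected; and a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user, so `ssh` and `gpg` run as that user cannot reach their keys and configuration.\n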
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        This is also important, to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft for it to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches and suggested security patches, and it will show a full list of what patches are available for your system and which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.14 ms
Input props
[
  "user" => App\Entity\User {#4550
    +avatar: null
    +cover: null
    +email: "BCsven@lemmy.ca"
    +username: "@BCsven@lemmy.ca"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1729574243 {#4570
      date: 2024-10-22 07:17:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
    +entries: Doctrine\ORM\PersistentCollection {#4543 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
    +posts: Doctrine\ORM\PersistentCollection {#4605 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
    +follows: Doctrine\ORM\PersistentCollection {#4617 …}
    +followers: Doctrine\ORM\PersistentCollection {#4619 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
    +reports: Doctrine\ORM\PersistentCollection {#4629 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
    +violations: Doctrine\ORM\PersistentCollection {#4633 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
    +awards: Doctrine\ORM\PersistentCollection {#4637 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
    +categories: Doctrine\ORM\PersistentCollection {#4641 …}
    -id: 33050
    -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
    +apId: "BCsven@lemmy.ca"
    +apProfileId: "https://lemmy.ca/u/BCsven"
    +apPublicUrl: "https://lemmy.ca/u/BCsven"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ca/inbox"
    +apDomain: "lemmy.ca"
    +apPreferredUsername: "BCsven"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1712694238 {#4563
      date: 2024-04-09 22:23:58.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1689996346 {#4568
      date: 2023-07-22 05:25:46.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#7418
  +user: App\Entity\User {#4550
    +avatar: null
    +cover: null
    +email: "BCsven@lemmy.ca"
    +username: "@BCsven@lemmy.ca"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1729574243 {#4570
      date: 2024-10-22 07:17:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
    +entries: Doctrine\ORM\PersistentCollection {#4543 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
    +posts: Doctrine\ORM\PersistentCollection {#4605 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
    +follows: Doctrine\ORM\PersistentCollection {#4617 …}
    +followers: Doctrine\ORM\PersistentCollection {#4619 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
    +reports: Doctrine\ORM\PersistentCollection {#4629 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
    +violations: Doctrine\ORM\PersistentCollection {#4633 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
    +awards: Doctrine\ORM\PersistentCollection {#4637 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
    +categories: Doctrine\ORM\PersistentCollection {#4641 …}
    -id: 33050
    -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
    +apId: "BCsven@lemmy.ca"
    +apProfileId: "https://lemmy.ca/u/BCsven"
    +apPublicUrl: "https://lemmy.ca/u/BCsven"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ca/inbox"
    +apDomain: "lemmy.ca"
    +apPreferredUsername: "BCsven"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1712694238 {#4563
      date: 2024-04-09 22:23:58.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1689996346 {#4568
      date: 2023-07-22 05:25:46.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.13 ms
Input props
[
  "date" => DateTimeImmutable @1700896173 {#4573
    date: 2023-11-25 08:09:33.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#7473
  +date: DateTimeImmutable @1700896173 {#4573
    date: 2023-11-25 08:09:33.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.13 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700896173 {#4573
    date: 2023-11-25 08:09:33.0 +01:00
  }
  "editedAt" => DateTimeImmutable @1701455382 {#4572
    date: 2023-12-01 19:29:42.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#7527
  +createdAt: DateTimeImmutable @1700896173 {#4573
    date: 2023-11-25 08:09:33.0 +01:00
  }
  +editedAt: DateTimeImmutable @1701455382 {#4572
    date: 2023-12-01 19:29:42.0 +01:00
  }
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.13 ms
Input props
[
  "user" => App\Entity\User {#4550
    +avatar: null
    +cover: null
    +email: "BCsven@lemmy.ca"
    +username: "@BCsven@lemmy.ca"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1729574243 {#4570
      date: 2024-10-22 07:17:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
    +entries: Doctrine\ORM\PersistentCollection {#4543 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
    +posts: Doctrine\ORM\PersistentCollection {#4605 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
    +follows: Doctrine\ORM\PersistentCollection {#4617 …}
    +followers: Doctrine\ORM\PersistentCollection {#4619 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
    +reports: Doctrine\ORM\PersistentCollection {#4629 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
    +violations: Doctrine\ORM\PersistentCollection {#4633 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
    +awards: Doctrine\ORM\PersistentCollection {#4637 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
    +categories: Doctrine\ORM\PersistentCollection {#4641 …}
    -id: 33050
    -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
    +apId: "BCsven@lemmy.ca"
    +apProfileId: "https://lemmy.ca/u/BCsven"
    +apPublicUrl: "https://lemmy.ca/u/BCsven"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ca/inbox"
    +apDomain: "lemmy.ca"
    +apPreferredUsername: "BCsven"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1712694238 {#4563
      date: 2024-04-09 22:23:58.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1689996346 {#4568
      date: 2023-07-22 05:25:46.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#7581
  +width: 40
  +height: 40
  +user: App\Entity\User {#4550
    +avatar: null
    +cover: null
    +email: "BCsven@lemmy.ca"
    +username: "@BCsven@lemmy.ca"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1729574243 {#4570
      date: 2024-10-22 07:17:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
    +entries: Doctrine\ORM\PersistentCollection {#4543 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
    +posts: Doctrine\ORM\PersistentCollection {#4605 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
    +follows: Doctrine\ORM\PersistentCollection {#4617 …}
    +followers: Doctrine\ORM\PersistentCollection {#4619 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
    +reports: Doctrine\ORM\PersistentCollection {#4629 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
    +violations: Doctrine\ORM\PersistentCollection {#4633 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
    +awards: Doctrine\ORM\PersistentCollection {#4637 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
    +categories: Doctrine\ORM\PersistentCollection {#4641 …}
    -id: 33050
    -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
    +apId: "BCsven@lemmy.ca"
    +apProfileId: "https://lemmy.ca/u/BCsven"
    +apPublicUrl: "https://lemmy.ca/u/BCsven"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ca/inbox"
    +apDomain: "lemmy.ca"
    +apPreferredUsername: "BCsven"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1712694238 {#4563
      date: 2024-04-09 22:23:58.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1689996346 {#4568
      date: 2023-07-22 05:25:46.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.39 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
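        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively) Note that with `700` and root as owner, your own user can no longer read `~/.ssh` or `~/.gnupg`, so `ssh` and `gpg` run without sudo cannot use the keys or config stored there.\n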
        \n
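        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that a root-owned file such as `~/.bashrc` still sits in a home directory your user can write to, so a process running as you can replace the file itself; the ownership change alone does not stop that.\n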
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS it has a guaranteed support cycle for patching security issues. Stable does not mean no updates, you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#7650
  +subject: App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (ssh and gpg run as your normal user then cannot read their keys without sudo).\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
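        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root ownership of a file also does not stop it from being replaced: your home directory itself stays writable by your user, so anything running as you can still rename or delete a root-owned `~/.bashrc` and put a new one in its place.\n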
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches, and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.95 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (that is, only with sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute; the three digits apply to owner, group and others, in that order; “-R”: recursively)\n
        \n
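        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing the owner of a file does not protect its name either: while your user still owns the home directory, a process running as you can rename a root-owned file or directory there and create its own under the old name, so treat these commands as a speed bump rather than a barrier.\n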
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches, and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#7707
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the weird stuff includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
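        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Permission to rename or replace a file comes from the directory that contains it, so a root-owned file inside a home directory you can still write to can be swapped out for another one.\n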
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 27.56 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursively)\n
        \n
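        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. For example, whether a file can be renamed or deleted depends on the permissions of the directory it sits in, so a root-owned ~/.bashrc inside a home directory you own can still be swapped for another file by anything running as your user.\n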
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches and suggested security patches, and will show a full list of what patches are available for your system and which ones are critical, recommended, not needed, etc., with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#7947
  +comment: App\Entity\EntryComment {#4566
    +user: App\Entity\User {#4550
      +avatar: null
      +cover: null
      +email: "BCsven@lemmy.ca"
      +username: "@BCsven@lemmy.ca"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1729574243 {#4570
        date: 2024-10-22 07:17:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
      +entries: Doctrine\ORM\PersistentCollection {#4543 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
      +posts: Doctrine\ORM\PersistentCollection {#4605 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
      +follows: Doctrine\ORM\PersistentCollection {#4617 …}
      +followers: Doctrine\ORM\PersistentCollection {#4619 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
      +reports: Doctrine\ORM\PersistentCollection {#4629 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
      +violations: Doctrine\ORM\PersistentCollection {#4633 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
      +awards: Doctrine\ORM\PersistentCollection {#4637 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
      +categories: Doctrine\ORM\PersistentCollection {#4641 …}
      -id: 33050
      -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
      +apId: "BCsven@lemmy.ca"
      +apProfileId: "https://lemmy.ca/u/BCsven"
      +apPublicUrl: "https://lemmy.ca/u/BCsven"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ca/inbox"
      +apDomain: "lemmy.ca"
      +apPreferredUsername: "BCsven"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1712694238 {#4563
        date: 2024-04-09 22:23:58.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1689996346 {#4568
        date: 2023-07-22 05:25:46.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that uses insecure methods. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
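        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, root ownership of a single file does not pin it in place while the directory that contains it (your home directory) is still writable by your user, because an entry in a writable directory can be renamed or replaced regardless of who owns the file.\n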
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Stable not being secure is not correct. if you take a Stable LTS OS it has a guaranteed support cycle for patching security issues. Stable does not mean no updates, you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities ( that are yet unknown ) Also if you worry about CVE stuff try SUSE or OpenSUSE’s zypper it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc with CVE numbers."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701484087 {#4574
      date: 2023-12-02 03:28:07.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4567 …}
    +nested: Doctrine\ORM\PersistentCollection {#4558 …}
    +votes: Doctrine\ORM\PersistentCollection {#4561 …}
    +reports: Doctrine\ORM\PersistentCollection {#4556 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
    -id: 161518
    -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ca/comment/5161035"
    +editedAt: DateTimeImmutable @1701455382 {#4572
      date: 2023-12-01 19:29:42.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700896173 {#4573
      date: 2023-11-25 08:09:33.0 +01:00
    }
  }
  +nestedComments: [
    162221 => App\Entity\EntryComment {#5239
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4566}
      +root: App\Entity\EntryComment {#4566}
      +body: "Good point about “no new security issues”. But new issues are mostly zero-days, so that is much less likely than old bugs that didn’t get a CVE. But I don’t know the details of which bugs Debian always backports; I just assume it’s not all of them."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 0
      +score: 0
      +lastActive: DateTime @1700915617 {#5237
        date: 2023-11-25 13:33:37.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@BCsven@lemmy.ca"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5240 …}
      +nested: Doctrine\ORM\PersistentCollection {#5242 …}
      +votes: Doctrine\ORM\PersistentCollection {#5244 …}
      +reports: Doctrine\ORM\PersistentCollection {#5246 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
      -id: 162221
      -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://feddit.de/comment/5136075"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700915617 {#5238
        date: 2023-11-25 13:33:37.0 +01:00
      }
    }
  ]
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 22.29 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo), while all others can only read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
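        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that root ownership of a file does not stop it from being renamed or replaced while the directory containing it (here your home directory) is still writable by your user, and that root-only permissions (mode 700, owner root) on ~/.ssh and ~/.gnupg also stop your own user from reading the keys stored there.\n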
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or openSUSE’s zypper: it has various command parameters to search and list patches and suggested security patches, and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero days, so this is much less likely than old bugs that didn't get a CVE. But I don't know the details of which bugs Debian always backports; I just assume it's not all of them."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#3105
  +comment: App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case (note that your own user can then no longer read its keys without sudo).\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
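        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Also keep in mind that a root-owned file inside a home directory your user still owns can be renamed or deleted and replaced by anything running as your user, so the ownership changes above only help if the parent directory is protected too.\n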
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero days so this is very less likely that old bugs that didnt get a CVE. But I dont know the details, what bugs Debian backports always, I just assume its not all."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.19 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#3111
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.19 ms
Input props
[
  "date" => DateTimeImmutable @1700915617 {#5238
    date: 2023-11-25 13:33:37.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#3118
  +date: DateTimeImmutable @1700915617 {#5238
    date: 2023-11-25 13:33:37.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700915617 {#5238
    date: 2023-11-25 13:33:37.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#3469
  +createdAt: DateTimeImmutable @1700915617 {#5238
    date: 2023-11-25 13:33:37.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.13 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#3135
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.75 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, that weird stuff includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
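        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively. With 700 and root as owner, programs running as your own user, including ssh and gpg, can no longer read those directories.)\n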
        \n
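        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that your home directory itself stays writable by your user, so a program running as you can still rename a root-owned file or directory in it and create its own in the same place; changing ownership alone does not close this hole.\n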
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches, and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero days so this is very less likely that old bugs that didnt get a CVE. But I dont know the details, what bugs Debian backports always, I just assume its not all."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#3376
  +subject: App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff using insecure methods work on Wayland. Sadly, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; the three digits apply to owner, group and others, in that order; “-R”: recursively)\n
        \n
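        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that root ownership of a file does not protect it against being renamed or replaced by whoever can write to the directory that contains it, and your home directory stays writable by your user.\n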
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box and instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. if you take a Stable LTS OS it has a guaranteed support cycle for patching security issues. Stable does not mean no updates, you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities ( that are yet unknown ) Also if you worry about CVE stuff try SUSE or OpenSUSE’s zypper it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues are mostly zero days, so this is much less likely than old bugs that didn't get a CVE. But I don't know the details of which bugs Debian always backports; I just assume it's not all of them."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.68 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
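        So this means that your shell configs should be writable only by root (via sudo), while everyone else can only read them! The same goes for ~/.gnupg and ~/.ssh, which could even be readable only by root, depending on your use case. Note that with root ownership and mode 700, as in the commands below, ssh and gpg running as your normal user can no longer read the keys stored there.\n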
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; the three digits apply to owner, group and others, in that order; “-R”: recursively)\n
        \n
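        This may still be incomplete, and the protection is pretty flawed as long as random software can write to the directories that contain these files at all: a process running as your user can still rename or delete a root-owned file inside a directory your user owns and put its own file in its place. It also stays flawed as long as everything important is stored there.\n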
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. if you take a Stable LTS OS it has a guaranteed support cycle for patching security issues. Stable does not mean no updates, you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities ( that are yet unknown ) Also if you worry about CVE stuff try SUSE or OpenSUSE’s zypper it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero days, so this is much less likely than old bugs that didn't get a CVE. But I don't know the details of which bugs Debian always backports; I just assume it's not all."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#3331
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
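        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Your home directory itself still belongs to your user, so a process running as you can rename a root-owned file or directory in it and create its own in the same place.\n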
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates: you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches and suggested security patches, and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues are mostly also zero-days, so this is much less likely than old bugs that didn't get a CVE. But I don't know the details of which bugs Debian always backports; I just assume it's not all of them."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 6.96 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively)\n
        \n
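        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file is not protected while the directory that contains it is still writable by your user, because entries in a writable directory can be renamed or replaced regardless of who owns the file.\n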
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel version bump on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, including suggested security patches, and will show a full list of what patches are available for your system and which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero days, so this is much less likely than old bugs that didn't get a CVE. But I don't know the details of which bugs Debian always backports; I just assume it's not all."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#2928
  +comment: App\Entity\EntryComment {#5239
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some effords combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which maybe should even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
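        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Also keep in mind that a root-owned file inside a directory you can still write to (like your home) can be renamed or deleted and replaced by anything running as your user, and that a root-owned `~/.ssh` or `~/.gnupg` with mode 700 cannot be read by your own user anymore, so ssh and gpg will stop working for you.\n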
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4566
      +user: App\Entity\User {#4550
        +avatar: null
        +cover: null
        +email: "BCsven@lemmy.ca"
        +username: "@BCsven@lemmy.ca"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1729574243 {#4570
          date: 2024-10-22 07:17:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4549 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4547 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4545 …}
        +entries: Doctrine\ORM\PersistentCollection {#4543 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4541 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4600 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4603 …}
        +posts: Doctrine\ORM\PersistentCollection {#4605 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4607 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4609 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4611 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4613 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4615 …}
        +follows: Doctrine\ORM\PersistentCollection {#4617 …}
        +followers: Doctrine\ORM\PersistentCollection {#4619 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4621 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4623 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4625 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4627 …}
        +reports: Doctrine\ORM\PersistentCollection {#4629 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4631 …}
        +violations: Doctrine\ORM\PersistentCollection {#4633 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4635 …}
        +awards: Doctrine\ORM\PersistentCollection {#4637 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4639 …}
        +categories: Doctrine\ORM\PersistentCollection {#4641 …}
        -id: 33050
        -password: "$2y$13$ex.HANJWSG7JpCOOyTwxZ.0qMRBbQ7Rz5W6ynR.pdjamLkGGWcJ9i"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4643 …}
        +apId: "BCsven@lemmy.ca"
        +apProfileId: "https://lemmy.ca/u/BCsven"
        +apPublicUrl: "https://lemmy.ca/u/BCsven"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.ca/inbox"
        +apDomain: "lemmy.ca"
        +apPreferredUsername: "BCsven"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1712694238 {#4563
          date: 2024-04-09 22:23:58.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1689996346 {#4568
          date: 2023-07-22 05:25:46.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "Stable not being secure is not correct. If you take a Stable LTS OS, it has a guaranteed support cycle for patching security issues. Stable does not mean no updates; you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up-revision on a rolling release fixing a major flaw, you also have to realize that new software means new bugs and new vulnerabilities (that are as yet unknown). Also, if you worry about CVE stuff, try SUSE or OpenSUSE’s zypper: it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc., with CVE numbers."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701484087 {#4574
        date: 2023-12-02 03:28:07.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4567 …}
      +nested: Doctrine\ORM\PersistentCollection {#4558 …}
      +votes: Doctrine\ORM\PersistentCollection {#4561 …}
      +reports: Doctrine\ORM\PersistentCollection {#4556 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4554 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4552 …}
      -id: 161518
      -bodyTs: "'also':64,80 'avail':116 'bug':39,72 'case':50 'command':96 'correct':7 'critic':123 'cve':85,129 'cycl':20 'daily/weekly':35 'enhanc':42 'etc':127 'fix':40,47,59 'flaw':62 'full':110 'get':34 'guarante':18 'issu':24 'kernel':46,53 'list':101,111 'lts':13 'major':61 'mean':28,70 'need':126 'new':68,71,74 'number':130 'one':121 'opensus':90 'os':14 'packag':36 'paramet':97 'patch':22,102,105,114 'realiz':67 'recommend':124 'releas':58 'revis':55 'roll':57 'search':99 'secur':4,23,104 'show':108 'softwar':69 'stabl':1,12,25 'still':33 'stuff':86 'suggest':103 'support':19 'suse':88 'system':119 'take':10 'tri':87 'unknown':79 'updat':30,37 'various':95 'vulner':75 'well':44 'worri':83 'yet':78 'zypper':92"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.ca/comment/5161035"
      +editedAt: DateTimeImmutable @1701455382 {#4572
        date: 2023-12-01 19:29:42.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700896173 {#4573
        date: 2023-11-25 08:09:33.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4566}
    +body: "Good point about “no new security issues”. But new issues mostly also mean zero-days, so this is much less likely than old bugs that didn’t get a CVE. But I don’t know the details of which bugs Debian always backports; I just assume it’s not all of them."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700915617 {#5237
      date: 2023-11-25 13:33:37.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@BCsven@lemmy.ca"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5240 …}
    +nested: Doctrine\ORM\PersistentCollection {#5242 …}
    +votes: Doctrine\ORM\PersistentCollection {#5244 …}
    +reports: Doctrine\ORM\PersistentCollection {#5246 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5248 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5250 …}
    -id: 162221
    -bodyTs: "'also':12 'alway':40 'assum':43 'backport':39 'bug':24,37 'cve':29 'day':15 'debian':38 'detail':35 'didnt':26 'dont':32 'get':27 'good':1 'issu':7,10 'know':33 'less':20 'like':21 'mean':13 'most':11 'new':5,9 'old':23 'point':2 'secur':6 'zero':14"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5136075"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700915617 {#5238
      date: 2023-11-25 13:33:37.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 113.75 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It’s best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that don’t do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
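        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing ownership also does not stop a process running as your user from renaming or replacing these files, because the home directory that contains them is still writable by you.\n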
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#7684
  +comment: App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
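        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file inside a directory that your user can still write to can be renamed or deleted and replaced by any process running as you, so changing the owner of the file alone does not protect it.\n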
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility”, these are older Laptops, decommissioned Company devices, older Thinkpads… and they all probably don't get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
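      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`. Even then, as long as you own the directory that contains the file (your home directory), you can still rename or delete it and create a replacement without sudo, so root ownership of the file alone does not prevent tampering.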
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.16 ms
Input props
[
  "user" => App\Entity\User {#4663
    +avatar: null
    +cover: null
    +email: "duncesplayed@lemmy.one"
    +username: "@duncesplayed@lemmy.one"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1726532952 {#4647
      date: 2024-09-17 02:29:12.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
    +entries: Doctrine\ORM\PersistentCollection {#4670 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
    +posts: Doctrine\ORM\PersistentCollection {#4678 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
    +follows: Doctrine\ORM\PersistentCollection {#4690 …}
    +followers: Doctrine\ORM\PersistentCollection {#4692 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
    +reports: Doctrine\ORM\PersistentCollection {#4702 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
    +violations: Doctrine\ORM\PersistentCollection {#4706 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
    +awards: Doctrine\ORM\PersistentCollection {#4710 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
    +categories: Doctrine\ORM\PersistentCollection {#4714 …}
    -id: 8433
    -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
    +apId: "duncesplayed@lemmy.one"
    +apProfileId: "https://lemmy.one/u/duncesplayed"
    +apPublicUrl: "https://lemmy.one/u/duncesplayed"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.one/inbox"
    +apDomain: "lemmy.one"
    +apPreferredUsername: "duncesplayed"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1726064732 {#4648
      date: 2024-09-11 16:25:32.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687499225 {#4649
      date: 2023-06-23 07:47:05.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#8018
  +user: App\Entity\User {#4663
    +avatar: null
    +cover: null
    +email: "duncesplayed@lemmy.one"
    +username: "@duncesplayed@lemmy.one"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1726532952 {#4647
      date: 2024-09-17 02:29:12.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
    +entries: Doctrine\ORM\PersistentCollection {#4670 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
    +posts: Doctrine\ORM\PersistentCollection {#4678 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
    +follows: Doctrine\ORM\PersistentCollection {#4690 …}
    +followers: Doctrine\ORM\PersistentCollection {#4692 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
    +reports: Doctrine\ORM\PersistentCollection {#4702 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
    +violations: Doctrine\ORM\PersistentCollection {#4706 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
    +awards: Doctrine\ORM\PersistentCollection {#4710 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
    +categories: Doctrine\ORM\PersistentCollection {#4714 …}
    -id: 8433
    -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
    +apId: "duncesplayed@lemmy.one"
    +apProfileId: "https://lemmy.one/u/duncesplayed"
    +apPublicUrl: "https://lemmy.one/u/duncesplayed"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.one/inbox"
    +apDomain: "lemmy.one"
    +apPreferredUsername: "duncesplayed"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1726064732 {#4648
      date: 2024-09-11 16:25:32.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687499225 {#4649
      date: 2023-06-23 07:47:05.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.13 ms
Input props
[
  "date" => DateTimeImmutable @1700898730 {#4646
    date: 2023-11-25 08:52:10.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#8073
  +date: DateTimeImmutable @1700898730 {#4646
    date: 2023-11-25 08:52:10.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700898730 {#4646
    date: 2023-11-25 08:52:10.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#8127
  +createdAt: DateTimeImmutable @1700898730 {#4646
    date: 2023-11-25 08:52:10.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.13 ms
Input props
[
  "user" => App\Entity\User {#4663
    +avatar: null
    +cover: null
    +email: "duncesplayed@lemmy.one"
    +username: "@duncesplayed@lemmy.one"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1726532952 {#4647
      date: 2024-09-17 02:29:12.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
    +entries: Doctrine\ORM\PersistentCollection {#4670 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
    +posts: Doctrine\ORM\PersistentCollection {#4678 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
    +follows: Doctrine\ORM\PersistentCollection {#4690 …}
    +followers: Doctrine\ORM\PersistentCollection {#4692 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
    +reports: Doctrine\ORM\PersistentCollection {#4702 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
    +violations: Doctrine\ORM\PersistentCollection {#4706 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
    +awards: Doctrine\ORM\PersistentCollection {#4710 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
    +categories: Doctrine\ORM\PersistentCollection {#4714 …}
    -id: 8433
    -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
    +apId: "duncesplayed@lemmy.one"
    +apProfileId: "https://lemmy.one/u/duncesplayed"
    +apPublicUrl: "https://lemmy.one/u/duncesplayed"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.one/inbox"
    +apDomain: "lemmy.one"
    +apPreferredUsername: "duncesplayed"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1726064732 {#4648
      date: 2024-09-11 16:25:32.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687499225 {#4649
      date: 2023-06-23 07:47:05.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#8181
  +width: 40
  +height: 40
  +user: App\Entity\User {#4663
    +avatar: null
    +cover: null
    +email: "duncesplayed@lemmy.one"
    +username: "@duncesplayed@lemmy.one"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1726532952 {#4647
      date: 2024-09-17 02:29:12.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
    +entries: Doctrine\ORM\PersistentCollection {#4670 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
    +posts: Doctrine\ORM\PersistentCollection {#4678 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
    +follows: Doctrine\ORM\PersistentCollection {#4690 …}
    +followers: Doctrine\ORM\PersistentCollection {#4692 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
    +reports: Doctrine\ORM\PersistentCollection {#4702 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
    +violations: Doctrine\ORM\PersistentCollection {#4706 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
    +awards: Doctrine\ORM\PersistentCollection {#4710 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
    +categories: Doctrine\ORM\PersistentCollection {#4714 …}
    -id: 8433
    -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
    +apId: "duncesplayed@lemmy.one"
    +apProfileId: "https://lemmy.one/u/duncesplayed"
    +apPublicUrl: "https://lemmy.one/u/duncesplayed"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.one/inbox"
    +apDomain: "lemmy.one"
    +apPreferredUsername: "duncesplayed"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1726064732 {#4648
      date: 2024-09-11 16:25:32.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687499225 {#4649
      date: 2023-06-23 07:47:05.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.44 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is if malware simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case (ssh and gpg running as your normal user then can no longer read them).\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively)\n
        \n
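        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned `~/.bashrc` still sits in a home directory that your user can write to, so a process running as you can rename or delete it and create a new file in its place.\n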
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it; those that have no agreement with Microsoft to work out of the box generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#8274
  +subject: App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
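        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Because your home directory itself stays writable by you, a root-owned file or folder inside it can still be renamed and replaced by anything running as your user, and a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own ssh and gpg.\n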
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.66 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
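        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file that sits inside a directory you own can still be renamed or deleted and replaced by anything running as your user, because that is decided by the directory’s permissions, not the file’s.\n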
        \n
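        Please report if any setting breaks something. One consequence to expect: with `~/.ssh` and `~/.gnupg` owned by root at mode 700, ssh and gpg running as your own user can no longer read their keys or config there. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n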
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#8331
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, Desktops will use existing Compositors, etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the ones that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute; the three digits apply to owner, group and others; “-R”: recursively)\n
        \n
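        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (anything that can write to the parent directory can still rename or replace a root-owned file inside it), and as long as everything important is stored there.\n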
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 38.87 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. only via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, “-R”: recursively)\n
        \n
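        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Also note that once `~/.ssh` and `~/.gnupg` are owned by root with mode 700, your own user can no longer read them, so `ssh` and `gpg` running as you cannot use the keys stored there.\n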
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
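      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`. Even then, your home directory is still owned by you, so anything running as your user can rename or delete the root-owned file and put a new `~/.bashrc` in its place; the `chown` only protects the existing file’s contents.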
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#8571
  +comment: App\Entity\EntryComment {#4650
    +user: App\Entity\User {#4663
      +avatar: null
      +cover: null
      +email: "duncesplayed@lemmy.one"
      +username: "@duncesplayed@lemmy.one"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1726532952 {#4647
        date: 2024-09-17 02:29:12.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
      +entries: Doctrine\ORM\PersistentCollection {#4670 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
      +posts: Doctrine\ORM\PersistentCollection {#4678 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
      +follows: Doctrine\ORM\PersistentCollection {#4690 …}
      +followers: Doctrine\ORM\PersistentCollection {#4692 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
      +reports: Doctrine\ORM\PersistentCollection {#4702 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
      +violations: Doctrine\ORM\PersistentCollection {#4706 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
      +awards: Doctrine\ORM\PersistentCollection {#4710 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
      +categories: Doctrine\ORM\PersistentCollection {#4714 …}
      -id: 8433
      -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
      +apId: "duncesplayed@lemmy.one"
      +apProfileId: "https://lemmy.one/u/duncesplayed"
      +apPublicUrl: "https://lemmy.one/u/duncesplayed"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.one/inbox"
      +apDomain: "lemmy.one"
      +apPreferredUsername: "duncesplayed"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1726064732 {#4648
        date: 2024-09-11 16:25:32.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687499225 {#4649
        date: 2023-06-23 07:47:05.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. through sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
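        (The three digits are for owner, group and others. 7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively. So 700 leaves access to the owner only, which after the `chown` is root, not your user.)\n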
        \n
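        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, the home directory itself still belongs to your user, and whoever can write to a directory can rename or remove the entries in it, so changing the owner of ~/.bashrc alone does not prevent the file from being replaced.\n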
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
      \n
      Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
      \n
      If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 5
    +score: 0
    +lastActive: DateTime @1701461493 {#4645
      date: 2023-12-01 21:11:33.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4651 …}
    +nested: Doctrine\ORM\PersistentCollection {#4653 …}
    +votes: Doctrine\ORM\PersistentCollection {#4655 …}
    +reports: Doctrine\ORM\PersistentCollection {#4657 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
    -id: 161649
    -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.one/comment/4992642"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898730 {#4646
      date: 2023-11-25 08:52:10.0 +01:00
    }
  }
  +nestedComments: [
    161733 => App\Entity\EntryComment {#5254
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4650}
      +root: App\Entity\EntryComment {#4650}
      +body: "Thanks yes I forgot to mention that."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1700901174 {#5252
        date: 2023-11-25 09:32:54.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
        "@duncesplayed@lemmy.one"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5255 …}
      +nested: Doctrine\ORM\PersistentCollection {#5257 …}
      +votes: Doctrine\ORM\PersistentCollection {#5259 …}
      +reports: Doctrine\ORM\PersistentCollection {#5261 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
      -id: 161733
      -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://feddit.de/comment/5132613"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700901174 {#5253
        date: 2023-11-25 09:32:54.0 +01:00
      }
    }
  ]
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 13.44 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
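        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. For example, a root-owned `~/.bashrc` inside a home directory you own can still be renamed or deleted and replaced with a new file, because that only needs write access to the directory.\n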
        \n
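        Please report if any setting breaks something. Note that with `~/.ssh` and `~/.gnupg` owned by root and mode 700, ssh and gpg running as your own user can no longer read their keys or config there. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n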
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#8631
  +comment: App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (each digit sets owner / group / others; 7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access; “-R”: recursively)\n
        \n
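        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that file ownership alone is not enough: as long as the parent directory (your home) is writable by your user, a process running as you can still rename or replace a root-owned dotfile, so treat this as a speed bump, not a boundary.\n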
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
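        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`. Note that you still own the home directory itself, so you could still rename or delete the root-owned file and create a new one in its place.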
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.17 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#8676
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.14 ms
Input props
[
  "date" => DateTimeImmutable @1700901174 {#5253
    date: 2023-11-25 09:32:54.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#8731
  +date: DateTimeImmutable @1700901174 {#5253
    date: 2023-11-25 09:32:54.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700901174 {#5253
    date: 2023-11-25 09:32:54.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#8785
  +createdAt: DateTimeImmutable @1700901174 {#5253
    date: 2023-11-25 09:32:54.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.21 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#8839
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.59 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
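        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that your user still owns the home directory itself, so a root-owned `~/.bashrc` can still be renamed or deleted and replaced with a new file without sudo; and once `~/.ssh` and `~/.gnupg` belong to root with mode 700, ssh and gpg running as your user can no longer read their keys.\n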
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#8908
  +subject: App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (ssh and gpg running as your own user can then no longer read them).\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
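        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (a root-owned file can still be renamed or deleted by anything that can write to the directory containing it, and that includes your home directory), and as long as everything important is stored there.\n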
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 1.02 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
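        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install it there. Keep in mind that Distrobox is meant for compatibility, not isolation: by default the container shares your home directory with the host, so it keeps your base system clean but does not sandbox the app. You can display the images available by pressing tab after `-i`.\n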
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively; the three digits apply to owner, group and others)\n
        \n
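        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Also note that ownership of the file alone is not enough: whether a file can be renamed or replaced is decided by the permissions of the directory containing it, and your home directory is still yours. And once ~/.ssh and ~/.gnupg are owned by root with mode 700, ssh and gpg running as your user can no longer read them.\n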
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#8965
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
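        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that root ownership of a file does not stop a process running as you from renaming or replacing it while the directory containing it (your home directory) is still writable by you.\n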
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 3.31 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some effords combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. only via sudo); all other users can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
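        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that your home directory itself stays writable by your user, so changing the owner of a dotfile to root does not stop a process running as you from renaming that file and putting a new one in its place.\n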
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make it work out of the box; instead, they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#9205
  +comment: App\Entity\EntryComment {#5254
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
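        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a directory you still own can be renamed or deleted and replaced by any process running as you, so the ownership change only helps if the containing directory is protected as well.\n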
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft and so may not work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4650
      +user: App\Entity\User {#4663
        +avatar: null
        +cover: null
        +email: "duncesplayed@lemmy.one"
        +username: "@duncesplayed@lemmy.one"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1726532952 {#4647
          date: 2024-09-17 02:29:12.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4664 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4666 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4668 …}
        +entries: Doctrine\ORM\PersistentCollection {#4670 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4672 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4674 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4676 …}
        +posts: Doctrine\ORM\PersistentCollection {#4678 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4680 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4682 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4684 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4686 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4688 …}
        +follows: Doctrine\ORM\PersistentCollection {#4690 …}
        +followers: Doctrine\ORM\PersistentCollection {#4692 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4694 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4696 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4698 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4700 …}
        +reports: Doctrine\ORM\PersistentCollection {#4702 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4704 …}
        +violations: Doctrine\ORM\PersistentCollection {#4706 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4708 …}
        +awards: Doctrine\ORM\PersistentCollection {#4710 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4712 …}
        +categories: Doctrine\ORM\PersistentCollection {#4714 …}
        -id: 8433
        -password: "$2y$13$yZWuf5x3jbg8PYxJYpNSVu1UirrBYpX5RdJ/Mt1DEIOEgfW1DXrbK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4716 …}
        +apId: "duncesplayed@lemmy.one"
        +apProfileId: "https://lemmy.one/u/duncesplayed"
        +apPublicUrl: "https://lemmy.one/u/duncesplayed"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.one/inbox"
        +apDomain: "lemmy.one"
        +apPreferredUsername: "duncesplayed"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1726064732 {#4648
          date: 2024-09-11 16:25:32.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687499225 {#4649
          date: 2023-06-23 07:47:05.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        As @BCsven@lemmy.ca mentioned, the talk about stable distributions is not right at all.\n
        \n
        Also, the commands you gave in “secure directories and dotfiles” are not doing anything. `sudo chmod 755 ~/.bashrc` doesn’t change the ownership of the file: it’s still owned by you. So setting the permissions 755 just makes it writeable by…you. You will still be able to modify it without sudo.\n
        \n
        If you want to make your dotfile require root access to change, you would need to augment the `chmod` with a `sudo chown root ~/.bashrc`
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 5
      +score: 0
      +lastActive: DateTime @1701461493 {#4645
        date: 2023-12-01 21:11:33.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@BCsven@lemmy.ca"
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4651 …}
      +nested: Doctrine\ORM\PersistentCollection {#4653 …}
      +votes: Doctrine\ORM\PersistentCollection {#4655 …}
      +reports: Doctrine\ORM\PersistentCollection {#4657 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4659 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4661 …}
      -id: 161649
      -bodyTs: "'/.bashrc':31,91 '755':30,50 'abl':61 'access':76 'also':14 'anyth':27 'augment':83 'bcsven@lemmy.ca':2 'chang':34,78 'chmod':29,85 'chown':89 'command':16 'directori':21 'distribut':8 'doesn':32 'dotfil':23,73 'file':39 'gave':18 'make':52,71 'mention':3 'modifi':63 'need':81 'own':43 'ownership':36 'permiss':49 'requir':74 'right':11 'root':75,90 'secur':20 'set':47 'stabl':7 'still':42,59 'sudo':28,66,88 'talk':5 'want':69 'without':65 'would':80 'writeabl':54"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.one/comment/4992642"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700898730 {#4646
        date: 2023-11-25 08:52:10.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4650}
    +body: "Thanks yes I forgot to mention that."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700901174 {#5252
      date: 2023-11-25 09:32:54.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@BCsven@lemmy.ca"
      "@Pantherina@feddit.de"
      "@duncesplayed@lemmy.one"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5255 …}
    +nested: Doctrine\ORM\PersistentCollection {#5257 …}
    +votes: Doctrine\ORM\PersistentCollection {#5259 …}
    +reports: Doctrine\ORM\PersistentCollection {#5261 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5263 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5265 …}
    -id: 161733
    -bodyTs: "'forgot':4 'mention':6 'thank':1 'yes':2"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5132613"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700901174 {#5253
      date: 2023-11-25 09:32:54.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 85.80 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will combine, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which may even need to be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
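        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, the home directory itself still belongs to you, so a process running as your user can rename or delete a root-owned dotfile and create its own in its place; and once `~/.ssh` and `~/.gnupg` are mode 700 and owned by root, ssh and gpg running as your user can no longer read them.\n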
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it; even though they may not have an agreement with Microsoft to work out of the box, they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file, because deleting and renaming a file are changes to the directory, not to the file itself. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#9281
  +comment: App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that don't do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
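        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, as long as your user can write to the home directory itself, a process running as you can still rename or replace these files and directories, whatever their own owner and mode.\n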
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file, because removing or replacing a file is an operation on that directory and is not governed by the file's own mode. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases, as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files, but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective, and with mitigations on, performance takes a massive hit on those 10-year-old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.14 ms
Input props
[
  "user" => App\Entity\User {#4736
    +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
    +cover: null
    +email: "chameleon@kbin.social"
    +username: "@chameleon@kbin.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "i'm lizard 🦎"
    +lastActive: DateTime @1711630376 {#4720
      date: 2024-03-28 13:52:56.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
    +entries: Doctrine\ORM\PersistentCollection {#4744 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
    +posts: Doctrine\ORM\PersistentCollection {#4752 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
    +follows: Doctrine\ORM\PersistentCollection {#4764 …}
    +followers: Doctrine\ORM\PersistentCollection {#4766 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
    +reports: Doctrine\ORM\PersistentCollection {#4776 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
    +violations: Doctrine\ORM\PersistentCollection {#4780 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
    +awards: Doctrine\ORM\PersistentCollection {#4784 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
    +categories: Doctrine\ORM\PersistentCollection {#4788 …}
    -id: 10775
    -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
    +apId: "chameleon@kbin.social"
    +apProfileId: "https://kbin.social/u/chameleon"
    +apPublicUrl: "https://kbin.social/u/chameleon"
    +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
    +apInboxUrl: "https://kbin.social/f/inbox"
    +apDomain: "kbin.social"
    +apPreferredUsername: "chameleon"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1702754715 {#4721
      date: 2023-12-16 20:25:15.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687618090 {#4722
      date: 2023-06-24 16:48:10.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#9326
  +user: App\Entity\User {#4736
    +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
    +cover: null
    +email: "chameleon@kbin.social"
    +username: "@chameleon@kbin.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "i'm lizard 🦎"
    +lastActive: DateTime @1711630376 {#4720
      date: 2024-03-28 13:52:56.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
    +entries: Doctrine\ORM\PersistentCollection {#4744 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
    +posts: Doctrine\ORM\PersistentCollection {#4752 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
    +follows: Doctrine\ORM\PersistentCollection {#4764 …}
    +followers: Doctrine\ORM\PersistentCollection {#4766 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
    +reports: Doctrine\ORM\PersistentCollection {#4776 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
    +violations: Doctrine\ORM\PersistentCollection {#4780 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
    +awards: Doctrine\ORM\PersistentCollection {#4784 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
    +categories: Doctrine\ORM\PersistentCollection {#4788 …}
    -id: 10775
    -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
    +apId: "chameleon@kbin.social"
    +apProfileId: "https://kbin.social/u/chameleon"
    +apPublicUrl: "https://kbin.social/u/chameleon"
    +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
    +apInboxUrl: "https://kbin.social/f/inbox"
    +apDomain: "kbin.social"
    +apPreferredUsername: "chameleon"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1702754715 {#4721
      date: 2023-12-16 20:25:15.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687618090 {#4722
      date: 2023-06-24 16:48:10.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.14 ms
Input props
[
  "date" => DateTimeImmutable @1700845023 {#4719
    date: 2023-11-24 17:57:03.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#9381
  +date: DateTimeImmutable @1700845023 {#4719
    date: 2023-11-24 17:57:03.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700845023 {#4719
    date: 2023-11-24 17:57:03.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#9435
  +createdAt: DateTimeImmutable @1700845023 {#4719
    date: 2023-11-24 17:57:03.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 2.80 ms
Input props
[
  "user" => App\Entity\User {#4736
    +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
    +cover: null
    +email: "chameleon@kbin.social"
    +username: "@chameleon@kbin.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "i'm lizard 🦎"
    +lastActive: DateTime @1711630376 {#4720
      date: 2024-03-28 13:52:56.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
    +entries: Doctrine\ORM\PersistentCollection {#4744 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
    +posts: Doctrine\ORM\PersistentCollection {#4752 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
    +follows: Doctrine\ORM\PersistentCollection {#4764 …}
    +followers: Doctrine\ORM\PersistentCollection {#4766 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
    +reports: Doctrine\ORM\PersistentCollection {#4776 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
    +violations: Doctrine\ORM\PersistentCollection {#4780 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
    +awards: Doctrine\ORM\PersistentCollection {#4784 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
    +categories: Doctrine\ORM\PersistentCollection {#4788 …}
    -id: 10775
    -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
    +apId: "chameleon@kbin.social"
    +apProfileId: "https://kbin.social/u/chameleon"
    +apPublicUrl: "https://kbin.social/u/chameleon"
    +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
    +apInboxUrl: "https://kbin.social/f/inbox"
    +apDomain: "kbin.social"
    +apPreferredUsername: "chameleon"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1702754715 {#4721
      date: 2023-12-16 20:25:15.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687618090 {#4722
      date: 2023-06-24 16:48:10.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#9489
  +width: 40
  +height: 40
  +user: App\Entity\User {#4736
    +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
    +cover: null
    +email: "chameleon@kbin.social"
    +username: "@chameleon@kbin.social"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "i'm lizard 🦎"
    +lastActive: DateTime @1711630376 {#4720
      date: 2024-03-28 13:52:56.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
    +entries: Doctrine\ORM\PersistentCollection {#4744 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
    +posts: Doctrine\ORM\PersistentCollection {#4752 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
    +follows: Doctrine\ORM\PersistentCollection {#4764 …}
    +followers: Doctrine\ORM\PersistentCollection {#4766 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
    +reports: Doctrine\ORM\PersistentCollection {#4776 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
    +violations: Doctrine\ORM\PersistentCollection {#4780 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
    +awards: Doctrine\ORM\PersistentCollection {#4784 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
    +categories: Doctrine\ORM\PersistentCollection {#4788 …}
    -id: 10775
    -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
    +apId: "chameleon@kbin.social"
    +apProfileId: "https://kbin.social/u/chameleon"
    +apPublicUrl: "https://kbin.social/u/chameleon"
    +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
    +apInboxUrl: "https://kbin.social/f/inbox"
    +apDomain: "kbin.social"
    +apPreferredUsername: "chameleon"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1702754715 {#4721
      date: 2023-12-16 20:25:15.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1687618090 {#4722
      date: 2023-06-24 16:48:10.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.40 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them (under X11, any app connected to the display can read other apps' keystrokes and window contents). Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, e.g. that Desktops use existing Compositors.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they rely on insecure methods. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception is malware that simply creates a bash alias for ***anything*** in your shell config, which needs no root access. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
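        So this means that your shell configs should only be writable by root (via sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case (note that your own user can then no longer read the keys stored there either).\n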
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, “-R”: recursively)\n
        \n
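        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (write permission on the directory that holds a file is enough to rename or replace that file, even if the file itself is owned by root), and as long as everything important is stored there.\n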
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it, even though some may not have an agreement with Microsoft to work out of the box and instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#9576
  +subject: App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
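        So this means that your shell configs should only be writable by root (via sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case (with mode 700 and owner root, your own ssh and gpg can no longer read their keys and config without sudo).\n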
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (whoever can write to your home directory can still rename or replace a root-owned file inside it), and as long as everything important is stored there.\n
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.77 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do not work include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root; all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root depending on your use case (your own user then cannot read its keys without sudo).\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access; the three digits apply to owner, group and others; “-R”: recursively)\n
        \n
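        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file can still be renamed or replaced by anything that can write to the directory containing it, so the write permission on the parent directory is what actually matters.\n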
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft and so do not work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#9633
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
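        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case. Note that once these directories are owned by root with mode 700, programs running as your own user, including ssh and gpg, can no longer read them either.\n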
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (The three digits are the permissions for owner, group and others, in that order. 7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; 0: no access; “-R”: recursively)\n
        \n
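        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there: a process that can write to the directory holding a root-owned file can still delete or rename that file and put its own copy in its place, so the ownership change alone does not protect it.\n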
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 53.49 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
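        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (anything that can write to the parent directory can rename or replace a root-owned file inside it), and as long as everything important is stored there.\n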
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#9873
  +comment: App\Entity\EntryComment {#4723
    +user: App\Entity\User {#4736
      +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
      +cover: null
      +email: "chameleon@kbin.social"
      +username: "@chameleon@kbin.social"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "i'm lizard 🦎"
      +lastActive: DateTime @1711630376 {#4720
        date: 2024-03-28 13:52:56.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
      +entries: Doctrine\ORM\PersistentCollection {#4744 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
      +posts: Doctrine\ORM\PersistentCollection {#4752 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
      +follows: Doctrine\ORM\PersistentCollection {#4764 …}
      +followers: Doctrine\ORM\PersistentCollection {#4766 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
      +reports: Doctrine\ORM\PersistentCollection {#4776 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
      +violations: Doctrine\ORM\PersistentCollection {#4780 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
      +awards: Doctrine\ORM\PersistentCollection {#4784 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
      +categories: Doctrine\ORM\PersistentCollection {#4788 …}
      -id: 10775
      -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
      +apId: "chameleon@kbin.social"
      +apProfileId: "https://kbin.social/u/chameleon"
      +apPublicUrl: "https://kbin.social/u/chameleon"
      +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
      +apInboxUrl: "https://kbin.social/f/inbox"
      +apDomain: "kbin.social"
      +apPreferredUsername: "chameleon"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1702754715 {#4721
        date: 2023-12-16 20:25:15.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1687618090 {#4722
        date: 2023-06-24 16:48:10.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way, and the result of an OS not caring about its software. It is often also bundled with outsourced antivirus, or with scanning all files you download.\n
        \n
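        So use official repos nearly exclusively. If an app is not in your distro's repos, try Distrobox: create a container from any image and install the app there. Keep in mind that a Distrobox container shares your home directory with the host by default, so it keeps the base system clean but is not a security sandbox. You can display the available images by pressing tab after `-i`.\n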
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias to ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
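        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (but then `ssh` and `gpg` running as your own user can no longer read their keys and configuration there).\n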
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
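        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, whoever can write to the parent directory (here your home directory) can rename or replace a root-owned file or directory inside it, so changing the owner alone does not prevent tampering.\n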
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
      \n
      Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1701395722 {#4718
      date: 2023-12-01 02:55:22.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4724 …}
    +nested: Doctrine\ORM\PersistentCollection {#4726 …}
    +votes: Doctrine\ORM\PersistentCollection {#4728 …}
    +reports: Doctrine\ORM\PersistentCollection {#4730 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
    -id: 159144
    -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700845023 {#4719
      date: 2023-11-24 17:57:03.0 +01:00
    }
  }
  +nestedComments: [
    159789 => App\Entity\EntryComment {#5175
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4723}
      +root: App\Entity\EntryComment {#4723}
      +body: """
        That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
        \n
        Chown sudo is still missing, so currently it's useless. But how do you do that without a root account?\n
        \n
        Yeah, spectre is really bad…
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 0
      +score: 0
      +lastActive: DateTime @1700856928 {#5182
        date: 2023-11-24 21:15:28.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@chameleon@kbin.social"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5169 …}
      +nested: Doctrine\ORM\PersistentCollection {#5173 …}
      +votes: Doctrine\ORM\PersistentCollection {#5171 …}
      +reports: Doctrine\ORM\PersistentCollection {#5185 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
      -id: 159789
      -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://feddit.de/comment/5116505"
      +editedAt: DateTimeImmutable @1701395739 {#5179
        date: 2023-12-01 02:55:39.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700856928 {#5181
        date: 2023-11-24 21:15:28.0 +01:00
      }
    }
  ]
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 49.31 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. through sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which maybe should even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
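        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root ownership of a file or directory alone does not protect it: as long as your user can write to the directory that contains it, it can be renamed or removed and a new one put in its place. Also, after `chown -R root` with mode 700, your own user can no longer read ~/.ssh or ~/.gnupg without sudo.\n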
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though some have no agreement with Microsoft and so do not work out of the box; they generate their own keys after installation instead.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing, so currently it's useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#9933
  +comment: App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way, and the result of an OS not caring about its software. It often comes bundled with an outsourced antivirus as well, or with scanning every file you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do this include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursive)\n
        \n
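        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, as long as your user can write to the parent directory (your home directory), a root-owned file inside it can still be renamed or replaced, so treat these permissions as a partial measure only.\n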
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don't know which is better, but I feel secure on Fedora with SELinux set to enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many Distros support it; even though they may not have an agreement with Microsoft to work out of the box, they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. Deleting or renaming a file changes the directory entry, not the file, so the file's own owner and mode do not prevent it. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing, so currently it's useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.17 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#9978
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.14 ms
Input props
[
  "date" => DateTimeImmutable @1700856928 {#5181
    date: 2023-11-24 21:15:28.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#10033
  +date: DateTimeImmutable @1700856928 {#5181
    date: 2023-11-24 21:15:28.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 13.07 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700856928 {#5181
    date: 2023-11-24 21:15:28.0 +01:00
  }
  "editedAt" => DateTimeImmutable @1701395739 {#5179
    date: 2023-12-01 02:55:39.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#10087
  +createdAt: DateTimeImmutable @1700856928 {#5181
    date: 2023-11-24 21:15:28.0 +01:00
  }
  +editedAt: DateTimeImmutable @1701395739 {#5179
    date: 2023-12-01 02:55:39.0 +01:00
  }
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.27 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#10141
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.64 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately, the software that does rely on them includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
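        So this means that your shell configs should only be writable by root (via sudo); all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case. Note that with the mode 700 and root ownership used below, your own user can no longer read the keys in those directories without sudo.\n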
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; the three digits apply to the owner, the group and everyone else, in that order; “-R”: recursively)\n
        \n
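        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file can still be renamed or replaced by anything that can write to the directory containing it, so these commands do not protect files that sit directly in a user-writable home directory.\n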
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing so currently its useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#10218
  +subject: App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that don't do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, “-R”: recursively)\n
        \n
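        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file inside a directory you can still write to can also be deleted or replaced, because that depends on the write permission of the directory holding it.\n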
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing, so currently it's useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.98 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that don't do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there.\n
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing so currently it's useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#10275
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, “-R”: recursively)\n
        \n
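        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file can still be replaced by any process that has write permission on the directory holding it (here, your home directory), so changing the owner of the file alone does not protect it.\n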
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing, so currently it's useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 3.20 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Sadly, the apps that rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros don't get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don't get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursively)\n
        \n
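        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file can still be deleted or replaced by any process that has write permission on the directory containing it, because removing and renaming entries is governed by the directory's permissions, not the file's.\n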
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don't know which is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably don't get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing so currently its useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#10515
  +comment: App\Entity\EntryComment {#5175
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
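        (7: **r**ead **w**rite e**x**ecute, 5: read execute; the three digits apply to owner, group and others in that order; “-R”: recursively)\n
        \n
        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that changing a file's owner and mode does not prevent it from being deleted or replaced: that is governed by write permission on the directory containing it, so these files stay replaceable as long as your user can write to the home directory.\n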
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don't know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably don't get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4723
      +user: App\Entity\User {#4736
        +avatar: Proxies\__CG__\App\Entity\Image {#4737 …}
        +cover: null
        +email: "chameleon@kbin.social"
        +username: "@chameleon@kbin.social"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: "i'm lizard 🦎"
        +lastActive: DateTime @1711630376 {#4720
          date: 2024-03-28 13:52:56.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: true
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: false
        +notifyOnNewEntryCommentReply: false
        +notifyOnNewPost: false
        +notifyOnNewPostReply: false
        +notifyOnNewPostCommentReply: false
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4738 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4740 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4742 …}
        +entries: Doctrine\ORM\PersistentCollection {#4744 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4746 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4748 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4750 …}
        +posts: Doctrine\ORM\PersistentCollection {#4752 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4754 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4756 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4758 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4760 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4762 …}
        +follows: Doctrine\ORM\PersistentCollection {#4764 …}
        +followers: Doctrine\ORM\PersistentCollection {#4766 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4768 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4770 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4772 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4774 …}
        +reports: Doctrine\ORM\PersistentCollection {#4776 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4778 …}
        +violations: Doctrine\ORM\PersistentCollection {#4780 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4782 …}
        +awards: Doctrine\ORM\PersistentCollection {#4784 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4786 …}
        +categories: Doctrine\ORM\PersistentCollection {#4788 …}
        -id: 10775
        -password: "$2y$13$oqj6D4cL9xpx5ZsiH1EjXuc7sRUCcRWl5oM9Erb/EzHIgM2Av0Ps2"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4790 …}
        +apId: "chameleon@kbin.social"
        +apProfileId: "https://kbin.social/u/chameleon"
        +apPublicUrl: "https://kbin.social/u/chameleon"
        +apFollowersUrl: "https://kbin.social/u/chameleon/followers"
        +apInboxUrl: "https://kbin.social/f/inbox"
        +apDomain: "kbin.social"
        +apPreferredUsername: "chameleon"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1702754715 {#4721
          date: 2023-12-16 20:25:15.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1687618090 {#4722
          date: 2023-06-24 16:48:10.0 +02:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: """
        Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. `cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc` or the like will still work if you have write permissions to `/home/username` at all. Marking the file immutable with `chattr +i` as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.\n
        \n
        Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 9
      +score: 0
      +lastActive: DateTime @1701395722 {#4718
        date: 2023-12-01 02:55:22.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4724 …}
      +nested: Doctrine\ORM\PersistentCollection {#4726 …}
      +votes: Doctrine\ORM\PersistentCollection {#4728 …}
      +reports: Doctrine\ORM\PersistentCollection {#4730 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4732 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4734 …}
      -id: 159144
      -bodyTs: "'/.bashrc':23,32,35 '/.bashrc.new':24,29,34 '/home/username':48 '10':172 'absolut':118 'accomplish':108 'also':102 'arbitrari':109 'bit':11 'bother':3,125 'buy':126 'case':74 'cat':22 'chattr':56 'code':110 'complet':144 'config/scripting/plugin':114 'cpu':138 'directori':5,18,78 'doesn':119 'editor':99 'effect':64,160 'enough':69 'equal':159 'ever':135 'execut':111 'f':31 'file':21,53,115 'firmwar':134,186 'found':89 'free':133,185 'fruit':96 'get':179 'good':189 'hang':95 'high':148 'high-secur':147 'hit':169 'hold':19 'immut':54 'like':6,38,101 'lot':72 'low':94 'low-hang':93 'machin':143,175 'made':141 'malwar':27 'mark':51 'massiv':168 'meaning':9 'mention':85 'might':60 'mitig':157,163 'mv':33 'new':182 'old':127,142,174 'parent':77 'perform':165 'permiss':10,15,46 'purpos':150 'put':26 'put-malware-in':25 'realist':66 'reason':181 'renam':82 'rm':30 'root':59 'secur':4,149 'sinc':136 'slight':62 'spectr':137 'still':40,67,80 'stop':121 'system':128,183 'take':166 'text':98 'though':190 'time':151,153 'unsuit':145 've':87 'vulner':139 'way':106 'work':41 'write':14,45 'year':173"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://kbin.social/m/linux@lemmy.ml/t/652878/-/comment/3752219"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700845023 {#4719
        date: 2023-11-24 17:57:03.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4723}
    +body: """
      That's important… are you sure you can delete files without write permission? Couldn't this be avoided? Because if you can't delete or write to a file, it is basically immutable, right?\n
      \n
      Chown sudo is still missing so currently its useless. But how do you do that without a root account?\n
      \n
      Yeah, spectre is really bad…
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856928 {#5182
      date: 2023-11-24 21:15:28.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@chameleon@kbin.social"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5169 …}
    +nested: Doctrine\ORM\PersistentCollection {#5173 …}
    +votes: Doctrine\ORM\PersistentCollection {#5171 …}
    +reports: Doctrine\ORM\PersistentCollection {#5185 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5187 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5189 …}
    -id: 159789
    -bodyTs: "'account':50 'avoid':16 'bad':55 'basic':29 'cant':20 'chown':32 'couldnt':13 'current':38 'delet':8,21 'file':9,26 'immut':30 'import':2 'miss':36 'permiss':12 'realli':54 'right':31 'root':49 'spectr':52 'still':35 'sudo':33 'sure':5 'that':1 'useless':40 'without':10,47 'write':11,23 'yeah':51"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116505"
    +editedAt: DateTimeImmutable @1701395739 {#5179
      date: 2023-12-01 02:55:39.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700856928 {#5181
      date: 2023-11-24 21:15:28.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 91.00 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root; all other users should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
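        This may still be incomplete, and the protection is pretty weak as long as random software can write to the directories that contain these files at all (your home directory itself stays writable by your user, so a root-owned file or folder in it can still be renamed and replaced), and as long as everything important is stored there. Also keep in mind that with ~/.ssh and ~/.gnupg owned by root with mode 700, your own user can no longer read them, so ssh and gpg will not find your keys unless they run as root.\n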
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        It is also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#10591
  +comment: App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, that category includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
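        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a directory you still own (such as ~/.bashrc in your home directory) can be renamed or deleted and replaced with a new file, so changing the file's owner alone does not stop that.\n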
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft and so do not work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.14 ms
Input props
[
  "user" => App\Entity\User {#4810
    +avatar: null
    +cover: null
    +email: "throwaway2@lemmy.today"
    +username: "@throwaway2@lemmy.today"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701384673 {#4794
      date: 2023-11-30 23:51:13.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
    +entries: Doctrine\ORM\PersistentCollection {#4817 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
    +posts: Doctrine\ORM\PersistentCollection {#4825 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
    +follows: Doctrine\ORM\PersistentCollection {#4837 …}
    +followers: Doctrine\ORM\PersistentCollection {#4839 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
    +reports: Doctrine\ORM\PersistentCollection {#4849 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
    +violations: Doctrine\ORM\PersistentCollection {#4853 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
    +awards: Doctrine\ORM\PersistentCollection {#4857 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
    +categories: Doctrine\ORM\PersistentCollection {#4861 …}
    -id: 79874
    -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
    +apId: "throwaway2@lemmy.today"
    +apProfileId: "https://lemmy.today/u/throwaway2"
    +apPublicUrl: "https://lemmy.today/u/throwaway2"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.today/inbox"
    +apDomain: "lemmy.today"
    +apPreferredUsername: "throwaway2"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1701384406 {#4795
      date: 2023-11-30 23:46:46.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1701384405 {#4796
      date: 2023-11-30 23:46:45.0 +01:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#10636
  +user: App\Entity\User {#4810
    +avatar: null
    +cover: null
    +email: "throwaway2@lemmy.today"
    +username: "@throwaway2@lemmy.today"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701384673 {#4794
      date: 2023-11-30 23:51:13.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
    +entries: Doctrine\ORM\PersistentCollection {#4817 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
    +posts: Doctrine\ORM\PersistentCollection {#4825 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
    +follows: Doctrine\ORM\PersistentCollection {#4837 …}
    +followers: Doctrine\ORM\PersistentCollection {#4839 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
    +reports: Doctrine\ORM\PersistentCollection {#4849 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
    +violations: Doctrine\ORM\PersistentCollection {#4853 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
    +awards: Doctrine\ORM\PersistentCollection {#4857 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
    +categories: Doctrine\ORM\PersistentCollection {#4861 …}
    -id: 79874
    -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
    +apId: "throwaway2@lemmy.today"
    +apProfileId: "https://lemmy.today/u/throwaway2"
    +apPublicUrl: "https://lemmy.today/u/throwaway2"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.today/inbox"
    +apDomain: "lemmy.today"
    +apPreferredUsername: "throwaway2"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1701384406 {#4795
      date: 2023-11-30 23:46:46.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1701384405 {#4796
      date: 2023-11-30 23:46:45.0 +01:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.14 ms
Input props
[
  "date" => DateTimeImmutable @1700849610 {#4793
    date: 2023-11-24 19:13:30.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#10691
  +date: DateTimeImmutable @1700849610 {#4793
    date: 2023-11-24 19:13:30.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700849610 {#4793
    date: 2023-11-24 19:13:30.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#10745
  +createdAt: DateTimeImmutable @1700849610 {#4793
    date: 2023-11-24 19:13:30.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.31 ms
Input props
[
  "user" => App\Entity\User {#4810
    +avatar: null
    +cover: null
    +email: "throwaway2@lemmy.today"
    +username: "@throwaway2@lemmy.today"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701384673 {#4794
      date: 2023-11-30 23:51:13.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
    +entries: Doctrine\ORM\PersistentCollection {#4817 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
    +posts: Doctrine\ORM\PersistentCollection {#4825 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
    +follows: Doctrine\ORM\PersistentCollection {#4837 …}
    +followers: Doctrine\ORM\PersistentCollection {#4839 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
    +reports: Doctrine\ORM\PersistentCollection {#4849 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
    +violations: Doctrine\ORM\PersistentCollection {#4853 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
    +awards: Doctrine\ORM\PersistentCollection {#4857 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
    +categories: Doctrine\ORM\PersistentCollection {#4861 …}
    -id: 79874
    -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
    +apId: "throwaway2@lemmy.today"
    +apProfileId: "https://lemmy.today/u/throwaway2"
    +apPublicUrl: "https://lemmy.today/u/throwaway2"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.today/inbox"
    +apDomain: "lemmy.today"
    +apPreferredUsername: "throwaway2"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1701384406 {#4795
      date: 2023-11-30 23:46:46.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1701384405 {#4796
      date: 2023-11-30 23:46:45.0 +01:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#10799
  +width: 40
  +height: 40
  +user: App\Entity\User {#4810
    +avatar: null
    +cover: null
    +email: "throwaway2@lemmy.today"
    +username: "@throwaway2@lemmy.today"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701384673 {#4794
      date: 2023-11-30 23:51:13.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
    +entries: Doctrine\ORM\PersistentCollection {#4817 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
    +posts: Doctrine\ORM\PersistentCollection {#4825 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
    +follows: Doctrine\ORM\PersistentCollection {#4837 …}
    +followers: Doctrine\ORM\PersistentCollection {#4839 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
    +reports: Doctrine\ORM\PersistentCollection {#4849 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
    +violations: Doctrine\ORM\PersistentCollection {#4853 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
    +awards: Doctrine\ORM\PersistentCollection {#4857 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
    +categories: Doctrine\ORM\PersistentCollection {#4861 …}
    -id: 79874
    -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
    +apId: "throwaway2@lemmy.today"
    +apProfileId: "https://lemmy.today/u/throwaway2"
    +apPublicUrl: "https://lemmy.today/u/throwaway2"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.today/inbox"
    +apDomain: "lemmy.today"
    +apPreferredUsername: "throwaway2"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1701384406 {#4795
      date: 2023-11-30 23:46:46.0 +01:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1701384405 {#4796
      date: 2023-11-30 23:46:45.0 +01:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.37 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
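        So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Keep in mind that once ~/.ssh and ~/.gnupg are owned by root with mode 700, ssh and gpg started as your normal user can no longer read their keys and config.\n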
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
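        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned file inside a directory your user owns can still be renamed or deleted and recreated, because that only needs write permission on the directory, so for single files like ~/.bashrc this is a hurdle rather than real protection.\n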
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation, with their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#10880
  +subject: App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
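        So this means that your shell configs should only be writable by root (through sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case: with the commands below your own user can no longer read its SSH and GnuPG keys without sudo.\n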
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
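        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, changing the owner of a file does not stop a process running as your user from renaming or replacing it, because the home directory that contains it is still writable by that user.\n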
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.63 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        These should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with desktops using existing compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of remote desktop software, as well as screen recording. But things will evolve, and there are already apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
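        So this means that your shell configs should only be writable by root (via sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case. Note that with the commands below your own user can no longer read ~/.ssh or ~/.gnupg, so ssh and gpg run as that user cannot use the keys stored there.\n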
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
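        This list may still be incomplete, and the protection remains weak as long as random software can write to these directories at all (a root-owned file can still be renamed or replaced by anything that can write to the directory containing it), and as long as everything important is stored there.\n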
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Secure Boot is also important for verifying that your OS has not been tampered with. Many distros support it even though they may not have an agreement with Microsoft that makes it work out of the box; instead, they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#10937
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which maybe should even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
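        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively. The three digits apply to the owner, the group and everyone else, so after the chown to root, 755 leaves only root able to write and 700 leaves only root with any access.)\n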
        \n
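        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that a root-owned file or directory that sits inside a directory your user can still write to (such as your home directory) can usually still be renamed and replaced without root, and that handing `~/.ssh` and `~/.gnupg` to root with mode 700 means your own user can no longer read the keys in them, so test SSH and GPG afterwards.\n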
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 60.66 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
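        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that a root-owned file inside a directory your user still owns (like `~/.bashrc` in your home) can be renamed and replaced by anything running as your user, and a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user without sudo.\n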
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        It is also important for verifying that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft that lets them work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#11177
  +comment: App\Entity\EntryComment {#4797
    +user: App\Entity\User {#4810
      +avatar: null
      +cover: null
      +email: "throwaway2@lemmy.today"
      +username: "@throwaway2@lemmy.today"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701384673 {#4794
        date: 2023-11-30 23:51:13.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
      +entries: Doctrine\ORM\PersistentCollection {#4817 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
      +posts: Doctrine\ORM\PersistentCollection {#4825 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
      +follows: Doctrine\ORM\PersistentCollection {#4837 …}
      +followers: Doctrine\ORM\PersistentCollection {#4839 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
      +reports: Doctrine\ORM\PersistentCollection {#4849 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
      +violations: Doctrine\ORM\PersistentCollection {#4853 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
      +awards: Doctrine\ORM\PersistentCollection {#4857 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
      +categories: Doctrine\ORM\PersistentCollection {#4861 …}
      -id: 79874
      -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
      +apId: "throwaway2@lemmy.today"
      +apProfileId: "https://lemmy.today/u/throwaway2"
      +apPublicUrl: "https://lemmy.today/u/throwaway2"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.today/inbox"
      +apDomain: "lemmy.today"
      +apPreferredUsername: "throwaway2"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1701384406 {#4795
        date: 2023-11-30 23:46:46.0 +01:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1701384405 {#4796
        date: 2023-11-30 23:46:45.0 +01:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have been using Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It often also comes bundled with outsourced antivirus, or with scanning every file you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
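        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. For example, a root-owned `~/.bashrc` can still be renamed or replaced by any process running as your user, because you still own the home directory that contains it.\n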
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, once there are portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make them work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1701395338 {#4792
      date: 2023-12-01 02:48:58.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4798 …}
    +nested: Doctrine\ORM\PersistentCollection {#4800 …}
    +votes: Doctrine\ORM\PersistentCollection {#4802 …}
    +reports: Doctrine\ORM\PersistentCollection {#4804 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
    -id: 159396
    -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.today/comment/3599849"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700849610 {#4793
      date: 2023-11-24 19:13:30.0 +01:00
    }
  }
  +nestedComments: [
    159779 => App\Entity\EntryComment {#5224
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: App\Entity\EntryComment {#4797}
      +root: App\Entity\EntryComment {#4797}
      +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
      +lang: "en"
      +isAdult: false
      +favouriteCount: 0
      +score: 0
      +lastActive: DateTime @1700856644 {#5222
        date: 2023-11-24 21:10:44.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@throwaway2@lemmy.today"
      ]
      +children: Doctrine\ORM\PersistentCollection {#5225 …}
      +nested: Doctrine\ORM\PersistentCollection {#5227 …}
      +votes: Doctrine\ORM\PersistentCollection {#5229 …}
      +reports: Doctrine\ORM\PersistentCollection {#5231 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
      -id: 159779
      -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://feddit.de/comment/5116345"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700856644 {#5223
        date: 2023-11-24 21:10:44.0 +01:00
      }
    }
  ]
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 48.96 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
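        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Keep in mind that when root owns ~/.ssh or ~/.gnupg with mode 700, ssh and gpg running as your normal user can no longer read the keys in there.\n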
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (The three digits are for owner, group and everyone else. 7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively)\n
        \n
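        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. The home directory itself stays writable by your user, so a root-owned file like ~/.bashrc can still be renamed or replaced by anything running as you.\n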
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make them work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  "showNested" => true
  "level" => 2
  "showEntryTitle" => false
  "showMagazineName" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#11237
  +comment: App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
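        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case; note that with the commands below (owner root, mode 700) ssh and gpg running as your normal user can no longer read their keys there.\n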
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
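        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file or directory inside a home directory that the user can still write to can be renamed or deleted and replaced with a user-owned copy, so changing ownership of the files alone does not stop that.\n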
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Secure Boot is also important for verifying that your OS was not tampered with. Many distros support it even if they have no agreement with Microsoft to work out of the box; those generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 2
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.72 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#11282
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.21 ms
Input props
[
  "date" => DateTimeImmutable @1700856644 {#5223
    date: 2023-11-24 21:10:44.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#11337
  +date: DateTimeImmutable @1700856644 {#5223
    date: 2023-11-24 21:10:44.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.15 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700856644 {#5223
    date: 2023-11-24 21:10:44.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#11391
  +createdAt: DateTimeImmutable @1700856644 {#5223
    date: 2023-11-24 21:10:44.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.22 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#11445
  +width: 40
  +height: 40
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.49 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
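        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (the commands below do exactly that, so ssh and gpg run as your own user can no longer read those directories).\n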
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
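        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file that sits directly in a directory you still own (like ~/.bashrc in your home) can be renamed or deleted and replaced by any process running as you, because that only needs write permission on the directory, not on the file.\n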
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#11514
  +subject: App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
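        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case. Note that the commands below make ~/.ssh and ~/.gnupg root-only (mode 700, owner root), so ssh and gpg running as your normal user can no longer read their keys and configuration there.\n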
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
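        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root ownership protects a file's contents, not its place in the directory: the home directory itself stays writable by your user, so a root-owned file or folder in it can still be renamed and replaced by any process running as you.\n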
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 1.11 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
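        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that your home directory itself stays writable by your user, so root ownership of a file or directory inside it does not by itself stop it from being swapped out by something running as you; and with `~/.ssh` and `~/.gnupg` set to 700 and owned by root, ssh and gpg run as your normal user can no longer read their keys.\n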
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation, with their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#11571
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
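        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install the app there. Keep in mind that a Distrobox container shares your home directory with the host by default, so this keeps foreign packages off the base system but does not sandbox the app. You can display the available images by pressing tab after `-i`.\n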
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (The three digits apply to owner, group and others. 7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
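        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself still belongs to you, so a root-owned file or directory directly inside it can still be renamed or deleted and replaced by any process running as your user. Also, once `~/.ssh` and `~/.gnupg` are owned by root with mode 700, your own `ssh` and `gpg` can only read their keys through sudo.\n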
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
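        Also important to verify that your OS was not tampered with. Note that Secure Boot itself only checks signatures on the boot chain (bootloader and kernel), not the rest of the installed system. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n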
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 17.81 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
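        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a directory your user can still write to (such as your home directory) can be renamed or deleted and replaced with a new file, and a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user, so SSH and GnuPG cannot use the keys stored there unless they run as root.\n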
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  "level" => 2
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#11811
  +comment: App\Entity\EntryComment {#5224
    +user: Proxies\__CG__\App\Entity\User {#1978
      +avatar: null
      +cover: null
      +email: "Pantherina@feddit.de"
      +username: "@Pantherina@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1721498243 {#1515
        date: 2024-07-20 19:57:23.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
      +entries: Doctrine\ORM\PersistentCollection {#1406 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
      +posts: Doctrine\ORM\PersistentCollection {#1745 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
      +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
      +follows: Doctrine\ORM\PersistentCollection {#1409 …}
      +followers: Doctrine\ORM\PersistentCollection {#1624 …}
      +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
      +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
      +reports: Doctrine\ORM\PersistentCollection {#1416 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
      +violations: Doctrine\ORM\PersistentCollection {#1694 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
      +awards: Doctrine\ORM\PersistentCollection {#1434 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
      +categories: Doctrine\ORM\PersistentCollection {#1640 …}
      -id: 48318
      -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
      +apId: "Pantherina@feddit.de"
      +apProfileId: "https://feddit.de/u/Pantherina"
      +apPublicUrl: "https://feddit.de/u/Pantherina"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "Pantherina"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721236644 {#1516
        date: 2024-07-17 19:17:24.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696428300 {#1518
        date: 2023-10-04 16:05:00.0 +02:00
      }
      +__isInitialized__: true
       …2
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978 …2}
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers, a lot of Remote Desktop Software and Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursively)\n
        \n
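        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two caveats apply: changing the owner of a file does not stop it from being replaced while the directory that contains it (your home directory) is still writable by your user, so this raises the bar rather than closing the hole. And a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user, so ssh and gpg started without sudo will not find their keys.\n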
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: App\Entity\EntryComment {#4797
      +user: App\Entity\User {#4810
        +avatar: null
        +cover: null
        +email: "throwaway2@lemmy.today"
        +username: "@throwaway2@lemmy.today"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1701384673 {#4794
          date: 2023-11-30 23:51:13.0 +01:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#4811 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4813 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#4815 …}
        +entries: Doctrine\ORM\PersistentCollection {#4817 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#4819 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#4821 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4823 …}
        +posts: Doctrine\ORM\PersistentCollection {#4825 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#4827 …}
        +postComments: Doctrine\ORM\PersistentCollection {#4829 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#4831 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#4833 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#4835 …}
        +follows: Doctrine\ORM\PersistentCollection {#4837 …}
        +followers: Doctrine\ORM\PersistentCollection {#4839 …}
        +blocks: Doctrine\ORM\PersistentCollection {#4841 …}
        +blockers: Doctrine\ORM\PersistentCollection {#4843 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#4845 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#4847 …}
        +reports: Doctrine\ORM\PersistentCollection {#4849 …}
        +favourites: Doctrine\ORM\PersistentCollection {#4851 …}
        +violations: Doctrine\ORM\PersistentCollection {#4853 …}
        +notifications: Doctrine\ORM\PersistentCollection {#4855 …}
        +awards: Doctrine\ORM\PersistentCollection {#4857 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#4859 …}
        +categories: Doctrine\ORM\PersistentCollection {#4861 …}
        -id: 79874
        -password: "$2y$13$7Xi3mFqY6aSaqsB2NZexaO4hVhMFGG8CMN6qTHtoPjl1MzWpoozzK"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4863 …}
        +apId: "throwaway2@lemmy.today"
        +apProfileId: "https://lemmy.today/u/throwaway2"
        +apPublicUrl: "https://lemmy.today/u/throwaway2"
        +apFollowersUrl: null
        +apInboxUrl: "https://lemmy.today/inbox"
        +apDomain: "lemmy.today"
        +apPreferredUsername: "throwaway2"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1701384406 {#4795
          date: 2023-11-30 23:46:46.0 +01:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1701384405 {#4796
          date: 2023-11-30 23:46:45.0 +01:00
        }
      }
      +entry: App\Entity\Entry {#2400}
      +magazine: App\Entity\Magazine {#265}
      +image: null
      +parent: null
      +root: null
      +body: "In general, the articles found on [privsec.dev](https://privsec.dev/) are excellent reads and provide both guidance and motivation. With their article on [Desktop Linux Hardening](https://privsec.dev/posts/linux/desktop-linux-hardening/) being my personal favorite."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1701395338 {#4792
        date: 2023-12-01 02:48:58.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#4798 …}
      +nested: Doctrine\ORM\PersistentCollection {#4800 …}
      +votes: Doctrine\ORM\PersistentCollection {#4802 …}
      +reports: Doctrine\ORM\PersistentCollection {#4804 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4806 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4808 …}
      -id: 159396
      -bodyTs: "'/)':10 '/posts/linux/desktop-linux-hardening/)':29 'articl':4,22 'desktop':24 'excel':12 'favorit':33 'found':5 'general':2 'guidanc':17 'harden':26 'linux':25 'motiv':19 'person':32 'privsec.dev':7,9,28 'privsec.dev/)':8 'privsec.dev/posts/linux/desktop-linux-hardening/)':27 'provid':15 'read':13"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.today/comment/3599849"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700849610 {#4793
        date: 2023-11-24 19:13:30.0 +01:00
      }
    }
    +root: App\Entity\EntryComment {#4797}
    +body: "Careful with MAC randomization in your local Wifi. DHCP goes brrrr"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700856644 {#5222
      date: 2023-11-24 21:10:44.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
      "@throwaway2@lemmy.today"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5225 …}
    +nested: Doctrine\ORM\PersistentCollection {#5227 …}
    +votes: Doctrine\ORM\PersistentCollection {#5229 …}
    +reports: Doctrine\ORM\PersistentCollection {#5231 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5233 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5235 …}
    -id: 159779
    -bodyTs: "'brrrr':11 'care':1 'dhcp':9 'goe':10 'local':7 'mac':3 'random':4 'wifi':8"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5116345"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700856644 {#5223
      date: 2023-11-24 21:10:44.0 +01:00
    }
  }
  +nestedComments: []
  +level: 2
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 54.94 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
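        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a home directory that your user can still write to can be renamed or deleted and replaced, so changing ownership of the file alone does not protect it.\n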
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#11887
  +comment: App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined and that Desktops will use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don't do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be made readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
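        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that a root-owned file or directory can still be renamed or deleted by anything that can write to the directory containing it, so these ownership changes raise the bar rather than close the hole; and after the `700` commands above, `~/.ssh` and `~/.gnupg` can no longer be read by your own user without sudo.\n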
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many distros support it, even though some have no agreement with Microsoft that would make it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.22 ms
Input props
[
  "user" => App\Entity\User {#4884
    +avatar: null
    +cover: null
    +email: "hottari@lemmy.ml"
    +username: "@hottari@lemmy.ml"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1704786815 {#4867
      date: 2024-01-09 08:53:35.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
    +entries: Doctrine\ORM\PersistentCollection {#4891 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
    +posts: Doctrine\ORM\PersistentCollection {#4899 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
    +follows: Doctrine\ORM\PersistentCollection {#4911 …}
    +followers: Doctrine\ORM\PersistentCollection {#4913 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
    +reports: Doctrine\ORM\PersistentCollection {#4923 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
    +violations: Doctrine\ORM\PersistentCollection {#4927 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
    +awards: Doctrine\ORM\PersistentCollection {#4931 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
    +categories: Doctrine\ORM\PersistentCollection {#4935 …}
    -id: 51775
    -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
    +apId: "hottari@lemmy.ml"
    +apProfileId: "https://lemmy.ml/u/hottari"
    +apPublicUrl: "https://lemmy.ml/u/hottari"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "hottari"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705428149 {#4868
      date: 2024-01-16 19:02:29.0 +01:00
    }
    +apDeletedAt: DateTime @1707427956 {#4869
      date: 2024-02-08 22:32:36.0 +01:00
    }
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696599546 {#4870
      date: 2023-10-06 15:39:06.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#11932
  +user: App\Entity\User {#4884
    +avatar: null
    +cover: null
    +email: "hottari@lemmy.ml"
    +username: "@hottari@lemmy.ml"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1704786815 {#4867
      date: 2024-01-09 08:53:35.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
    +entries: Doctrine\ORM\PersistentCollection {#4891 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
    +posts: Doctrine\ORM\PersistentCollection {#4899 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
    +follows: Doctrine\ORM\PersistentCollection {#4911 …}
    +followers: Doctrine\ORM\PersistentCollection {#4913 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
    +reports: Doctrine\ORM\PersistentCollection {#4923 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
    +violations: Doctrine\ORM\PersistentCollection {#4927 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
    +awards: Doctrine\ORM\PersistentCollection {#4931 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
    +categories: Doctrine\ORM\PersistentCollection {#4935 …}
    -id: 51775
    -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
    +apId: "hottari@lemmy.ml"
    +apProfileId: "https://lemmy.ml/u/hottari"
    +apPublicUrl: "https://lemmy.ml/u/hottari"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "hottari"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705428149 {#4868
      date: 2024-01-16 19:02:29.0 +01:00
    }
    +apDeletedAt: DateTime @1707427956 {#4869
      date: 2024-02-08 22:32:36.0 +01:00
    }
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696599546 {#4870
      date: 2023-10-06 15:39:06.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.15 ms
Input props
[
  "date" => DateTimeImmutable @1700898063 {#4866
    date: 2023-11-25 08:41:03.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#11987
  +date: DateTimeImmutable @1700898063 {#4866
    date: 2023-11-25 08:41:03.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700898063 {#4866
    date: 2023-11-25 08:41:03.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#12041
  +createdAt: DateTimeImmutable @1700898063 {#4866
    date: 2023-11-25 08:41:03.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 12.57 ms
Input props
[
  "user" => App\Entity\User {#4884
    +avatar: null
    +cover: null
    +email: "hottari@lemmy.ml"
    +username: "@hottari@lemmy.ml"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1704786815 {#4867
      date: 2024-01-09 08:53:35.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
    +entries: Doctrine\ORM\PersistentCollection {#4891 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
    +posts: Doctrine\ORM\PersistentCollection {#4899 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
    +follows: Doctrine\ORM\PersistentCollection {#4911 …}
    +followers: Doctrine\ORM\PersistentCollection {#4913 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
    +reports: Doctrine\ORM\PersistentCollection {#4923 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
    +violations: Doctrine\ORM\PersistentCollection {#4927 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
    +awards: Doctrine\ORM\PersistentCollection {#4931 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
    +categories: Doctrine\ORM\PersistentCollection {#4935 …}
    -id: 51775
    -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
    +apId: "hottari@lemmy.ml"
    +apProfileId: "https://lemmy.ml/u/hottari"
    +apPublicUrl: "https://lemmy.ml/u/hottari"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "hottari"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705428149 {#4868
      date: 2024-01-16 19:02:29.0 +01:00
    }
    +apDeletedAt: DateTime @1707427956 {#4869
      date: 2024-02-08 22:32:36.0 +01:00
    }
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696599546 {#4870
      date: 2023-10-06 15:39:06.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#12095
  +width: 40
  +height: 40
  +user: App\Entity\User {#4884
    +avatar: null
    +cover: null
    +email: "hottari@lemmy.ml"
    +username: "@hottari@lemmy.ml"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1704786815 {#4867
      date: 2024-01-09 08:53:35.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
    +entries: Doctrine\ORM\PersistentCollection {#4891 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
    +posts: Doctrine\ORM\PersistentCollection {#4899 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
    +follows: Doctrine\ORM\PersistentCollection {#4911 …}
    +followers: Doctrine\ORM\PersistentCollection {#4913 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
    +reports: Doctrine\ORM\PersistentCollection {#4923 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
    +violations: Doctrine\ORM\PersistentCollection {#4927 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
    +awards: Doctrine\ORM\PersistentCollection {#4931 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
    +categories: Doctrine\ORM\PersistentCollection {#4935 …}
    -id: 51775
    -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
    +apId: "hottari@lemmy.ml"
    +apProfileId: "https://lemmy.ml/u/hottari"
    +apPublicUrl: "https://lemmy.ml/u/hottari"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "hottari"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1705428149 {#4868
      date: 2024-01-16 19:02:29.0 +01:00
    }
    +apDeletedAt: DateTime @1707427956 {#4869
      date: 2024-02-08 22:32:36.0 +01:00
    }
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696599546 {#4870
      date: 2023-10-06 15:39:06.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.68 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't rely on insecure methods work on Wayland. Unfortunately, the apps that do rely on them include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should be writable only by root (via sudo); all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
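        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, the home directory itself stays writable by your user, so a process running as you can still rename or replace a root-owned file or directory inside it. Root-only `~/.ssh` and `~/.gnupg` (mode 700) are also no longer accessible to `ssh` and `gpg` when they run as your normal user.\n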
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it even though they may not have an agreement with Microsoft and so do not work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#12172
  +subject: App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
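        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox: create a container from any image and install it there. Keep in mind that Distrobox is built for tight host integration rather than isolation (the container shares your home directory by default), so this keeps the base system clean but does not sandbox the app. You can display the images available by pressing tab after `-i`.\n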
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least another year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't rely on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers, lots of Remote Desktop software and screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. through sudo), while everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
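        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively. Mode 700 with root as owner means your own user can no longer read ~/.ssh and ~/.gnupg, so ssh and gpg run as your user can no longer use the keys stored there.)\n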
        \n
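        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there: a process running as your user can still rename or delete a root-owned file inside a directory that your user owns (such as your home directory) and put its own copy in its place.\n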
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some of them have no agreement with Microsoft and therefore do not work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 19.38 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, the ones that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. only via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
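        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that your home directory itself stays writable by your user, so a root-owned file inside it can still be renamed or replaced by anything running as you, and that with `~/.ssh` and `~/.gnupg` owned by root at mode 700 your own `ssh` and `gpg` can no longer read their keys without root.\n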
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security. Drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you setup secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#12229
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
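        So this means that your shell configs should only be writable by root (through sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case (in that case ssh and gpg running as your own user can no longer read their keys without sudo).\n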
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
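        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, as long as the home directory itself stays writable by your user, a process running as you can rename a root-owned file or directory such as ~/.bashrc and put its own in place, so changing the owner alone does not close this gap.\n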
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 5.03 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It often comes bundled with an equally outsourced antivirus, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox, create a Container of any image and install it there (Distrobox containers share your home directory with the host by default, so this keeps the base system clean rather than sandboxing the app). You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
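        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case (note that ssh and gpg running as your normal user then cannot read their own keys and config).\n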
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
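        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Because your home directory itself still belongs to your user, a root-owned file or folder inside it can still be renamed and replaced by anything running as you.\n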
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop free Firmware, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even if they do not have an agreement with Microsoft that would make it work out of the box; those generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#12469
  +comment: App\Entity\EntryComment {#4871
    +user: App\Entity\User {#4884
      +avatar: null
      +cover: null
      +email: "hottari@lemmy.ml"
      +username: "@hottari@lemmy.ml"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1704786815 {#4867
        date: 2024-01-09 08:53:35.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4885 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4887 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4889 …}
      +entries: Doctrine\ORM\PersistentCollection {#4891 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4893 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4895 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4897 …}
      +posts: Doctrine\ORM\PersistentCollection {#4899 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4901 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4903 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4905 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4907 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4909 …}
      +follows: Doctrine\ORM\PersistentCollection {#4911 …}
      +followers: Doctrine\ORM\PersistentCollection {#4913 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4915 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4917 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4919 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4921 …}
      +reports: Doctrine\ORM\PersistentCollection {#4923 …}
      +favourites: Doctrine\ORM\PersistentCollection {#4925 …}
      +violations: Doctrine\ORM\PersistentCollection {#4927 …}
      +notifications: Doctrine\ORM\PersistentCollection {#4929 …}
      +awards: Doctrine\ORM\PersistentCollection {#4931 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#4933 …}
      +categories: Doctrine\ORM\PersistentCollection {#4935 …}
      -id: 51775
      -password: "$2y$13$Q0I1KgZsEszVrj65iWsFeukoLDYk6ZLK1UTPbb9HhVUq6K9TkSFYG"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#4937 …}
      +apId: "hottari@lemmy.ml"
      +apProfileId: "https://lemmy.ml/u/hottari"
      +apPublicUrl: "https://lemmy.ml/u/hottari"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.ml/inbox"
      +apDomain: "lemmy.ml"
      +apPreferredUsername: "hottari"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1705428149 {#4868
        date: 2024-01-16 19:02:29.0 +01:00
      }
      +apDeletedAt: DateTime @1707427956 {#4869
        date: 2024-02-08 22:32:36.0 +01:00
      }
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696599546 {#4870
        date: 2023-10-06 15:39:06.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland unless they do weird stuff that uses insecure methods. Unfortunately, the ones that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
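        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Because your home directory itself stays owned by you, software running as your user can still rename a root-owned file such as ~/.bashrc and create a new one in its place, and with ~/.ssh and ~/.gnupg owned by root at mode 700, ssh and gpg running as your user can no longer read their keys.\n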
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that makes it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      Not a single mention of secure boot? Weird.\n
      \n
      I would say you are already secure enough if you are using software from official/trusted repositories and updating them on a regular basis.\n
      \n
      That said, if you want extra security, drop all software that cannot run on Wayland and go even further by isolating all desktop applications with the Flatpak sandbox. This is made extremely easy with Flatseal. Maximum points if you set up secure boot.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 2
    +score: 0
    +lastActive: DateTime @1700898063 {#4865
      date: 2023-11-25 08:41:03.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4872 …}
    +nested: Doctrine\ORM\PersistentCollection {#4874 …}
    +votes: Doctrine\ORM\PersistentCollection {#4876 …}
    +reports: Doctrine\ORM\PersistentCollection {#4878 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4880 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4882 …}
    -id: 161623
    -bodyTs: "'alreadi':14 'applic':55 'basi':31 'boot':7,73 'cannot':43 'desktop':54 'drop':39 'easi':64 'enough':16 'even':49 'extra':37 'extrem':63 'flatpak':58 'flatseal':66 'go':48 'isol':52 'made':62 'maximum':67 'mention':4 'official/trusted':23 'point':68 'regular':30 'repositori':24 'run':44 'said':33 'sandbox':59 'say':11 'secur':6,15,38,72 'setup':71 'singl':3 'softwar':21,41 'updat':26 'use':20 'want':36 'wayland':46 'weird':8 'would':10"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.ml/comment/6103636"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700898063 {#4866
      date: 2023-11-25 08:41:03.0 +01:00
    }
  }
  +nestedComments: []
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 40.42 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined and Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that don't do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
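        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root ownership of a file does not stop it from being renamed or replaced by anything that can write to the directory containing it.\n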
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also download any distro or bleeding edge container and scan it and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed are you.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Don’t install what you don’t need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries .
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#12539
  +comment: App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
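        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, your home directory itself stays writable by your user, so a process running as you can still rename or replace a root-owned file or directory inside it.\n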
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also, download any distro or bleeding-edge container and scan it, and you’ll find vulnerabilities in some library. The ecosystem is always moving. The question is how exposed you are.\n
      \n
      Use a firewall, secure your browser, and whitelist the sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Don’t install what you don’t need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also, don’t run servers if you don’t know what you are doing. Use a non-networked VM to practice.\n
      \n
      Don’t blindly paste commands, and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.17 ms
Input props
[
  "user" => App\Entity\User {#4958
    +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
    +cover: null
    +email: "JoeKrogan@lemmy.world"
    +username: "@JoeKrogan@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Served in the Krogan uprisings. Now I run a podcast\n
      \n
      [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
      """
    +lastActive: DateTime @1729433101 {#4942
      date: 2024-10-20 16:05:01.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
    +entries: Doctrine\ORM\PersistentCollection {#4966 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
    +posts: Doctrine\ORM\PersistentCollection {#4974 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
    +follows: Doctrine\ORM\PersistentCollection {#4986 …}
    +followers: Doctrine\ORM\PersistentCollection {#4988 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
    +reports: Doctrine\ORM\PersistentCollection {#4998 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
    +violations: Doctrine\ORM\PersistentCollection {#5002 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
    +awards: Doctrine\ORM\PersistentCollection {#5006 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
    +categories: Doctrine\ORM\PersistentCollection {#5010 …}
    -id: 631
    -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
    +apId: "JoeKrogan@lemmy.world"
    +apProfileId: "https://lemmy.world/u/JoeKrogan"
    +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "JoeKrogan"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727412283 {#4943
      date: 2024-09-27 06:44:43.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686953184 {#4944
      date: 2023-06-17 00:06:24.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#12584
  +user: App\Entity\User {#4958
    +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
    +cover: null
    +email: "JoeKrogan@lemmy.world"
    +username: "@JoeKrogan@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Served in the Krogan uprisings. Now I run a podcast\n
      \n
      [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
      """
    +lastActive: DateTime @1729433101 {#4942
      date: 2024-10-20 16:05:01.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
    +entries: Doctrine\ORM\PersistentCollection {#4966 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
    +posts: Doctrine\ORM\PersistentCollection {#4974 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
    +follows: Doctrine\ORM\PersistentCollection {#4986 …}
    +followers: Doctrine\ORM\PersistentCollection {#4988 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
    +reports: Doctrine\ORM\PersistentCollection {#4998 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
    +violations: Doctrine\ORM\PersistentCollection {#5002 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
    +awards: Doctrine\ORM\PersistentCollection {#5006 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
    +categories: Doctrine\ORM\PersistentCollection {#5010 …}
    -id: 631
    -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
    +apId: "JoeKrogan@lemmy.world"
    +apProfileId: "https://lemmy.world/u/JoeKrogan"
    +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "JoeKrogan"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727412283 {#4943
      date: 2024-09-27 06:44:43.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686953184 {#4944
      date: 2023-06-17 00:06:24.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.17 ms
Input props
[
  "date" => DateTimeImmutable @1700851663 {#4941
    date: 2023-11-24 19:47:43.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#12639
  +date: DateTimeImmutable @1700851663 {#4941
    date: 2023-11-24 19:47:43.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.17 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700851663 {#4941
    date: 2023-11-24 19:47:43.0 +01:00
  }
  "editedAt" => DateTimeImmutable @1701403267 {#4940
    date: 2023-12-01 05:01:07.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#12693
  +createdAt: DateTimeImmutable @1700851663 {#4941
    date: 2023-11-24 19:47:43.0 +01:00
  }
  +editedAt: DateTimeImmutable @1701403267 {#4940
    date: 2023-12-01 05:01:07.0 +01:00
  }
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 6.69 ms
Input props
[
  "user" => App\Entity\User {#4958
    +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
    +cover: null
    +email: "JoeKrogan@lemmy.world"
    +username: "@JoeKrogan@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Served in the Krogan uprisings. Now I run a podcast\n
      \n
      [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
      """
    +lastActive: DateTime @1729433101 {#4942
      date: 2024-10-20 16:05:01.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
    +entries: Doctrine\ORM\PersistentCollection {#4966 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
    +posts: Doctrine\ORM\PersistentCollection {#4974 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
    +follows: Doctrine\ORM\PersistentCollection {#4986 …}
    +followers: Doctrine\ORM\PersistentCollection {#4988 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
    +reports: Doctrine\ORM\PersistentCollection {#4998 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
    +violations: Doctrine\ORM\PersistentCollection {#5002 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
    +awards: Doctrine\ORM\PersistentCollection {#5006 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
    +categories: Doctrine\ORM\PersistentCollection {#5010 …}
    -id: 631
    -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
    +apId: "JoeKrogan@lemmy.world"
    +apProfileId: "https://lemmy.world/u/JoeKrogan"
    +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "JoeKrogan"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727412283 {#4943
      date: 2024-09-27 06:44:43.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686953184 {#4944
      date: 2023-06-17 00:06:24.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#12747
  +width: 40
  +height: 40
  +user: App\Entity\User {#4958
    +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
    +cover: null
    +email: "JoeKrogan@lemmy.world"
    +username: "@JoeKrogan@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: """
      Served in the Krogan uprisings. Now I run a podcast\n
      \n
      [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
      """
    +lastActive: DateTime @1729433101 {#4942
      date: 2024-10-20 16:05:01.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
    +entries: Doctrine\ORM\PersistentCollection {#4966 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
    +posts: Doctrine\ORM\PersistentCollection {#4974 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
    +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
    +follows: Doctrine\ORM\PersistentCollection {#4986 …}
    +followers: Doctrine\ORM\PersistentCollection {#4988 …}
    +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
    +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
    +reports: Doctrine\ORM\PersistentCollection {#4998 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
    +violations: Doctrine\ORM\PersistentCollection {#5002 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
    +awards: Doctrine\ORM\PersistentCollection {#5006 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
    +categories: Doctrine\ORM\PersistentCollection {#5010 …}
    -id: 631
    -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
    +apId: "JoeKrogan@lemmy.world"
    +apProfileId: "https://lemmy.world/u/JoeKrogan"
    +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "JoeKrogan"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727412283 {#4943
      date: 2024-09-27 06:44:43.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686953184 {#4944
      date: 2023-06-17 00:06:24.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.53 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff using insecure methods work on Wayland. Unfortunately, the ones that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
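        So this means that your shell configs should only be writable by root (via sudo), all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Keep in mind that once ~/.ssh and ~/.gnupg are owned by root with mode 700, `ssh` and `gpg` running as your normal user can no longer read the keys or write `known_hosts`, so this only fits setups where those tools are always run through sudo.\n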
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access; the three digits are for owner, group and everyone else; “-R”: recursively)\n
        \n
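        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that a root-owned file inside a directory your user can still write to (like your home directory itself, where ~/.bashrc and ~/.zshrc live) can be renamed or deleted by your user and replaced with a new file, so the owner change alone does not make these files tamper-proof.\n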
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also download any distro or bleeding edge container and scan it and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed are you.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Dont install what you dont need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries .
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#12842
  +subject: App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (using sudo), while everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
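        This may still be incomplete, and the protection is limited as long as random software can write to these directories at all, and as long as everything important is stored there. Because the home directory itself stays writable by your user, a root-owned `~/.bashrc` can still be renamed or deleted and a new one created in its place by anything running as you, so root ownership of the file alone does not stop tampering. Also note that once `~/.ssh` and `~/.gnupg` are owned by root with mode 700, ssh and gpg running as your normal user can no longer read their keys and configuration.\n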
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also download any distro or bleeding edge container and scan it and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed are you.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Dont install what you dont need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries .
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.74 ms
Input props
[
  "subject" => App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don’t install random apps from the internet\n
        \n
        This is the (old) Windows way, and the result of an OS not caring about its software. It often comes bundled with antivirus that is also outsourced, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app that is not in your distro’s repos, try Distrobox: create a Container from any image and install the app there. You can display the available images by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It’s best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don’t do weird stuff that relies on insecure methods. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros don’t get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don’t get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only via sudo, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
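        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Keep in mind that making a file root-owned does not stop it from being replaced while its parent directory still belongs to your user, and that with mode 700 and root as owner your own user needs sudo to read ~/.ssh and ~/.gnupg.\n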
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don’t know which is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility”, that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably don’t get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also, download any distro or bleeding edge container and scan it, and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed you are.\n
      \n
      Use a firewall, secure your browser and whitelist the sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Don’t install what you don’t need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also don’t run servers if you don’t know what you are doing. Use a non-networked VM to practice.\n
      \n
      Don’t blindly paste commands, and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#12899
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont rely on insecure methods work on Wayland. Unfortunately, the ones that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
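        (7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access, “-R”: recursively. With 700 and root as owner, programs running as your own user, such as ssh and gpg, can no longer read the keys in these directories.)\n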
        \n
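        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file can still be renamed or replaced by anything that can write to the directory containing it, so the parent directory matters as much as the file itself.\n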
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also download any distro or bleeding edge container and scan it and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed are you.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Dont install what you dont need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries .
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 5.36 ms
Input props
[
  "comment" => App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
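        So use official repos nearly exclusively. If there is an app that is not in your distro's repos, try Distrobox: create a Container from any image and install it there. Keep in mind that Distrobox shares your home directory with the container by default, so this keeps the base system clean but does not sandbox the app. You can display the images available by pressing tab after `-i`.\n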
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias to ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
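        So this means that your shell configs should only be writable by root (through sudo), while everyone else can only read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case; in that case your own user needs sudo to use the keys stored there.\n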
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
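        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file can still be renamed or replaced by anything that can write to the directory containing it, and your home directory stays writable by your user.\n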
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also, download any distro or bleeding-edge container and scan it, and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed you are.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal or open them in a VM. Don’t install what you don’t need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries.
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#13139
  +comment: App\Entity\EntryComment {#4945
    +user: App\Entity\User {#4958
      +avatar: Proxies\__CG__\App\Entity\Image {#4959 …}
      +cover: null
      +email: "JoeKrogan@lemmy.world"
      +username: "@JoeKrogan@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: """
        Served in the Krogan uprisings. Now I run a podcast\n
        \n
        [bdsmovement.net/get-involved/what-to-boycott](https://bdsmovement.net/get-involved/what-to-boycott)
        """
      +lastActive: DateTime @1729433101 {#4942
        date: 2024-10-20 16:05:01.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: true
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: false
      +notifyOnNewEntryCommentReply: false
      +notifyOnNewPost: false
      +notifyOnNewPostReply: false
      +notifyOnNewPostCommentReply: false
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#4960 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#4962 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#4964 …}
      +entries: Doctrine\ORM\PersistentCollection {#4966 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#4968 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#4970 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#4972 …}
      +posts: Doctrine\ORM\PersistentCollection {#4974 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#4976 …}
      +postComments: Doctrine\ORM\PersistentCollection {#4978 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#4980 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#4982 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#4984 …}
      +follows: Doctrine\ORM\PersistentCollection {#4986 …}
      +followers: Doctrine\ORM\PersistentCollection {#4988 …}
      +blocks: Doctrine\ORM\PersistentCollection {#4990 …}
      +blockers: Doctrine\ORM\PersistentCollection {#4992 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#4994 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#4996 …}
      +reports: Doctrine\ORM\PersistentCollection {#4998 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5000 …}
      +violations: Doctrine\ORM\PersistentCollection {#5002 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5004 …}
      +awards: Doctrine\ORM\PersistentCollection {#5006 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5008 …}
      +categories: Doctrine\ORM\PersistentCollection {#5010 …}
      -id: 631
      -password: "$2y$13$7CyDw2HCd1FueY2hsPclmeoRialnw74IYeVSakPJLpDzVmGnf8GCC"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5012 …}
      +apId: "JoeKrogan@lemmy.world"
      +apProfileId: "https://lemmy.world/u/JoeKrogan"
      +apPublicUrl: "https://lemmy.world/u/JoeKrogan"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "JoeKrogan"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727412283 {#4943
        date: 2024-09-27 06:44:43.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1686953184 {#4944
        date: 2023-06-17 00:06:24.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Sadly, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
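        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, changing the owner of a file does not stop it from being replaced: as long as your user owns the parent directory (your home), any process running as you can still rename the root-owned file or directory and create a new one in its place; only the immutable attribute (`chattr +i`) prevents that. Also keep in mind that after `chown -R root` with mode 700 your own user can no longer read `~/.ssh` and `~/.gnupg`, so ssh and gpg will only work through sudo.\n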
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that makes it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: """
      I don’t agree with avoiding stable distros. In the case of Debian for example stable gets priority on security patches. Just subscribe to the security mailing list and have auto updates on.\n
      \n
      Also download any distro or bleeding edge container and scan it and you’ll have vulnerabilities in some library. The ecosystem is always moving. The question is how exposed are you.\n
      \n
      Use a firewall, secure your browser and whitelist sites you trust to run JS. Stick to repos. Scan downloaded files via VirusTotal (anything you upload there is shared with third parties, so keep private documents out of it) or open them in a VM. Dont install what you dont need.\n
      \n
      You are far more likely to get compromised in a site breach than to get hacked. The browser is the main attack vector that you need to secure.\n
      \n
      Also dont run servers if you dont know what you are doing. Use a non networked VM to practice.\n
      \n
      Dont blindly paste commands and be sure to read the source before you compile and run some random program.\n
      \n
      Watch out for rogue containers and libraries .
      """
    +lang: "en"
    +isAdult: false
    +favouriteCount: 9
    +score: 0
    +lastActive: DateTime @1700851663 {#4939
      date: 2023-11-24 19:47:43.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#4946 …}
    +nested: Doctrine\ORM\PersistentCollection {#4948 …}
    +votes: Doctrine\ORM\PersistentCollection {#4950 …}
    +reports: Doctrine\ORM\PersistentCollection {#4952 …}
    +favourites: Doctrine\ORM\PersistentCollection {#4954 …}
    +notifications: Doctrine\ORM\PersistentCollection {#4956 …}
    -id: 159508
    -bodyTs: "'agre':4 'also':34,127 'alway':56 'attack':120 'auto':31 'avoid':6 'bleed':39 'blind':147 'breach':110 'browser':70,116 'case':11 'command':149 'compil':159 'compromis':106 'contain':41,169 'debian':13 'disto':37 'distro':8 'dont':93,97,128,133,146 'download':35,83 'ecosystem':54 'edg':40 'exampl':15 'expos':62 'far':101 'file':84 'firewal':67 'get':17,105,113 'hack':114 'instal':94 'js':78 'know':134 'librari':52,171 'like':103 'list':28 'll':47 'mail':27 'main':119 'move':57 'need':98,124 'network':142 'non':141 'open':89 'past':148 'patch':21 'practic':145 'prioriti':18 'program':164 'question':59 'random':163 'read':154 'repo':81 'rogu':168 'run':77,129,161 'scan':43,82 'secur':20,26,68,126 'server':130 'site':73,109 'sourc':156 'stabl':7,16 'stick':79 'subscrib':23 'sure':152 'total':87 'trust':75 'updat':32 'use':65,139 'vector':121 'via':85 'virus':86 'vm':92,143 'vulner':49 'watch':165 'whitelist':72"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5554988"
    +editedAt: DateTimeImmutable @1701403267 {#4940
      date: 2023-12-01 05:01:07.0 +01:00
    }
    +createdAt: DateTimeImmutable @1700851663 {#4941
      date: 2023-11-24 19:47:43.0 +01:00
    }
  }
  +nestedComments: []
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 38.69 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some effords combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t do weird stuff using insecure methods work on Wayland. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, “-R”: recursively)\n
        \n
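        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two caveats: root ownership of a file only protects it while the parent directory (here your home directory or `~/.config`) is also not writable by your user, and a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user, so ssh and gpg will need adjusting or will stop working for that account.\n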
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important for verifying that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not too much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#13209
  +comment: App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. through sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursively)\n
        \n
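        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (a root-owned file can still be renamed or replaced by anything that is allowed to write to the directory containing it), and as long as everything important is stored there.\n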
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not too much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.19 ms
Input props
[
  "user" => App\Entity\User {#5032
    +avatar: null
    +cover: null
    +email: "slice@feddit.de"
    +username: "@slice@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701376723 {#5016
      date: 2023-11-30 21:38:43.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
    +entries: Doctrine\ORM\PersistentCollection {#5039 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
    +posts: Doctrine\ORM\PersistentCollection {#5047 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
    +follows: Doctrine\ORM\PersistentCollection {#5059 …}
    +followers: Doctrine\ORM\PersistentCollection {#5061 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
    +reports: Doctrine\ORM\PersistentCollection {#5071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
    +violations: Doctrine\ORM\PersistentCollection {#5075 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
    +awards: Doctrine\ORM\PersistentCollection {#5079 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
    +categories: Doctrine\ORM\PersistentCollection {#5083 …}
    -id: 50269
    -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
    +apId: "slice@feddit.de"
    +apProfileId: "https://feddit.de/u/slice"
    +apPublicUrl: "https://feddit.de/u/slice"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "slice"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721261449 {#5017
      date: 2024-07-18 02:10:49.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696502558 {#5018
      date: 2023-10-05 12:42:38.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#13254
  +user: App\Entity\User {#5032
    +avatar: null
    +cover: null
    +email: "slice@feddit.de"
    +username: "@slice@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701376723 {#5016
      date: 2023-11-30 21:38:43.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
    +entries: Doctrine\ORM\PersistentCollection {#5039 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
    +posts: Doctrine\ORM\PersistentCollection {#5047 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
    +follows: Doctrine\ORM\PersistentCollection {#5059 …}
    +followers: Doctrine\ORM\PersistentCollection {#5061 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
    +reports: Doctrine\ORM\PersistentCollection {#5071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
    +violations: Doctrine\ORM\PersistentCollection {#5075 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
    +awards: Doctrine\ORM\PersistentCollection {#5079 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
    +categories: Doctrine\ORM\PersistentCollection {#5083 …}
    -id: 50269
    -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
    +apId: "slice@feddit.de"
    +apProfileId: "https://feddit.de/u/slice"
    +apPublicUrl: "https://feddit.de/u/slice"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "slice"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721261449 {#5017
      date: 2024-07-18 02:10:49.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696502558 {#5018
      date: 2023-10-05 12:42:38.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.22 ms
Input props
[
  "date" => DateTimeImmutable @1700844713 {#5015
    date: 2023-11-24 17:51:53.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#13309
  +date: DateTimeImmutable @1700844713 {#5015
    date: 2023-11-24 17:51:53.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.10 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700844713 {#5015
    date: 2023-11-24 17:51:53.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#13363
  +createdAt: DateTimeImmutable @1700844713 {#5015
    date: 2023-11-24 17:51:53.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 0.18 ms
Input props
[
  "user" => App\Entity\User {#5032
    +avatar: null
    +cover: null
    +email: "slice@feddit.de"
    +username: "@slice@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701376723 {#5016
      date: 2023-11-30 21:38:43.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
    +entries: Doctrine\ORM\PersistentCollection {#5039 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
    +posts: Doctrine\ORM\PersistentCollection {#5047 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
    +follows: Doctrine\ORM\PersistentCollection {#5059 …}
    +followers: Doctrine\ORM\PersistentCollection {#5061 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
    +reports: Doctrine\ORM\PersistentCollection {#5071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
    +violations: Doctrine\ORM\PersistentCollection {#5075 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
    +awards: Doctrine\ORM\PersistentCollection {#5079 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
    +categories: Doctrine\ORM\PersistentCollection {#5083 …}
    -id: 50269
    -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
    +apId: "slice@feddit.de"
    +apProfileId: "https://feddit.de/u/slice"
    +apPublicUrl: "https://feddit.de/u/slice"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "slice"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721261449 {#5017
      date: 2024-07-18 02:10:49.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696502558 {#5018
      date: 2023-10-05 12:42:38.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#13417
  +width: 40
  +height: 40
  +user: App\Entity\User {#5032
    +avatar: null
    +cover: null
    +email: "slice@feddit.de"
    +username: "@slice@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1701376723 {#5016
      date: 2023-11-30 21:38:43.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
    +entries: Doctrine\ORM\PersistentCollection {#5039 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
    +posts: Doctrine\ORM\PersistentCollection {#5047 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
    +follows: Doctrine\ORM\PersistentCollection {#5059 …}
    +followers: Doctrine\ORM\PersistentCollection {#5061 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
    +reports: Doctrine\ORM\PersistentCollection {#5071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
    +violations: Doctrine\ORM\PersistentCollection {#5075 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
    +awards: Doctrine\ORM\PersistentCollection {#5079 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
    +categories: Doctrine\ORM\PersistentCollection {#5083 …}
    -id: 50269
    -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
    +apId: "slice@feddit.de"
    +apProfileId: "https://feddit.de/u/slice"
    +apPublicUrl: "https://feddit.de/u/slice"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "slice"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721261449 {#5017
      date: 2024-07-18 02:10:49.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696502558 {#5018
      date: 2023-10-05 12:42:38.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.47 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It often comes bundled with outsourced antivirus software as well, or with scanning of all files you download.\n
        \n
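        So use official repos nearly exclusively. If there is an app that is not in your distro's repos, try Distrobox: create a container from any image and install it there. Keep in mind that a Distrobox container shares your home directory with the host by default, so it keeps the host system clean rather than isolating the app. You can display the images available by pressing tab after `-i`.\n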
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (don't use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias to ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
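        So this means that your shell configs should only be writable by root; all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Note that with mode 700 and root ownership your own user can no longer read these directories, so ssh and gpg run as that user cannot use the keys stored there.\n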
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
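        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing the owner of a single file does not change that: while the directory containing it is writable by your user, a root-owned file in it can still be renamed or deleted and a new one created in its place.\n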
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft that would make it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not to much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#13486
  +subject: App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It is often bundled with an outsourced antivirus as well, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them; for example, any app on an X11 session can watch the keypresses and screen contents of other apps. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the “weird stuff” includes screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
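        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing the owner of a single file does not help much while your home directory itself stays writable by your user, because whoever can write to a directory can rename or delete the files in it, no matter who owns them, and create new ones; bash also reads other startup files such as ~/.profile. Also note that with ~/.ssh and ~/.gnupg owned by root and mode 700, ssh and gpg running as your normal user can no longer read their keys and config.\n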
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not too much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 0.68 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or add the verified repo directly), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
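        So this means that your shell configs should only be writable by root (via sudo); everyone else can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Note that with owner root and mode 700, as in the commands below, your own user can no longer read these directories, so ssh and gpg run as your user will not find their keys or config.\n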
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
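        This may still be incomplete, and the protection is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a directory your user can still write to (such as your home directory) can be renamed or deleted and replaced with a new file, so root ownership of the file alone does not stop it from being swapped out.\n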
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft that makes it work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not too much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#13543
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do rely on such methods include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (i.e. through sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, which could even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
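        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Two things to keep in mind: your home directory itself stays writable by your user, so a root-owned file in it can still be renamed or replaced by anything running as you (on filesystems that support it, setting the immutable flag with `sudo chattr +i` on the file is one way to close that); and with root-owned 700 on ~/.ssh and ~/.gnupg, ssh and gpg started as your user can no longer read their keys.\n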
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS (more precisely, the boot chain that starts it) was not tampered with. Many Distros support it, even if they have no agreement with Microsoft that would make it work out of the box; those generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not to much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 3.81 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified; look at flathub.org or add the verified repo directly), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the apps that do break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
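        So this means that your shell configs should be writable only by root; all others can only read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case (with ~/.ssh owned by root and mode 700, ssh running as your own user can no longer read the keys or known_hosts in it).\n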
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
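        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all (a process that can write to the directory holding a root-owned file can still rename or delete that file and put its own copy in its place), and as long as everything important is stored there.\n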
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it; some may not have an agreement with Microsoft and so do not work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not too much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#13783
  +comment: App\Entity\EntryComment {#5019
    +user: App\Entity\User {#5032
      +avatar: null
      +cover: null
      +email: "slice@feddit.de"
      +username: "@slice@feddit.de"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: null
      +lastActive: DateTime @1701376723 {#5016
        date: 2023-11-30 21:38:43.0 +01:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5033 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5035 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5037 …}
      +entries: Doctrine\ORM\PersistentCollection {#5039 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5041 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5043 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5045 …}
      +posts: Doctrine\ORM\PersistentCollection {#5047 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5049 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5051 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5053 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5055 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5057 …}
      +follows: Doctrine\ORM\PersistentCollection {#5059 …}
      +followers: Doctrine\ORM\PersistentCollection {#5061 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5063 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5065 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5067 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5069 …}
      +reports: Doctrine\ORM\PersistentCollection {#5071 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5073 …}
      +violations: Doctrine\ORM\PersistentCollection {#5075 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5077 …}
      +awards: Doctrine\ORM\PersistentCollection {#5079 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5081 …}
      +categories: Doctrine\ORM\PersistentCollection {#5083 …}
      -id: 50269
      -password: "$2y$13$rE2bNVLvB1huKZDmnM4jSuLvVutg7xv7vcK7mzOVxK4ItbVFMQ37."
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5085 …}
      +apId: "slice@feddit.de"
      +apProfileId: "https://feddit.de/u/slice"
      +apPublicUrl: "https://feddit.de/u/slice"
      +apFollowersUrl: null
      +apInboxUrl: "https://feddit.de/inbox"
      +apDomain: "feddit.de"
      +apPreferredUsername: "slice"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1721261449 {#5017
        date: 2024-07-18 02:10:49.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696502558 {#5018
        date: 2023-10-05 12:42:38.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but it requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland, as long as they dont do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (The three digits apply to owner, group and everyone else. 7: **r**ead **w**rite e**x**ecute, 5: read execute, 0: no access; “-R”: recursively)\n
        \n
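        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Your user still owns the home directory itself, so a root-owned file or folder in it can be renamed out of the way and replaced with a new one; the immutable attribute (`chattr +i`) is the usual way to prevent that, on filesystems that support it. Also, once ~/.ssh and ~/.gnupg belong to root with mode 700, ssh and gpg running as your user can no longer read your keys.\n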
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility”, that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably don't get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with (it checks the signatures of the bootloader and kernel at boot, not the rest of the system). Many Distros support it, even though some have no agreement with Microsoft that would make it work out of the box and instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Great List. I’m not to much into security so I can’t add anything"
    +lang: "en"
    +isAdult: false
    +favouriteCount: 1
    +score: 0
    +lastActive: DateTime @1700844713 {#5014
      date: 2023-11-24 17:51:53.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5020 …}
    +nested: Doctrine\ORM\PersistentCollection {#5022 …}
    +votes: Doctrine\ORM\PersistentCollection {#5024 …}
    +reports: Doctrine\ORM\PersistentCollection {#5026 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5028 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5030 …}
    -id: 159119
    -bodyTs: "'add':14 'anyth':15 'great':1 'list':2 'm':4 'much':7 'secur':9"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://feddit.de/comment/5110654"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700844713 {#5015
      date: 2023-11-24 17:51:53.0 +01:00
    }
  }
  +nestedComments: []
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
entry_comment App\Twig\Components\EntryCommentComponent 14.0 MiB 51.61 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It is often paired with outsourced antivirus software, or with scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
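        Some repos are more or less controlled (anyone with an account can publish to a PPA, the AUR or COPR, and installing a package lets its scripts run as root), so be careful!\n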
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it: any app connected to the X server can watch the keystrokes and screen contents of every other app. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided for at least a year, until they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that dont do weird stuff using insecure methods work on Wayland. Unfortunately, the apps that break include screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all other users can only read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute; the three digits apply to owner, group and others in that order; “-R”: recursively)\n
        \n
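        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a root-owned file inside a home directory that your user can still write to can be renamed or deleted and recreated by anything running as your user, so the ownership change alone does not protect e.g. ~/.bashrc; setting the immutable attribute (`sudo chattr +i ~/.bashrc`, on filesystems that support it) also blocks renaming and deletion. Also note that with ~/.ssh and ~/.gnupg owned by root with mode 700, your own user can no longer read them, so ssh and gpg run as your user will no longer be able to use them.\n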
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box and instead generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  "showNested" => true
  "dateAsUrl" => false
  "showMagazineName" => false
  "showEntryTitle" => false
]
Attributes
[]
Component
App\Twig\Components\EntryCommentComponent {#13853
  +comment: App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
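        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`. Keep in mind that Distrobox is not a sandbox: by default the container shares your home directory with the host, so this keeps your host system clean but does not isolate an untrusted app from your files.\n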
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        should be avoided until they have full Wayland support, which will take at least a year. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts get combined, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and lots of Remote Desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception to the above is malware that simply creates a bash alias for ***anything***: that way a sudo password can easily be grabbed, or a second command executed, whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (through sudo); everyone else should only be able to read them! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
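        This may still be incomplete, and the protection is pretty weak as long as random software can write to the directories that contain these files at all, and as long as everything important is stored there: a process running as your user can still rename or replace a root-owned file or directory inside a directory your user owns, such as your home directory. Also keep in mind that with mode 700 and root ownership, ssh and gpg running as your user can no longer read their keys and configuration in ~/.ssh and ~/.gnupg.\n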
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](https://configurelaptop.eu) for EU people, they partner with [3mdeb](https://3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](https://shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though some have no agreement with Microsoft and so do not work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  +showMagazineName: false
  +showEntryTitle: false
  +showNested: true
  +level: 1
  +canSeeTrash: false
  +dateAsUrl: false
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -authorizationChecker: Symfony\Component\Security\Core\Authorization\AuthorizationChecker {#931 …}
}
user_inline App\Twig\Components\UserInlineComponent 14.0 MiB 0.14 ms
Input props
[
  "user" => App\Entity\User {#5105
    +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
    +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
    +email: "GustavoM@lemmy.world"
    +username: "@GustavoM@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "Definitely Not GustavoM. :^)"
    +lastActive: DateTime @1719679748 {#5089
      date: 2024-06-29 18:49:08.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
    +entries: Doctrine\ORM\PersistentCollection {#5114 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
    +posts: Doctrine\ORM\PersistentCollection {#5122 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
    +follows: Doctrine\ORM\PersistentCollection {#5134 …}
    +followers: Doctrine\ORM\PersistentCollection {#5136 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
    +reports: Doctrine\ORM\PersistentCollection {#5146 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
    +violations: Doctrine\ORM\PersistentCollection {#5150 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
    +awards: Doctrine\ORM\PersistentCollection {#5154 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
    +categories: Doctrine\ORM\PersistentCollection {#5158 …}
    -id: 55594
    -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
    +apId: "GustavoM@lemmy.world"
    +apProfileId: "https://lemmy.world/u/GustavoM"
    +apPublicUrl: "https://lemmy.world/u/GustavoM"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "GustavoM"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727835761 {#5090
      date: 2024-10-02 04:22:41.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696981499 {#5091
      date: 2023-10-11 01:44:59.0 +02:00
    }
  }
  "showAvatar" => false
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#13898
  +user: App\Entity\User {#5105
    +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
    +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
    +email: "GustavoM@lemmy.world"
    +username: "@GustavoM@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "Definitely Not GustavoM. :^)"
    +lastActive: DateTime @1719679748 {#5089
      date: 2024-06-29 18:49:08.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
    +entries: Doctrine\ORM\PersistentCollection {#5114 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
    +posts: Doctrine\ORM\PersistentCollection {#5122 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
    +follows: Doctrine\ORM\PersistentCollection {#5134 …}
    +followers: Doctrine\ORM\PersistentCollection {#5136 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
    +reports: Doctrine\ORM\PersistentCollection {#5146 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
    +violations: Doctrine\ORM\PersistentCollection {#5150 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
    +awards: Doctrine\ORM\PersistentCollection {#5154 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
    +categories: Doctrine\ORM\PersistentCollection {#5158 …}
    -id: 55594
    -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
    +apId: "GustavoM@lemmy.world"
    +apProfileId: "https://lemmy.world/u/GustavoM"
    +apPublicUrl: "https://lemmy.world/u/GustavoM"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "GustavoM"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727835761 {#5090
      date: 2024-10-02 04:22:41.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696981499 {#5091
      date: 2023-10-11 01:44:59.0 +02:00
    }
  }
  +showAvatar: false
}
date App\Twig\Components\DateComponent 14.0 MiB 0.14 ms
Input props
[
  "date" => DateTimeImmutable @1700842891 {#5088
    date: 2023-11-24 17:21:31.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#13953
  +date: DateTimeImmutable @1700842891 {#5088
    date: 2023-11-24 17:21:31.0 +01:00
  }
}
date_edited App\Twig\Components\DateEditedComponent 14.0 MiB 0.09 ms
Input props
[
  "createdAt" => DateTimeImmutable @1700842891 {#5088
    date: 2023-11-24 17:21:31.0 +01:00
  }
  "editedAt" => null
]
Attributes
[]
Component
App\Twig\Components\DateEditedComponent {#14007
  +createdAt: DateTimeImmutable @1700842891 {#5088
    date: 2023-11-24 17:21:31.0 +01:00
  }
  +editedAt: null
}
user_avatar App\Twig\Components\UserAvatarComponent 14.0 MiB 10.00 ms
Input props
[
  "user" => App\Entity\User {#5105
    +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
    +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
    +email: "GustavoM@lemmy.world"
    +username: "@GustavoM@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "Definitely Not GustavoM. :^)"
    +lastActive: DateTime @1719679748 {#5089
      date: 2024-06-29 18:49:08.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
    +entries: Doctrine\ORM\PersistentCollection {#5114 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
    +posts: Doctrine\ORM\PersistentCollection {#5122 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
    +follows: Doctrine\ORM\PersistentCollection {#5134 …}
    +followers: Doctrine\ORM\PersistentCollection {#5136 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
    +reports: Doctrine\ORM\PersistentCollection {#5146 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
    +violations: Doctrine\ORM\PersistentCollection {#5150 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
    +awards: Doctrine\ORM\PersistentCollection {#5154 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
    +categories: Doctrine\ORM\PersistentCollection {#5158 …}
    -id: 55594
    -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
    +apId: "GustavoM@lemmy.world"
    +apProfileId: "https://lemmy.world/u/GustavoM"
    +apPublicUrl: "https://lemmy.world/u/GustavoM"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "GustavoM"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727835761 {#5090
      date: 2024-10-02 04:22:41.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696981499 {#5091
      date: 2023-10-11 01:44:59.0 +02:00
    }
  }
  "width" => 40
  "height" => 40
  "asLink" => true
]
Attributes
[]
Component
App\Twig\Components\UserAvatarComponent {#14061
  +width: 40
  +height: 40
  +user: App\Entity\User {#5105
    +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
    +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
    +email: "GustavoM@lemmy.world"
    +username: "@GustavoM@lemmy.world"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: "Definitely Not GustavoM. :^)"
    +lastActive: DateTime @1719679748 {#5089
      date: 2024-06-29 18:49:08.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
    +entries: Doctrine\ORM\PersistentCollection {#5114 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
    +posts: Doctrine\ORM\PersistentCollection {#5122 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
    +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
    +follows: Doctrine\ORM\PersistentCollection {#5134 …}
    +followers: Doctrine\ORM\PersistentCollection {#5136 …}
    +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
    +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
    +reports: Doctrine\ORM\PersistentCollection {#5146 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
    +violations: Doctrine\ORM\PersistentCollection {#5150 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
    +awards: Doctrine\ORM\PersistentCollection {#5154 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
    +categories: Doctrine\ORM\PersistentCollection {#5158 …}
    -id: 55594
    -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
    +apId: "GustavoM@lemmy.world"
    +apProfileId: "https://lemmy.world/u/GustavoM"
    +apPublicUrl: "https://lemmy.world/u/GustavoM"
    +apFollowersUrl: null
    +apInboxUrl: "https://lemmy.world/inbox"
    +apDomain: "lemmy.world"
    +apPreferredUsername: "GustavoM"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1727835761 {#5090
      date: 2024-10-02 04:22:41.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696981499 {#5091
      date: 2023-10-11 01:44:59.0 +02:00
    }
  }
  +asLink: true
}
vote App\Twig\Components\VoteComponent 14.0 MiB 0.47 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Sadly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
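        So this means that your shell configs should only be writable by root, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by root depending on your use case. Keep in mind that once ~/.ssh and ~/.gnupg are mode 700 and owned by root, ssh and gpg started as your normal user can no longer read their keys or config.\n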
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively)\n
        \n
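        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. The home directory itself stays owned by your user, so root ownership of a file or folder inside it does not stop a process running as you from renaming or replacing it; verify the owner and mode of these paths regularly.\n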
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\VoteComponent {#14132
  +subject: App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. It is often also bundled with outsourced antivirus, or with scanning of all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff using insecure methods work on Wayland. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, which may even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead, **w**rite, e**x**ecute; 5: read, execute; “-R”: recursively)\n
        \n
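        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Changing the owner also does not stop a file from being replaced as long as its parent directory (for example your home directory) is writable by your user, and with owner root and mode 700 your own user can no longer read ~/.ssh and ~/.gnupg without sudo.\n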
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  +formDest: "entry_comment"
  +showDownvote: true
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
boost App\Twig\Components\BoostComponent 14.0 MiB 9.37 ms
Input props
[
  "subject" => App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don’t install random apps from the internet\n
        \n
        This is the (old) Windows way, and the result of an OS not caring about its software. It often comes bundled with outsourced antivirus software, or with scanning all files you download.\n
        \n
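        So use official repos nearly exclusively. If there is an app not in your distro’s repos, try Distrobox: create a container of any image and install it there. Keep in mind that Distrobox keeps the app’s packages off your host system but is not a sandbox: by default the container shares your home directory with the host. You can display the images available by pressing tab after `-i`.\n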
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It’s best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break anything.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them: any app connected to the X server can read the input and window contents of every other app. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland as long as they don’t do weird stuff that relies on insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is malware that simply creates a bash alias for ***anything***. That way a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”: recursively; the three digits apply to owner, group and others)\n
        \n
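        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Root-owning a file only protects its contents: whether a file can be renamed or replaced is decided by the permissions of the directory containing it, and your home directory stays writable by your user.\n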
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don’t know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\BoostComponent {#14189
  +formDest: "entry_comment"
  +subject: App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts are combined, with Desktops using existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don’t do weird stuff using insecure methods work on Wayland. Unfortunately, this “weird stuff” includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); all others can only read! The same goes for ~/.gnupg or ~/.ssh, maybe even only readable by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        ```\n
        \n
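        (7: **r**ead, **w**rite, e**x**ecute; 5: read and execute; “-R”: recursively). Mode 700 with root as the owner also means your own user can no longer read `~/.ssh` or `~/.gnupg`, so `ssh` and `gpg` run as that user cannot use the keys stored there.\n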
        \n
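        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. A root-owned `~/.bashrc` or `~/.zshrc` still sits directly in a home directory that your user can write to, and a process that can write to a directory can normally rename or replace the files in it regardless of who owns them, so treat these permissions as a speed bump rather than a guarantee.\n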
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
}
entry_comments_nested App\Twig\Components\EntryCommentsNestedComponent 14.0 MiB 15.74 ms
Input props
[
  "comment" => App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I have used Linux for quite a while and would like to gather some security advice, both well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Don't install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
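        So use official repos nearly exclusively. If there is an app that is not in your distro's repos, try Distrobox: create a container from any image and install the app there. You can display the available images by pressing tab after `-i`. Keep in mind that a Distrobox container shares your home directory with the host by default, so it keeps foreign packages off the base system but is not a sandbox for the app itself.\n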
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big that nobody cared to fix them. Instead, Wayland was created with much tighter (and more modern) restrictions, requiring portals for apps to do things like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but it requires desktops to do more work. It can be expected (and hoped) that at least some efforts will be combined, with desktops using existing compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps that don't do weird stuff relying on insecure methods work on Wayland. Unfortunately, the ones that do include screen readers and a lot of remote desktop software, as well as screen recording. But things will evolve, and there are apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable distros don't get regular updates of every package that… gets an update; instead they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security-related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus don't get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by root (via sudo); everyone else can only read! The same goes for ~/.gnupg or ~/.ssh, which maybe should even be readable only by root, depending on your use case.\n
        \n
        ```\n
        \n
        sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc\n
        sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh\n
        sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg\n
        sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc\n
        sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/\n
        sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart\n
        #sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications\n
        \n
        ```\n
        \n
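        (7: **r**ead **w**rite e**x**ecute, 5: read and execute, 0: no access; “-R”: recursively. Because the owner is changed to root, mode 700 means your own user can no longer read `~/.ssh` or `~/.gnupg` without sudo.)\n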
        \n
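        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. In particular, a single file such as `~/.bashrc` sits directly in your home directory, which your user can still write to, and write access to a directory is enough to replace a file in it regardless of who owns the file.\n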
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but it will break, for example, KDE's GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I don't know which is better, but I feel secure on Fedora with SELinux set to enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated, to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates & Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important, to verify that your OS was not tampered with. Many distros support it, even though they may not have an agreement with Microsoft that would make it work out of the box; instead they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a raspberry pi and using it as a DNS sinkhole/recursive dns under docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. Been doing this over several years and never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  "level" => 1
  "showNested" => true
  "view" => "tree"
]
Attributes
[
  "showNested" => true
]
Component
App\Twig\Components\EntryCommentsNestedComponent {#14429
  +comment: App\Entity\EntryComment {#5092
    +user: App\Entity\User {#5105
      +avatar: Proxies\__CG__\App\Entity\Image {#5106 …}
      +cover: Proxies\__CG__\App\Entity\Image {#5107 …}
      +email: "GustavoM@lemmy.world"
      +username: "@GustavoM@lemmy.world"
      +roles: []
      +followersCount: 0
      +homepage: "front"
      +about: "Definitely Not GustavoM. :^)"
      +lastActive: DateTime @1719679748 {#5089
        date: 2024-06-29 18:49:08.0 +02:00
      }
      +markedForDeletionAt: null
      +fields: null
      +oauthGithubId: null
      +oauthGoogleId: null
      +oauthFacebookId: null
      +oauthKeycloakId: null
      +hideAdult: true
      +showSubscribedUsers: true
      +showSubscribedMagazines: true
      +showSubscribedDomains: true
      +preferredLanguages: []
      +featuredMagazines: null
      +showProfileSubscriptions: false
      +showProfileFollowings: true
      +markNewComments: false
      +notifyOnNewEntry: false
      +notifyOnNewEntryReply: true
      +notifyOnNewEntryCommentReply: true
      +notifyOnNewPost: false
      +notifyOnNewPostReply: true
      +notifyOnNewPostCommentReply: true
      +addMentionsEntries: false
      +addMentionsPosts: true
      +isBanned: false
      +isVerified: false
      +isDeleted: false
      +isBot: false
      +spamProtection: true
      +customCss: null
      +ignoreMagazinesCustomCss: false
      +moderatorTokens: Doctrine\ORM\PersistentCollection {#5108 …}
      +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#5110 …}
      +moderatorRequests: Doctrine\ORM\PersistentCollection {#5112 …}
      +entries: Doctrine\ORM\PersistentCollection {#5114 …}
      +entryVotes: Doctrine\ORM\PersistentCollection {#5116 …}
      +entryComments: Doctrine\ORM\PersistentCollection {#5118 …}
      +entryCommentVotes: Doctrine\ORM\PersistentCollection {#5120 …}
      +posts: Doctrine\ORM\PersistentCollection {#5122 …}
      +postVotes: Doctrine\ORM\PersistentCollection {#5124 …}
      +postComments: Doctrine\ORM\PersistentCollection {#5126 …}
      +postCommentVotes: Doctrine\ORM\PersistentCollection {#5128 …}
      +subscriptions: Doctrine\ORM\PersistentCollection {#5130 …}
      +subscribedDomains: Doctrine\ORM\PersistentCollection {#5132 …}
      +follows: Doctrine\ORM\PersistentCollection {#5134 …}
      +followers: Doctrine\ORM\PersistentCollection {#5136 …}
      +blocks: Doctrine\ORM\PersistentCollection {#5138 …}
      +blockers: Doctrine\ORM\PersistentCollection {#5140 …}
      +blockedMagazines: Doctrine\ORM\PersistentCollection {#5142 …}
      +blockedDomains: Doctrine\ORM\PersistentCollection {#5144 …}
      +reports: Doctrine\ORM\PersistentCollection {#5146 …}
      +favourites: Doctrine\ORM\PersistentCollection {#5148 …}
      +violations: Doctrine\ORM\PersistentCollection {#5150 …}
      +notifications: Doctrine\ORM\PersistentCollection {#5152 …}
      +awards: Doctrine\ORM\PersistentCollection {#5154 …}
      +subscribedCategories: Doctrine\ORM\PersistentCollection {#5156 …}
      +categories: Doctrine\ORM\PersistentCollection {#5158 …}
      -id: 55594
      -password: "$2y$13$3rtBI4j23F.4f2HFNduFZ.ylG7FHwAbghmxkem/xJ.FpSGPS6xPYO"
      -totpSecret: null
      -totpBackupCodes: []
      -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#5160 …}
      +apId: "GustavoM@lemmy.world"
      +apProfileId: "https://lemmy.world/u/GustavoM"
      +apPublicUrl: "https://lemmy.world/u/GustavoM"
      +apFollowersUrl: null
      +apInboxUrl: "https://lemmy.world/inbox"
      +apDomain: "lemmy.world"
      +apPreferredUsername: "GustavoM"
      +apDiscoverable: true
      +apManuallyApprovesFollowers: false
      +privateKey: null
      +publicKey: null
      +apFetchedAt: DateTime @1727835761 {#5090
        date: 2024-10-02 04:22:41.0 +02:00
      }
      +apDeletedAt: null
      +apTimeoutAt: null
      +visibility: "visible             "
      +createdAt: DateTimeImmutable @1696981499 {#5091
        date: 2023-10-11 01:44:59.0 +02:00
      }
    }
    +entry: App\Entity\Entry {#2400
      +user: Proxies\__CG__\App\Entity\User {#1978
        +avatar: null
        +cover: null
        +email: "Pantherina@feddit.de"
        +username: "@Pantherina@feddit.de"
        +roles: []
        +followersCount: 0
        +homepage: "front"
        +about: null
        +lastActive: DateTime @1721498243 {#1515
          date: 2024-07-20 19:57:23.0 +02:00
        }
        +markedForDeletionAt: null
        +fields: null
        +oauthGithubId: null
        +oauthGoogleId: null
        +oauthFacebookId: null
        +oauthKeycloakId: null
        +hideAdult: true
        +showSubscribedUsers: true
        +showSubscribedMagazines: true
        +showSubscribedDomains: true
        +preferredLanguages: []
        +featuredMagazines: null
        +showProfileSubscriptions: false
        +showProfileFollowings: true
        +markNewComments: false
        +notifyOnNewEntry: false
        +notifyOnNewEntryReply: true
        +notifyOnNewEntryCommentReply: true
        +notifyOnNewPost: false
        +notifyOnNewPostReply: true
        +notifyOnNewPostCommentReply: true
        +addMentionsEntries: false
        +addMentionsPosts: true
        +isBanned: false
        +isVerified: false
        +isDeleted: false
        +isBot: false
        +spamProtection: true
        +customCss: null
        +ignoreMagazinesCustomCss: false
        +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
        +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
        +entries: Doctrine\ORM\PersistentCollection {#1406 …}
        +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
        +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
        +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
        +posts: Doctrine\ORM\PersistentCollection {#1745 …}
        +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
        +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
        +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
        +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
        +follows: Doctrine\ORM\PersistentCollection {#1409 …}
        +followers: Doctrine\ORM\PersistentCollection {#1624 …}
        +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
        +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
        +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
        +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
        +reports: Doctrine\ORM\PersistentCollection {#1416 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
        +violations: Doctrine\ORM\PersistentCollection {#1694 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
        +awards: Doctrine\ORM\PersistentCollection {#1434 …}
        +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
        +categories: Doctrine\ORM\PersistentCollection {#1640 …}
        -id: 48318
        -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
        -totpSecret: null
        -totpBackupCodes: []
        -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
        +apId: "Pantherina@feddit.de"
        +apProfileId: "https://feddit.de/u/Pantherina"
        +apPublicUrl: "https://feddit.de/u/Pantherina"
        +apFollowersUrl: null
        +apInboxUrl: "https://feddit.de/inbox"
        +apDomain: "feddit.de"
        +apPreferredUsername: "Pantherina"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: false
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1721236644 {#1516
          date: 2024-07-17 19:17:24.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1696428300 {#1518
          date: 2023-10-04 16:05:00.0 +02:00
        }
        +__isInitialized__: true
         …2
      }
      +magazine: App\Entity\Magazine {#265
        +icon: Proxies\__CG__\App\Entity\Image {#246 …}
        +name: "linux@lemmy.ml"
        +title: "linux"
        +description: """
          From Wikipedia, the free encyclopedia\n
          \n
          Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
          \n
          Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
          \n
          ### Rules\n
          \n
          - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
          - No misinformation\n
          - No NSFW content\n
          - No hate speech, bigotry, etc\n
          \n
          ### Related Communities\n
          \n
          - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
          - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
          - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
          - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
          \n
          Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
          """
        +rules: null
        +subscriptionsCount: 1
        +entryCount: 1406
        +entryCommentCount: 28632
        +postCount: 6
        +postCommentCount: 214
        +isAdult: false
        +customCss: null
        +lastActive: DateTime @1729583542 {#275
          date: 2024-10-22 09:52:22.0 +02:00
        }
        +markedForDeletionAt: null
        +tags: null
        +moderators: Doctrine\ORM\PersistentCollection {#237 …}
        +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
        +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
        +entries: Doctrine\ORM\PersistentCollection {#180 …}
        +posts: Doctrine\ORM\PersistentCollection {#138 …}
        +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
        +bans: Doctrine\ORM\PersistentCollection {#117 …}
        +reports: Doctrine\ORM\PersistentCollection {#103 …}
        +badges: Doctrine\ORM\PersistentCollection {#81 …}
        +logs: Doctrine\ORM\PersistentCollection {#71 …}
        +awards: Doctrine\ORM\PersistentCollection {#1346 …}
        +categories: Doctrine\ORM\PersistentCollection {#1823 …}
        -id: 73
        +apId: "linux@lemmy.ml"
        +apProfileId: "https://lemmy.ml/c/linux"
        +apPublicUrl: "https://lemmy.ml/c/linux"
        +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
        +apInboxUrl: "https://lemmy.ml/inbox"
        +apDomain: "lemmy.ml"
        +apPreferredUsername: "linux"
        +apDiscoverable: true
        +apManuallyApprovesFollowers: null
        +privateKey: null
        +publicKey: null
        +apFetchedAt: DateTime @1729583596 {#269
          date: 2024-10-22 09:53:16.0 +02:00
        }
        +apDeletedAt: null
        +apTimeoutAt: null
        +visibility: "visible             "
        +createdAt: DateTimeImmutable @1698929468 {#271
          date: 2023-11-02 13:51:08.0 +01:00
        }
      }
      +image: null
      +domain: Proxies\__CG__\App\Entity\Domain {#1889 …}
      +slug: "Security-advise-collection-what-do-you-recommend"
      +title: "Security advise collection - what do you recommend?"
      +url: null
      +body: """
        I use Linux for quite a while and would like to gather some security advice, well known and lesser known.\n
        \n
        ### Well known\n
        \n
        #### Dont install random apps from the internet\n
        \n
        This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.\n
        \n
        So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after `-i`.\n
        \n
        `distrobox-create NAME -i IMAGE-NAME`\n
        \n
        This also goes for\n
        \n
        - Ubuntu PPAs\n
        - Arch AUR\n
        - Opensuse Build service repos\n
        - Fedora COPR\n
        - Random external repos\n
        \n
        Some repos are more or less controlled, so be careful!\n
        \n
        Some “external ones” are trusted, like:\n
        \n
        - Fedora/Derivates: rpmfusion\n
        - Flathub\n
        - Steam Fedora Repo\n
        - Google Chrome Fedora Repo (dont use Chrome lol)\n
        - Open-h264 from Cisco\n
        - …\n
        \n
        [Not all Flathub repos are controlled, but here is a list](https://github.com/trytomakeyouprivate/Flatpak-remotes)\n
        \n
        #### Update, update, update\n
        \n
        Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.\n
        \n
        #### Wayland\n
        \n
        X11 is an outdated security disaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like\n
        \n
        - using your Camera\n
        - using your Microphone\n
        - viewing your screen or specific app Windows\n
        - simulating input devices\n
        - watching for keypresses\n
        \n
        Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means\n
        \n
        - XFCE\n
        - LXQt, LXDE\n
        - Budgie\n
        - Mate\n
        - Cinnamon\n
        - …\n
        \n
        Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.\n
        \n
        Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).\n
        \n
        All apps work on Wayland that dont do weird stuff that uses insecure methods. Unfortunately, this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.\n
        \n
        ### Less known\n
        \n
        #### Avoid stable Distributions\n
        \n
        Stable Distros dont get regular updates of every package that… gets an update, but they get ***backported*** security fixes.\n
        \n
        Correct me if I am wrong, but not all security related bugs get a CVE ([Common Vulnerabilities and Exposures](https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) and thus dont get backported.\n
        \n
        Stable Distributions are used everywhere on the internet though, so this could be debatable.\n
        \n
        #### Use an “immutable” distro\n
        \n
        Immutability is implemented in various ways, there is no standard at all\n
        \n
        - Android, Chromeos\n
        - Fedora Atomic (Silverblue, Kinoite, …)\n
        - Opensuse microOS (now Kalpa, Aeon)\n
        - VanillaOS\n
        - SteamOS\n
        \n
        They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.\n
        \n
        VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.\n
        \n
        Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple `rpm-ostree reset` will reset your base system. It is the most secure of the customizable ones to my knowledge.\n
        \n
        Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.\n
        \n
        Also, changes to the core system through malware are not possible, at least not directly.\n
        \n
        #### secure directories and dotfiles\n
        \n
        An exception here is, if a malware would simply create a bash alias to ***anything***. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.\n
        \n
        [madaidans-insecurities.github.io/linux.html#examp…](https://madaidans-insecurities.github.io/linux.html#examples)\n
        \n
        So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.\n
        \n
        ```\n
        \n
        <span style="color:#323232;">sudo chmod 755 ~/.bashrc &amp;&amp; sudo chown root ~/.bashrc\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.ssh &amp;&amp; sudo chown -R root ~/.ssh\n
        </span><span style="color:#323232;">sudo chmod -R 700 ~/.gnupg &amp;&amp; sudo chown -R root ~/.gnupg\n
        </span><span style="color:#323232;">sudo chmod 755 ~/.zshrc &amp;&amp; sudo chown root ~/.zshrc\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/fish/ &amp;&amp; sudo chown -R root ~/.config/fish/\n
        </span><span style="color:#323232;">sudo chmod -R 755 ~/.config/autostart &amp;&amp; sudo chown root -R ~/.config/autostart\n
        </span><span style="color:#323232;">#sudo chmod -R 755 ~/.local/share/applications &amp;&amp; sudo chown -R root ~/.local/share/applications\n
        </span>\n
        ```\n
        \n
        (7: **r**ead **w**rite e**x**ecute, 5: read execute, “-R”, recursively)\n
        \n
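        This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there. Note that changing the owner to root does not stop a file or directory from being renamed and replaced while the home directory that contains it is still writable by your user, and that a root-owned `~/.ssh` or `~/.gnupg` with mode 700 can no longer be read by your own user without sudo.\n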
        \n
        Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in `~/.local/share/applications/ons` anyways for some reason.\n
        \n
        #### SELinux or Apparmor\n
        \n
        I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.\n
        \n
        #### Sandboxing\n
        \n
        I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.\n
        \n
        It is in early stages though.\n
        \n
        Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.\n
        \n
        For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.\n
        \n
        Flatpak apps are always weakly isolated to make sure nothing breaks. In the future, with portals for everything (i.e. dynamic permissions), static permissions should be gone.\n
        \n
        #### Firmware updates &amp; Coreboot\n
        \n
        While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?\n
        \n
        In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!\n
        \n
        My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.\n
        \n
        And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!\n
        \n
        - [Novacustom](configurelaptop.eu) for EU people, they partner with [3mdeb](3mdeb.com) to support and ship Dasharo, a secure Coreboot Distro similar to Heads\n
        - System76 for US People\n
        - Starlabs also ships coreboot\n
        - [3mdeb](shop.3mdeb.com) sells PCs with Coreboot\n
        \n
        Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.\n
        \n
        #### Secureboot\n
        \n
        Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft to work out of the box, but they generate their own keys after installation.\n
        \n
        Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.\n
        \n
        ---\n
        \n
        What other tips do you know?
        """
      +type: "article"
      +lang: "en"
      +isOc: false
      +hasEmbed: false
      +commentCount: 15
      +favouriteCount: 28
      +score: 0
      +isAdult: false
      +sticky: false
      +lastActive: DateTime @1710702956 {#2414
        date: 2024-03-17 20:15:56.0 +01:00
      }
      +ip: null
      +adaAmount: 0
      +tags: null
      +mentions: null
      +comments: Doctrine\ORM\PersistentCollection {#1688 …}
      +votes: Doctrine\ORM\PersistentCollection {#1966 …}
      +reports: Doctrine\ORM\PersistentCollection {#1965 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1368 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2426 …}
      +badges: Doctrine\ORM\PersistentCollection {#2439 …}
      +children: []
      -id: 16322
      -titleTs: "'advis':2 'collect':3 'recommend':7 'secur':1"
      -bodyTs: "'/.bashrc':746,750 '/.config/autostart':793,798 '/.config/fish':783,788 '/.gnupg':729,765,770 '/.local/share/applications':803,808 '/.local/share/applications/ons':889 '/.ssh':731,755,760 '/.zshrc':774,778 '/linux.html#examp':704 '/linux.html#examples)':707 '/trytomakeyouprivate/flatpak-remotes)':171 '/wiki/common_vulnerabilities_and_exposures))':453 '11':1225 '3mdeb':1169,1191 '3mdeb.com':1170 '5':817 '7':809 '700':754,764 '755':745,773,782,792,802 'add':204 'advic':15 'aeon':499 'agreement':1267 'alia':680 'allow':516,528 'alon':1296 'along':279 'also':50,107,355,587,603,649,967,1146,1188,1245 'alway':1036 'android':489,512 'anoth':1143 'antivirus':52 'anymor':1109 'anyth':682,1129 'anyway':890 'app':26,69,190,193,245,261,348,357,367,403,532,887,993,1000,1034 'apparmor':896 'appli':553,565 'applic':864 'arch':112 'atom':492,547,569 'aur':113 'automat':179,643 'avail':92 'avoid':297,410 'backport':429,458 'backward':343 'base':578,614 'bash':679 'best':176,194,1021 'better':902,1293 'big':224 'bloat':1116 'box':1275 'break':211,859,878,1043 'browser':964 'bubblejail':947 'bubblewrap':949,985 'budgi':292 'bug':443 'build':115 'bundl':48 'camera':252 'cannot':1131 'care':43,132,227 'case':742,1083 'chang':550,604,650 'check':1291 'chmod':744,752,762,772,780,790,800 'chown':748,757,767,776,785,795,805 'chrome':146,151 'chromeo':490,510 'chromium':990,996 'cinnamon':294 'cisco':157 'clone':561 'cloud':572 'combin':335 'command':694 'common':447 'compani':1097 'compat':344,1090 'complex':1239 'compositor':339 'concern':1012 'config':714 'configurelaptop.eu':1162 'connect':1123 'contain':79 'control':129,163 'copr':119 'core':653 'coreboot':1061,1178,1190,1196,1199 'correct':432 'could':470 'creat':77,100,234,677 'customiz':623 'cve':446 'dasharo':1175,1286 'debat':472 'decommiss':1096 'depend':738 'desast':219 'design':221,942 'desktop':319,336,389 'detail':934 'develop':1155 'deviat':518 'devic':265,1098,1144 'differ':505,540 'direct':203,663 
'directori':665,842,865 'disabl':919 'display':89 'distribut':412,460 'distro':73,414,476,1179,1200,1257 'distrobox':76,99 'distrobox-cr':98 'done':642 'dont':23,149,372,415,456,898,1105 'dotfil':667 'download':58,583 'dynam':1052 'e':814 'ead':811 'earli':961 'easi':969 'easili':640,688 'editor':883 'efford':334 'electron':992 'en.m.wikipedia.org':452 'en.m.wikipedia.org/wiki/common_vulnerabilities_and_exposures))':451 'enabl':178 'enforc':912 'enough':931 'especi':995,1010,1084 'etc':340 'eu':1164 'even':733,1260 'everi':420,596,634,1050 'everyon':870 'everyth':849 'everywher':463,1150 'evolv':399 'exampl':880,976 'except':669 'exclus':64 'execut':695,816,819 'exist':338 'expect':327 'explain':933 'exposur':450 'extern':121,134 'featur':365 'fedora':118,143,147,491,568,908 'fedora/derivates':139 'feel':905 'file':56 'firefox':970,973 'firejail':936 'firmwar':1059,1076,1107,1118,1119,1148,1284 'fix':229,431 'flathub':141,160 'flathub.org':201 'flatpak':192,531,954,971,977,1013,1033 'flatseal':1030 'flaw':222,832,943 'forc':356 'form':541 'full':274,306,1073 'fulli':514 'futur':1046 'gather':12 'generat':1278 'get':416,423,428,444,457,1106 'github.com':170 'github.com/trytomakeyouprivate/flatpak-remotes)':169 'gnome':272 'goe':108,570,988 'gone':1058 'good':875,1088,1213 'googl':145 'grab':690 'graphic':1027 'great':1235 'gui':882 'h264':155 'harden':1017 'hardwar':1204 'head':1182,1288 'hope':329 'i.e':1051 'imag':82,91,104,577 'image-bas':576 'image-nam':103 'immut':475,477,515,628 'implement':479 'import':850,1246 'includ':382 'incomplet':826 'input':264 'insecur':378 'instal':24,84,188,1283 'instead':231 'integr':1028,1290 'intern':982 'internet':29,466,1126 'isol':1038 'kalpa':498 'kde':270,1023 'kdes':881 'keep':593,1217 'kernel':1070 'key':1281 'keypress':268 'kinoit':494 'know':899,1302 'knowledg':627 'known':17,20,22,409 'laptop':1086,1095 'least':300,332,661 'lenovo':1117 'less':128,408 'lesser':19 'libr':1069 'like':10,138,249,1205,1241,1285 
'linux':3,1068,1089 'linux-libr':1067 'list':168 'live':1072 'local':863 'lol':152 'long':834,847 'look':199 'lose':364 'lot':386,1197 'lxde':291 'lxqt':290 'machin':1222 'madaidans-insecurities.github.io':703,706 'madaidans-insecurities.github.io/linux.html#examp':702 'madaidans-insecurities.github.io/linux.html#examples)':705 'make':631,861,1040 'malwar':656,674 'manag':283,545 'mani':941,1256 'manual':1016 'mate':293 'may':823,1064,1092,1263 'mayb':732 'mean':288,710 'method':379 'microo':496,537 'microphon':255 'microsoft':1269 'might':873 'mind':1219 'mitm':1140 'modern':240 'modifi':588 'monitor':1132 'most':1015 'multipl':1242 'name':101,105 'nativ':533,974,999 'near':63,929 'need':978,1138 'never':210 'new':313 'nice':1032 'nitrokey':1210 'nobodi':226 'noth':1042 'novacustom':1161 'offici':61 'often':47 'old':33,1203,1227 'older':1094,1099 'one':135,624,1231 'open':154 'open-h264':153 'opensus':114,495,536 'oper':629 'os':41,286,521,1136,1251 'ostre':591,609 'other':722 'otherwis':363,1029 'outdat':217,1115 'outsourc':51 'packag':421,544,598 'partner':1167 'password':686 'pc':1079 'pcs':1194 'peopl':1154,1165,1186 'permiss':1018,1026,1053,1055 'pleas':854 'poor':380,923 'portal':243,1048 'possibl':659 'ppas':111 'prefer':957 'press':94 'pretti':831 'privaci':1011 'probabl':1104 'proprietari':1147 'protocol':314 'proxi':1141 'put':886 'quit':5 'r':753,758,763,768,781,786,791,797,801,806,810,820 'ram':1122 'random':25,120,836 'raspberrypi':285 'read':725,818,867,1121 'read-on':866 'readabl':735 'reader':384 'reason':893,945 'reboot':567 'record':395 'recurs':821 'regular':417,543,1008 'relat':442 'remot':388 'replac':980 'repo':62,74,117,122,124,144,148,161,207 'report':855 'requir':242,318,916 'reset':610,612 'restrict':241 'result':38 'rite':813 'root':749,759,769,777,787,796,807,872 'rpm':608 'rpm-ostre':607 'rpmfusion':140 'run':349,530,556,647 'said':938,1002 'sandbox':925,965,983 'scan':54 'screen':258,383,394 'second':693 
'secur':14,218,430,441,620,664,829,906,1006,1177 'secureboot':1244,1295 'selinux':894,910 'sell':1193 'servic':116 'set':858 'shell':713 'ship':1174,1189 'shop.3mdeb.com':1192 'silverblu':493 'similar':526,1180 'simpl':606 'simpli':676 'simul':263 'singl':597 'slim':185 'softwar':46,390,837 'someth':212,699,860 'specif':260 'stabl':411,413,459 'stage':962 'stallman':1074 'standard':486 'starlab':1187 'static':1054 'steam':142 'steamo':501,524 'still':824,1229 'store':852 'stuff':248,375,1240 'sudo':685,701,720,737,743,747,751,756,761,766,771,775,779,784,789,794,799,804 'support':276,308,406,1172,1202,1258 'sure':632,1041 'swap':584 'system':186,557,579,601,615,630,648,654 'system76':1183 't430':1209 't495':1112 'tab':95 'technic':930 'temper':1254 'thing':397 'thinkpad':1100,1111,1206 'though':467,963,1261 'thus':455 'tighter':237 'tip':1299 'tool':915 'track':594 'tri':75 'trust':137 'ubuntu':110 'updat':172,173,174,180,208,418,425,635,1060,1108 'us':1185 'use':2,60,150,250,253,337,359,377,462,473,538,590,741,948,952,1065,1080,1142 'vanillao':500,534 'various':481 'vendor':1214 'verifi':198,206,1248 'vew':1153 'view':256 'vms':1243 'vs':972 'vulner':448 'w':812 'watch':266 'way':35,236,482,573,1022 'wayland':213,232,275,307,309,341,370,407 'weak':1037 'weird':374 'well':16,21,392 'whenev':696 'window':34,262,282 'work':323,368,636,1234,1271 'would':9,675 'writabl':718 'write':839 'written':924 'wrong':437 'x':815 'x11':214,346 'x11-only':345 'xfce':289 'xwayland':351,360 'year':302,1226"
      +cross: false
      +upVotes: 0
      +downVotes: 0
      +ranking: 1700928097
      +visibility: "visible             "
      +apId: "https://feddit.de/post/6001973"
      +editedAt: DateTimeImmutable @1701462094 {#1793
        date: 2023-12-01 21:21:34.0 +01:00
      }
      +createdAt: DateTimeImmutable @1700841697 {#2402
        date: 2023-11-24 17:01:37.0 +01:00
      }
    }
    +magazine: App\Entity\Magazine {#265}
    +image: null
    +parent: null
    +root: null
    +body: "Eh, I don’t have anything “complex” to add, other than buying a Raspberry Pi and using it as a DNS sinkhole/recursive DNS under a docker/ipvlan network, and then “hiding” it behind a macvlan connection + ufw. I’ve been doing this for several years and have never had any problems with it. You can even use it as a music player of sorts by configuring a hotkey to bring up mpv with a playlist, and another one to close it. Oh, and even as a “live stream player 24/7” if you are into it."
    +lang: "en"
    +isAdult: false
    +favouriteCount: 0
    +score: 0
    +lastActive: DateTime @1700842891 {#5087
      date: 2023-11-24 17:21:31.0 +01:00
    }
    +ip: null
    +tags: null
    +mentions: [
      "@Pantherina@feddit.de"
    ]
    +children: Doctrine\ORM\PersistentCollection {#5093 …}
    +nested: Doctrine\ORM\PersistentCollection {#5095 …}
    +votes: Doctrine\ORM\PersistentCollection {#5097 …}
    +reports: Doctrine\ORM\PersistentCollection {#5099 …}
    +favourites: Doctrine\ORM\PersistentCollection {#5101 …}
    +notifications: Doctrine\ORM\PersistentCollection {#5103 …}
    -id: 159030
    -bodyTs: "'24/7':85 'add':9 'anoth':72 'anyth':6 'behind':31 'bring':65 'buy':12 'close':75 'complex':7 'configur':61 'connect':34 'dns':21,23 'docker/ipvlan':25 'eh':1 'even':51,79 'hide':29 'hotkey':63 'live':82 'macvlan':33 'mpv':67 'music':56 'network':26 'never':43 'oh':77 'one':73 'pi':15 'player':57,84 'playlist':70 'problem':46 'raspberri':14 'sever':40 'sinkhole/recursive':22 'sort':59 'stream':83 'ufw':35 'use':17,52 'year':41"
    +ranking: 0
    +commentCount: 0
    +upVotes: 0
    +downVotes: 0
    +visibility: "visible             "
    +apId: "https://lemmy.world/comment/5552128"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700842891 {#5088
      date: 2023-11-24 17:21:31.0 +01:00
    }
  }
  +nestedComments: []
  +level: 1
  +view: "tree"
  -entryCommentRepository: App\Repository\EntryCommentRepository {#556 …}
  -twig: Twig\Environment {#1252 …}
  -security: Symfony\Bundle\SecurityBundle\Security {#1101 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
settings_row_enum App\Twig\Components\SettingsRowEnumComponent 14.0 MiB 0.33 ms
Input props
[
  "label" => "Sidebar position"
  "settingsKey" => "KBIN_GENERAL_SIDEBAR_POSITION"
  "values" => [
    [
      "name" => "Left"
      "value" => "LEFT"
    ]
    [
      "name" => "Right"
      "value" => "RIGHT"
    ]
  ]
  "defaultValue" => "RIGHT"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowEnumComponent {#8242
  +label: "Sidebar position"
  +help: ""
  +settingsKey: "KBIN_GENERAL_SIDEBAR_POSITION"
  +values: [
    [
      "name" => "Left"
      "value" => "LEFT"
    ]
    [
      "name" => "Right"
      "value" => "RIGHT"
    ]
  ]
  +defaultValue: "RIGHT"
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.23 ms
Input props
[
  "label" => "Dynamic lists"
  "settingsKey" => "KBIN_GENERAL_DYNAMIC_LISTS"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#12161
  +label: "Dynamic lists"
  +help: ""
  +settingsKey: "KBIN_GENERAL_DYNAMIC_LISTS"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Rounded edges"
  "settingsKey" => "KBIN_GENERAL_ROUNDED_EDGES"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#8425
  +label: "Rounded edges"
  +help: ""
  +settingsKey: "KBIN_GENERAL_ROUNDED_EDGES"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Infinite scrolling"
  "help" => "Automatically load more content when you reach the bottom of the page."
  "settingsKey" => "KBIN_GENERAL_INFINITE_SCROLL"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#11316
  +label: "Infinite scrolling"
  +help: "Automatically load more content when you reach the bottom of the page."
  +settingsKey: "KBIN_GENERAL_INFINITE_SCROLL"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.18 ms
Input props
[
  "label" => "Sticky navbar"
  "help" => "The navbar will stick to the top of the page when you scroll down."
  "settingsKey" => "KBIN_GENERAL_FIXED_NAVBAR"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#14119
  +label: "Sticky navbar"
  +help: "The navbar will stick to the top of the page when you scroll down."
  +settingsKey: "KBIN_GENERAL_FIXED_NAVBAR"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.15 ms
Input props
[
  "label" => "Show top bar"
  "settingsKey" => "KBIN_GENERAL_TOPBAR"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#14572
  +label: "Show top bar"
  +help: ""
  +settingsKey: "KBIN_GENERAL_TOPBAR"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Turbo mode (experimental)"
  "settingsKey" => "KBIN_GENERAL_TURBO"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#14628
  +label: "Turbo mode (experimental)"
  +help: ""
  +settingsKey: "KBIN_GENERAL_TURBO"
  +defaultValue: false
  +reloadRequired: true
}
user_settings_row_switch App\Twig\Components\UserSettingsRowSwitchComponent 14.0 MiB 0.28 ms
Input props
[
  "label" => "Mark new comments"
  "settingsKey" => "KBIN_MARK_NEW_COMMENTS"
]
Attributes
[]
Component
App\Twig\Components\UserSettingsRowSwitchComponent {#14686
  +label: "Mark new comments"
  +help: ""
  +settingsKey: "KBIN_MARK_NEW_COMMENTS"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Show "Support Us" block"
  "settingsKey" => "KBIN_GENERAL_SUPPORT_US_BLOCK"
  "defaultValue" => true
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#14749
  +label: "Show "Support Us" block"
  +help: ""
  +settingsKey: "KBIN_GENERAL_SUPPORT_US_BLOCK"
  +defaultValue: true
  +reloadRequired: true
}
user_settings_row_switch App\Twig\Components\UserSettingsRowSwitchComponent 14.0 MiB 0.17 ms
Input props
[
  "label" => "Show subscribed users"
  "settingsKey" => "KBIN_SUB_CHANNEL_USERS"
]
Attributes
[]
Component
App\Twig\Components\UserSettingsRowSwitchComponent {#14807
  +label: "Show subscribed users"
  +help: ""
  +settingsKey: "KBIN_SUB_CHANNEL_USERS"
  +defaultValue: false
  +reloadRequired: true
}
user_settings_row_switch App\Twig\Components\UserSettingsRowSwitchComponent 14.0 MiB 0.15 ms
Input props
[
  "label" => "Show subscribed magazines"
  "settingsKey" => "KBIN_SUB_CHANNEL_MAGAZINES"
]
Attributes
[]
Component
App\Twig\Components\UserSettingsRowSwitchComponent {#14863
  +label: "Show subscribed magazines"
  +help: ""
  +settingsKey: "KBIN_SUB_CHANNEL_MAGAZINES"
  +defaultValue: false
  +reloadRequired: true
}
user_settings_row_switch App\Twig\Components\UserSettingsRowSwitchComponent 14.0 MiB 0.18 ms
Input props
[
  "label" => "Show subscribed domains"
  "settingsKey" => "KBIN_SUB_CHANNEL_DOMAINS"
]
Attributes
[]
Component
App\Twig\Components\UserSettingsRowSwitchComponent {#14919
  +label: "Show subscribed domains"
  +help: ""
  +settingsKey: "KBIN_SUB_CHANNEL_DOMAINS"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Auto media preview"
  "help" => "Automatically expand media previews."
  "settingsKey" => "KBIN_ENTRIES_SHOW_PREVIEW"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#14975
  +label: "Auto media preview"
  +help: "Automatically expand media previews."
  +settingsKey: "KBIN_ENTRIES_SHOW_PREVIEW"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 64.25 ms
Input props
[
  "label" => "Compact view"
  "settingsKey" => "KBIN_ENTRIES_COMPACT"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15031
  +label: "Compact view"
  +help: ""
  +settingsKey: "KBIN_ENTRIES_COMPACT"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.16 ms
Input props
[
  "label" => "Show users’ avatars"
  "settingsKey" => "KBIN_ENTRIES_SHOW_USERS_AVATARS"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15087
  +label: "Show users’ avatars"
  +help: ""
  +settingsKey: "KBIN_ENTRIES_SHOW_USERS_AVATARS"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.17 ms
Input props
[
  "label" => "Show magazines’ icons"
  "settingsKey" => "KBIN_ENTRIES_SHOW_MAGAZINES_ICONS"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15143
  +label: "Show magazines’ icons"
  +help: ""
  +settingsKey: "KBIN_ENTRIES_SHOW_MAGAZINES_ICONS"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.15 ms
Input props
[
  "label" => "Show thumbnails"
  "settingsKey" => "KBIN_ENTRIES_SHOW_THUMBNAILS"
  "defaultValue" => true
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15199
  +label: "Show thumbnails"
  +help: ""
  +settingsKey: "KBIN_ENTRIES_SHOW_THUMBNAILS"
  +defaultValue: true
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Auto media preview"
  "help" => "Automatically expand media previews."
  "settingsKey" => "KBIN_POSTS_SHOW_PREVIEW"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15255
  +label: "Auto media preview"
  +help: "Automatically expand media previews."
  +settingsKey: "KBIN_POSTS_SHOW_PREVIEW"
  +defaultValue: false
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Show users’ avatars"
  "settingsKey" => "KBIN_POSTS_SHOW_USERS_AVATARS"
  "defaultValue" => true
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15311
  +label: "Show users’ avatars"
  +help: ""
  +settingsKey: "KBIN_POSTS_SHOW_USERS_AVATARS"
  +defaultValue: true
  +reloadRequired: true
}
settings_row_enum App\Twig\Components\SettingsRowEnumComponent 14.0 MiB 0.18 ms
Input props
[
  "label" => "Comment reply position"
  "help" => "Display the comment reply form either at the top or bottom of the page. When 'infinite scroll' is enabled the position will always appear at the top."
  "settingsKey" => "KBIN_COMMENTS_REPLY_POSITION"
  "values" => [
    [
      "name" => "top"
      "value" => "TOP"
    ]
    [
      "name" => "bottom"
      "value" => "BOTTOM"
    ]
  ]
  "defaultValue" => "TOP"
]
Attributes
[]
Component
App\Twig\Components\SettingsRowEnumComponent {#15367
  +label: "Comment reply position"
  +help: "Display the comment reply form either at the top or bottom of the page. When 'infinite scroll' is enabled the position will always appear at the top."
  +settingsKey: "KBIN_COMMENTS_REPLY_POSITION"
  +values: [
    [
      "name" => "top"
      "value" => "TOP"
    ]
    [
      "name" => "bottom"
      "value" => "BOTTOM"
    ]
  ]
  +defaultValue: "TOP"
  +reloadRequired: true
}
settings_row_switch App\Twig\Components\SettingsRowSwitchComponent 14.0 MiB 0.14 ms
Input props
[
  "label" => "Show Comment Avatars"
  "help" => "Display/hide user avatars when viewing comments on a single thread or post."
  "settingsKey" => "KBIN_COMMENTS_SHOW_USER_AVATAR"
  "defaultValue" => true
]
Attributes
[]
Component
App\Twig\Components\SettingsRowSwitchComponent {#15425
  +label: "Show Comment Avatars"
  +help: "Display/hide user avatars when viewing comments on a single thread or post."
  +settingsKey: "KBIN_COMMENTS_SHOW_USER_AVATAR"
  +defaultValue: true
  +reloadRequired: true
}
user_actions App\Twig\Components\UserActionsComponent 16.0 MiB 0.46 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
]
Attributes
[]
Component
App\Twig\Components\UserActionsComponent {#15502
  +user: Proxies\__CG__\App\Entity\User {#1978
    +avatar: null
    +cover: null
    +email: "Pantherina@feddit.de"
    +username: "@Pantherina@feddit.de"
    +roles: []
    +followersCount: 0
    +homepage: "front"
    +about: null
    +lastActive: DateTime @1721498243 {#1515
      date: 2024-07-20 19:57:23.0 +02:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: false
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: true
    +notifyOnNewEntryCommentReply: true
    +notifyOnNewPost: false
    +notifyOnNewPostReply: true
    +notifyOnNewPostCommentReply: true
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: false
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#1519 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#1517 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#1623 …}
    +entries: Doctrine\ORM\PersistentCollection {#1406 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#1713 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#1710 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#1474 …}
    +posts: Doctrine\ORM\PersistentCollection {#1745 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#1485 …}
    +postComments: Doctrine\ORM\PersistentCollection {#1759 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#1637 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#1475 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#1636 …}
    +follows: Doctrine\ORM\PersistentCollection {#1409 …}
    +followers: Doctrine\ORM\PersistentCollection {#1624 …}
    +blocks: Doctrine\ORM\PersistentCollection {#1425 …}
    +blockers: Doctrine\ORM\PersistentCollection {#1441 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#1460 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#1439 …}
    +reports: Doctrine\ORM\PersistentCollection {#1416 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1430 …}
    +violations: Doctrine\ORM\PersistentCollection {#1694 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1700 …}
    +awards: Doctrine\ORM\PersistentCollection {#1434 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#1610 …}
    +categories: Doctrine\ORM\PersistentCollection {#1640 …}
    -id: 48318
    -password: "$2y$13$ltFqzTJ0eHIMY8NTIUV0JOoX1AZlaj64ntUxYh5oQTJrg6.lxQmuC"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#1669 …}
    +apId: "Pantherina@feddit.de"
    +apProfileId: "https://feddit.de/u/Pantherina"
    +apPublicUrl: "https://feddit.de/u/Pantherina"
    +apFollowersUrl: null
    +apInboxUrl: "https://feddit.de/inbox"
    +apDomain: "feddit.de"
    +apPreferredUsername: "Pantherina"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: false
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1721236644 {#1516
      date: 2024-07-17 19:17:24.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1696428300 {#1518
      date: 2023-10-04 16:05:00.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
}
date App\Twig\Components\DateComponent 16.0 MiB 0.18 ms
Input props
[
  "date" => DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#15563
  +date: DateTimeImmutable @1700841697 {#2402
    date: 2023-11-24 17:01:37.0 +01:00
  }
}
magazine_box App\Twig\Components\MagazineBoxComponent 16.0 MiB 60.01 ms
Input props
[
  "magazine" => App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  "showSectionTitle" => true
]
Attributes
[]
Component
App\Twig\Components\MagazineBoxComponent {#15619
  +magazine: App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  +showCover: true
  +showDescription: true
  +showRules: true
  +showSubscribeButton: true
  +showInfo: true
  +showMeta: true
  +showSectionTitle: true
  +stretchedLink: true
}
magazine_sub App\Twig\Components\MagazineSubComponent 16.0 MiB 0.46 ms
Input props
[
  "magazine" => App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\MagazineSubComponent {#15677
  +magazine: App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
}
date App\Twig\Components\DateComponent 16.0 MiB 0.21 ms
Input props
[
  "date" => DateTimeImmutable @1698929468 {#271
    date: 2023-11-02 13:51:08.0 +01:00
  }
]
Attributes
[]
Component
App\Twig\Components\DateComponent {#15851
  +date: DateTimeImmutable @1698929468 {#271
    date: 2023-11-02 13:51:08.0 +01:00
  }
}
user_inline App\Twig\Components\UserInlineComponent 16.0 MiB 11.55 ms
Input props
[
  "user" => Proxies\__CG__\App\Entity\User {#15910
    +avatar: null
    +cover: null
    +email: "kbin@j0h.nl"
    +username: "Sprite_tm"
    +roles: [
      "ROLE_ADMIN"
    ]
    +followersCount: 0
    +homepage: "front"
    +about: "Hi! I'm Sprite_tm. You may know me from sites like https://spritesmods.com."
    +lastActive: DateTime @1707547382 {#15957
      date: 2024-02-10 07:43:02.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: true
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#15959 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#15961 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#15963 …}
    +entries: Doctrine\ORM\PersistentCollection {#15965 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#15967 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#15969 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#15971 …}
    +posts: Doctrine\ORM\PersistentCollection {#15973 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#15975 …}
    +postComments: Doctrine\ORM\PersistentCollection {#15977 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#15979 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#15981 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#15983 …}
    +follows: Doctrine\ORM\PersistentCollection {#15985 …}
    +followers: Doctrine\ORM\PersistentCollection {#15987 …}
    +blocks: Doctrine\ORM\PersistentCollection {#15989 …}
    +blockers: Doctrine\ORM\PersistentCollection {#15991 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#15993 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#15995 …}
    +reports: Doctrine\ORM\PersistentCollection {#15997 …}
    +favourites: Doctrine\ORM\PersistentCollection {#15999 …}
    +violations: Doctrine\ORM\PersistentCollection {#16001 …}
    +notifications: Doctrine\ORM\PersistentCollection {#16003 …}
    +awards: Doctrine\ORM\PersistentCollection {#16005 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#16007 …}
    +categories: Doctrine\ORM\PersistentCollection {#16009 …}
    -id: 1
    -password: "$2y$13$ZX7Aou2QOPRGkHPp4y5x8OWfxZMoT1BGH7bRLlPP7mwZFTkfiaPGG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#16011 …}
    +apId: null
    +apProfileId: null
    +apPublicUrl: null
    +apFollowersUrl: null
    +apInboxUrl: null
    +apDomain: null
    +apPreferredUsername: null
    +apDiscoverable: null
    +apManuallyApprovesFollowers: null
    +privateKey: """
      -----BEGIN PRIVATE KEY-----\r\n
      MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDleeotz5TBiMlC\r\n
      YsJYJHVNxjvnvt0qsQA282B7vdqBTbARfD49iKPiMIwgU2yhCI0oTSQwc2Zy9AQ+\r\n
      31rwmvBx8VvcLgQvKpNzPVhMQjelK7k5iPiPc/W1soaauepq3YwQKgGod4c5Vh9f\r\n
      MInSANfOLOUSo3pUzfaQaGEvQc5DbKjDgIjsv/OKI1acbzu067KQzIThu+1BvcqQ\r\n
      Ypo2Ux5W23nNqkrRZ++z/r1MI2jS3vwi5OSwz4fWhLPJXE6lwokc6b/uAZe7sLT6\r\n
      QQtjevLnmMyRIVnmxbtHPMSfhLdz8ssQhoNCfAkMnBjDUX31SSs67pU8v5O3Fn2H\r\n
      d+qFWCjrREwSpBAd24INJqKsjSa6j3oLL8Xw8HZf+x6QRPJch/c3FNWRtM2b9n8V\r\n
      sAQiD985pafyeQ1TqIe4iSjI0iUgy2WgwO0C1Z0PNbQzQmRk0EOAlxIXjPmB229P\r\n
      V4+OcZxLT9phP/rid1Qt9Ro+2LdkS9Zqe8c2JHeJKc5Nv/8OOX5uQ/B82JXnuXYi\r\n
      /oVEJb5t42G8u3IIkYM5G/Gt033WU6dbyKOBmdnbXaPw9LC3M7oop3yyCb3UDLfg\r\n
      g/XnZVvZxSPCPlh5G1Lb0r47siKq/0k9YRua0AFsVg0dhqfuwsb6G9Hx5EicuPsu\r\n
      OIjXINBTjlnE4SdMz0ZJt7bLjwlKdQIDAQABAoICAAlWo8QHfYs+sMoF0Njbavam\r\n
      SYvNxZxWJacW0mdWu4ylh7O+dZ31cI3k4d7y5inLeksYkI90MsgczAtu9XlzJLPO\r\n
      WamlKcBtoCCBb5Vy4GbVV61SuKLF2krxn+6uAC8nIusJepXLf3JC4fXyuLkWFbIr\r\n
      O4s9od3Pn+gSh1nv+J/fzSJfmbLgwN1vQLgPAsQDD3o7CHFTP318ZsDnclUhnst0\r\n
      FQnckzzgWO3fQP7XNg3WyzX0UKYtW97L+bEJE55FQ2Us0gWyhOU7dLH2casztqzc\r\n
      F/8T91+fzlZAz9OaCAks6Tyb7L2I5KlhtNRF/bU8rAiy6tnVBgLeZG9d3upcQxX0\r\n
      L+SMPWg55qERGI5mO+BxFdUnVtcmswziKmySYtzgm+c4jmPS5cWhGB9HFCTW2S0x\r\n
      GoVA2cZGWjMTrbZQhgJjBqzp76fhLtXTufd328sYmX7fBYKEWFYNwrEJaWYUNl/V\r\n
      yEyl0aMQWKhVokx6eCqnuDZUc77LeuGuCleIdhQ53NYHrXMCmgVyLfmGdrOS3Uh6\r\n
      RrAYmnvvMkAUTOQajW2csC345PmgBOjE7vB7349ylKUkXvN4L+9xZCYaVjBt3O24\r\n
      aRoQSQDGhk+NIaYleiFx+u7dJSryxdx/6ut6dQ2S+jKlm1oN1qq6ppO5y/TFRQ1e\r\n
      qn7kjIGzUT80fANDFqdhAoIBAQD1+cGiWXRQhUrJc5X3ngH1zHoLWpmSZcUUDFn/\r\n
      bV/CChd2M43fOpneIQETZ1oS7BsU3y92kTw63ytYOUg7C5iT5/r9ZoBGq0HZSbll\r\n
      riRJWGiajr2aYCmIes++CrfUvCcD6+l8QMZ3s8eXdk80GX+vt1xEfRpWV9e9huJK\r\n
      K1e8wXfFmPAmxUi63IePscdc+SVQGeooMYDnMwLWvxpAtp5mGOaQc4D5dviWXjSE\r\n
      Z/PJa+gectpD1iDIPUXm3o17ivE2UYFia8/FCGUN6Yz7ucRKF+2SPO8hLefk5UvJ\r\n
      Lxlkh67MXKkneDqRU9C82Qmcfz5nQLQadC0nbE44YeXrnlIdAoIBAQDu1AWMIe6f\r\n
      7TZYCWnTa3nT6penJ9CMaGDPI/62dKTmGnI4oo3u9DGGrnuWbcFFCQA02vcYdpuw\r\n
      CVy6mkP/yqN5VSV3EHZiJUA0aKIxot3o3YOiobpVYn9hwvzzOdMZO4SOuevNfY1c\r\n
      qmnLGhYoDvR1c2yaudCf/BDwQqlLoSg9F5X57bRtwaRyUjhtXVKXWb59qtiwwrvp\r\n
      1vPjxciEIxAtgSXtIUQz3ljDRNUHjpyfYM3ska5jkxMIPNYUYFMX2x+Gxn9PZEG3\r\n
      Im391BRynZsnkvJO6i4i5N1xsPK5SyPiKBnlMxW/6ZLi5aAQHV3cc2KLzV+T+s2B\r\n
      v9LTAyO7nWo5AoIBAASA/jqqyKZwyl3F8AkIq6CEjfeHQSidFG65iyxSJF65MJTJ\r\n
      fN+Jgye+Evb3/X47NIO9UnEpV6D8VR7YbaonHDQZG09ogRDKMfp4jxx9g8yUAdZS\r\n
      psYc3KXTGdqw94y9pTk9KJlN1lR6xjzPvcOGdAATq2zVnZXXJewifCI/iOu73yWP\r\n
      F1aeZiaFwzWuW6goJ7a/wrnZrjKNjI/CEAj/TwcvjYk3lDT9KLAYKX4DKUOW5jko\r\n
      gTacxRzlglIn4Q9SC/iipWvX7YX+EVuf2yUA0cdJiOAUnYxN+uEGEc0tP5nHoju7\r\n
      tp0yZmAi2L+cecCT0+CwHpwdZHZEVWpS4JLf40ECggEBALFSZIgGDZlaU5YL7zHV\r\n
      Q5APRugKDLKjMPW7IPwxINnj2tioAL/hOQBpfkNTXEM4ipmz1fCo57FNUjcOINzD\r\n
      hJqqmHWNmIgIZmJDKeG2rhKenYTblXCeADwCvTKNxWmfoi0iZ6ybwqCBuqjcxoSZ\r\n
      jfHCcGl0+yw9yAnLRM1ta2XopCb70ZIIS2PCHjk9J/xN2ryNY/PhsgnN2ilMiTNq\r\n
      oTFYCWPF5lCojrj020KQJUPEaUBzbcpqwZ/FI6HfXvKAdCjqKk40/wHNI2Np2oC6\r\n
      +h7o4NWs0/J+gNhP6/edjZf19DwTsNtbvf6PRUeRtkXeudVY99T0Sy9B0HNxik9b\r\n
      cikCggEAM2wassiP1i0Gc3wrbNLHyQN+yqMaAp0xF+8l0fU3T8zPL/tYDcITnZPY\r\n
      pEFV/aodP9X7XFuQD0iGTOTGDXiMSLPOLI/ifmwbT41rgIN9x14MpU2EtWeVz7sx\r\n
      ZIFMt98rHx6BsZx/DnSFDQ8iqrKF3u+OOv7s6j+8odz4Rq53+16vMev5VUMOPq+E\r\n
      aQn8SDKkOjZzwb9QGB9bXS5s9yyj4pLyggQ0O5S2ugZjUcmCecNpktN8bUR3I9VQ\r\n
      KWkcQa9yCpidp/JYrQtlbqAPiIzptA4T4RNh+F6pKbmw7hNMIPipPzbQezEMaBOn\r\n
      Cgb38EldyAVGjCzRGfhu9SNU9B03bg==\r\n
      -----END PRIVATE KEY-----
      """
    +publicKey: """
      -----BEGIN PUBLIC KEY-----\r\n
      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5XnqLc+UwYjJQmLCWCR1\r\n
      TcY7577dKrEANvNge73agU2wEXw+PYij4jCMIFNsoQiNKE0kMHNmcvQEPt9a8Jrw\r\n
      cfFb3C4ELyqTcz1YTEI3pSu5OYj4j3P1tbKGmrnqat2MECoBqHeHOVYfXzCJ0gDX\r\n
      zizlEqN6VM32kGhhL0HOQ2yow4CI7L/ziiNWnG87tOuykMyE4bvtQb3KkGKaNlMe\r\n
      Vtt5zapK0Wfvs/69TCNo0t78IuTksM+H1oSzyVxOpcKJHOm/7gGXu7C0+kELY3ry\r\n
      55jMkSFZ5sW7RzzEn4S3c/LLEIaDQnwJDJwYw1F99UkrOu6VPL+TtxZ9h3fqhVgo\r\n
      60RMEqQQHduCDSairI0muo96Cy/F8PB2X/sekETyXIf3NxTVkbTNm/Z/FbAEIg/f\r\n
      OaWn8nkNU6iHuIkoyNIlIMtloMDtAtWdDzW0M0JkZNBDgJcSF4z5gdtvT1ePjnGc\r\n
      S0/aYT/64ndULfUaPti3ZEvWanvHNiR3iSnOTb//Djl+bkPwfNiV57l2Iv6FRCW+\r\n
      beNhvLtyCJGDORvxrdN91lOnW8ijgZnZ212j8PSwtzO6KKd8sgm91Ay34IP152Vb\r\n
      2cUjwj5YeRtS29K+O7Iiqv9JPWEbmtABbFYNHYan7sLG+hvR8eRInLj7LjiI1yDQ\r\n
      U45ZxOEnTM9GSbe2y48JSnUCAwEAAQ==\r\n
      -----END PUBLIC KEY-----
      """
    +apFetchedAt: null
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686560440 {#15958
      date: 2023-06-12 11:00:40.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
]
Attributes
[]
Component
App\Twig\Components\UserInlineComponent {#15928
  +user: Proxies\__CG__\App\Entity\User {#15910
    +avatar: null
    +cover: null
    +email: "kbin@j0h.nl"
    +username: "Sprite_tm"
    +roles: [
      "ROLE_ADMIN"
    ]
    +followersCount: 0
    +homepage: "front"
    +about: "Hi! I'm Sprite_tm. You may know me from sites like https://spritesmods.com."
    +lastActive: DateTime @1707547382 {#15957
      date: 2024-02-10 07:43:02.0 +01:00
    }
    +markedForDeletionAt: null
    +fields: null
    +oauthGithubId: null
    +oauthGoogleId: null
    +oauthFacebookId: null
    +oauthKeycloakId: null
    +hideAdult: true
    +showSubscribedUsers: true
    +showSubscribedMagazines: true
    +showSubscribedDomains: true
    +preferredLanguages: []
    +featuredMagazines: null
    +showProfileSubscriptions: true
    +showProfileFollowings: true
    +markNewComments: false
    +notifyOnNewEntry: false
    +notifyOnNewEntryReply: false
    +notifyOnNewEntryCommentReply: false
    +notifyOnNewPost: false
    +notifyOnNewPostReply: false
    +notifyOnNewPostCommentReply: false
    +addMentionsEntries: false
    +addMentionsPosts: true
    +isBanned: false
    +isVerified: true
    +isDeleted: false
    +isBot: false
    +spamProtection: true
    +customCss: null
    +ignoreMagazinesCustomCss: false
    +moderatorTokens: Doctrine\ORM\PersistentCollection {#15959 …}
    +magazineOwnershipRequests: Doctrine\ORM\PersistentCollection {#15961 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#15963 …}
    +entries: Doctrine\ORM\PersistentCollection {#15965 …}
    +entryVotes: Doctrine\ORM\PersistentCollection {#15967 …}
    +entryComments: Doctrine\ORM\PersistentCollection {#15969 …}
    +entryCommentVotes: Doctrine\ORM\PersistentCollection {#15971 …}
    +posts: Doctrine\ORM\PersistentCollection {#15973 …}
    +postVotes: Doctrine\ORM\PersistentCollection {#15975 …}
    +postComments: Doctrine\ORM\PersistentCollection {#15977 …}
    +postCommentVotes: Doctrine\ORM\PersistentCollection {#15979 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#15981 …}
    +subscribedDomains: Doctrine\ORM\PersistentCollection {#15983 …}
    +follows: Doctrine\ORM\PersistentCollection {#15985 …}
    +followers: Doctrine\ORM\PersistentCollection {#15987 …}
    +blocks: Doctrine\ORM\PersistentCollection {#15989 …}
    +blockers: Doctrine\ORM\PersistentCollection {#15991 …}
    +blockedMagazines: Doctrine\ORM\PersistentCollection {#15993 …}
    +blockedDomains: Doctrine\ORM\PersistentCollection {#15995 …}
    +reports: Doctrine\ORM\PersistentCollection {#15997 …}
    +favourites: Doctrine\ORM\PersistentCollection {#15999 …}
    +violations: Doctrine\ORM\PersistentCollection {#16001 …}
    +notifications: Doctrine\ORM\PersistentCollection {#16003 …}
    +awards: Doctrine\ORM\PersistentCollection {#16005 …}
    +subscribedCategories: Doctrine\ORM\PersistentCollection {#16007 …}
    +categories: Doctrine\ORM\PersistentCollection {#16009 …}
    -id: 1
    -password: "$2y$13$ZX7Aou2QOPRGkHPp4y5x8OWfxZMoT1BGH7bRLlPP7mwZFTkfiaPGG"
    -totpSecret: null
    -totpBackupCodes: []
    -oAuth2UserConsents: Doctrine\ORM\PersistentCollection {#16011 …}
    +apId: null
    +apProfileId: null
    +apPublicUrl: null
    +apFollowersUrl: null
    +apInboxUrl: null
    +apDomain: null
    +apPreferredUsername: null
    +apDiscoverable: null
    +apManuallyApprovesFollowers: null
    +privateKey: """
      -----BEGIN PRIVATE KEY-----\r\n
      MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDleeotz5TBiMlC\r\n
      YsJYJHVNxjvnvt0qsQA282B7vdqBTbARfD49iKPiMIwgU2yhCI0oTSQwc2Zy9AQ+\r\n
      31rwmvBx8VvcLgQvKpNzPVhMQjelK7k5iPiPc/W1soaauepq3YwQKgGod4c5Vh9f\r\n
      MInSANfOLOUSo3pUzfaQaGEvQc5DbKjDgIjsv/OKI1acbzu067KQzIThu+1BvcqQ\r\n
      Ypo2Ux5W23nNqkrRZ++z/r1MI2jS3vwi5OSwz4fWhLPJXE6lwokc6b/uAZe7sLT6\r\n
      QQtjevLnmMyRIVnmxbtHPMSfhLdz8ssQhoNCfAkMnBjDUX31SSs67pU8v5O3Fn2H\r\n
      d+qFWCjrREwSpBAd24INJqKsjSa6j3oLL8Xw8HZf+x6QRPJch/c3FNWRtM2b9n8V\r\n
      sAQiD985pafyeQ1TqIe4iSjI0iUgy2WgwO0C1Z0PNbQzQmRk0EOAlxIXjPmB229P\r\n
      V4+OcZxLT9phP/rid1Qt9Ro+2LdkS9Zqe8c2JHeJKc5Nv/8OOX5uQ/B82JXnuXYi\r\n
      /oVEJb5t42G8u3IIkYM5G/Gt033WU6dbyKOBmdnbXaPw9LC3M7oop3yyCb3UDLfg\r\n
      g/XnZVvZxSPCPlh5G1Lb0r47siKq/0k9YRua0AFsVg0dhqfuwsb6G9Hx5EicuPsu\r\n
      OIjXINBTjlnE4SdMz0ZJt7bLjwlKdQIDAQABAoICAAlWo8QHfYs+sMoF0Njbavam\r\n
      SYvNxZxWJacW0mdWu4ylh7O+dZ31cI3k4d7y5inLeksYkI90MsgczAtu9XlzJLPO\r\n
      WamlKcBtoCCBb5Vy4GbVV61SuKLF2krxn+6uAC8nIusJepXLf3JC4fXyuLkWFbIr\r\n
      O4s9od3Pn+gSh1nv+J/fzSJfmbLgwN1vQLgPAsQDD3o7CHFTP318ZsDnclUhnst0\r\n
      FQnckzzgWO3fQP7XNg3WyzX0UKYtW97L+bEJE55FQ2Us0gWyhOU7dLH2casztqzc\r\n
      F/8T91+fzlZAz9OaCAks6Tyb7L2I5KlhtNRF/bU8rAiy6tnVBgLeZG9d3upcQxX0\r\n
      L+SMPWg55qERGI5mO+BxFdUnVtcmswziKmySYtzgm+c4jmPS5cWhGB9HFCTW2S0x\r\n
      GoVA2cZGWjMTrbZQhgJjBqzp76fhLtXTufd328sYmX7fBYKEWFYNwrEJaWYUNl/V\r\n
      yEyl0aMQWKhVokx6eCqnuDZUc77LeuGuCleIdhQ53NYHrXMCmgVyLfmGdrOS3Uh6\r\n
      RrAYmnvvMkAUTOQajW2csC345PmgBOjE7vB7349ylKUkXvN4L+9xZCYaVjBt3O24\r\n
      aRoQSQDGhk+NIaYleiFx+u7dJSryxdx/6ut6dQ2S+jKlm1oN1qq6ppO5y/TFRQ1e\r\n
      qn7kjIGzUT80fANDFqdhAoIBAQD1+cGiWXRQhUrJc5X3ngH1zHoLWpmSZcUUDFn/\r\n
      bV/CChd2M43fOpneIQETZ1oS7BsU3y92kTw63ytYOUg7C5iT5/r9ZoBGq0HZSbll\r\n
      riRJWGiajr2aYCmIes++CrfUvCcD6+l8QMZ3s8eXdk80GX+vt1xEfRpWV9e9huJK\r\n
      K1e8wXfFmPAmxUi63IePscdc+SVQGeooMYDnMwLWvxpAtp5mGOaQc4D5dviWXjSE\r\n
      Z/PJa+gectpD1iDIPUXm3o17ivE2UYFia8/FCGUN6Yz7ucRKF+2SPO8hLefk5UvJ\r\n
      Lxlkh67MXKkneDqRU9C82Qmcfz5nQLQadC0nbE44YeXrnlIdAoIBAQDu1AWMIe6f\r\n
      7TZYCWnTa3nT6penJ9CMaGDPI/62dKTmGnI4oo3u9DGGrnuWbcFFCQA02vcYdpuw\r\n
      CVy6mkP/yqN5VSV3EHZiJUA0aKIxot3o3YOiobpVYn9hwvzzOdMZO4SOuevNfY1c\r\n
      qmnLGhYoDvR1c2yaudCf/BDwQqlLoSg9F5X57bRtwaRyUjhtXVKXWb59qtiwwrvp\r\n
      1vPjxciEIxAtgSXtIUQz3ljDRNUHjpyfYM3ska5jkxMIPNYUYFMX2x+Gxn9PZEG3\r\n
      Im391BRynZsnkvJO6i4i5N1xsPK5SyPiKBnlMxW/6ZLi5aAQHV3cc2KLzV+T+s2B\r\n
      v9LTAyO7nWo5AoIBAASA/jqqyKZwyl3F8AkIq6CEjfeHQSidFG65iyxSJF65MJTJ\r\n
      fN+Jgye+Evb3/X47NIO9UnEpV6D8VR7YbaonHDQZG09ogRDKMfp4jxx9g8yUAdZS\r\n
      psYc3KXTGdqw94y9pTk9KJlN1lR6xjzPvcOGdAATq2zVnZXXJewifCI/iOu73yWP\r\n
      F1aeZiaFwzWuW6goJ7a/wrnZrjKNjI/CEAj/TwcvjYk3lDT9KLAYKX4DKUOW5jko\r\n
      gTacxRzlglIn4Q9SC/iipWvX7YX+EVuf2yUA0cdJiOAUnYxN+uEGEc0tP5nHoju7\r\n
      tp0yZmAi2L+cecCT0+CwHpwdZHZEVWpS4JLf40ECggEBALFSZIgGDZlaU5YL7zHV\r\n
      Q5APRugKDLKjMPW7IPwxINnj2tioAL/hOQBpfkNTXEM4ipmz1fCo57FNUjcOINzD\r\n
      hJqqmHWNmIgIZmJDKeG2rhKenYTblXCeADwCvTKNxWmfoi0iZ6ybwqCBuqjcxoSZ\r\n
      jfHCcGl0+yw9yAnLRM1ta2XopCb70ZIIS2PCHjk9J/xN2ryNY/PhsgnN2ilMiTNq\r\n
      oTFYCWPF5lCojrj020KQJUPEaUBzbcpqwZ/FI6HfXvKAdCjqKk40/wHNI2Np2oC6\r\n
      +h7o4NWs0/J+gNhP6/edjZf19DwTsNtbvf6PRUeRtkXeudVY99T0Sy9B0HNxik9b\r\n
      cikCggEAM2wassiP1i0Gc3wrbNLHyQN+yqMaAp0xF+8l0fU3T8zPL/tYDcITnZPY\r\n
      pEFV/aodP9X7XFuQD0iGTOTGDXiMSLPOLI/ifmwbT41rgIN9x14MpU2EtWeVz7sx\r\n
      ZIFMt98rHx6BsZx/DnSFDQ8iqrKF3u+OOv7s6j+8odz4Rq53+16vMev5VUMOPq+E\r\n
      aQn8SDKkOjZzwb9QGB9bXS5s9yyj4pLyggQ0O5S2ugZjUcmCecNpktN8bUR3I9VQ\r\n
      KWkcQa9yCpidp/JYrQtlbqAPiIzptA4T4RNh+F6pKbmw7hNMIPipPzbQezEMaBOn\r\n
      Cgb38EldyAVGjCzRGfhu9SNU9B03bg==\r\n
      -----END PRIVATE KEY-----
      """
    +publicKey: """
      -----BEGIN PUBLIC KEY-----\r\n
      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5XnqLc+UwYjJQmLCWCR1\r\n
      TcY7577dKrEANvNge73agU2wEXw+PYij4jCMIFNsoQiNKE0kMHNmcvQEPt9a8Jrw\r\n
      cfFb3C4ELyqTcz1YTEI3pSu5OYj4j3P1tbKGmrnqat2MECoBqHeHOVYfXzCJ0gDX\r\n
      zizlEqN6VM32kGhhL0HOQ2yow4CI7L/ziiNWnG87tOuykMyE4bvtQb3KkGKaNlMe\r\n
      Vtt5zapK0Wfvs/69TCNo0t78IuTksM+H1oSzyVxOpcKJHOm/7gGXu7C0+kELY3ry\r\n
      55jMkSFZ5sW7RzzEn4S3c/LLEIaDQnwJDJwYw1F99UkrOu6VPL+TtxZ9h3fqhVgo\r\n
      60RMEqQQHduCDSairI0muo96Cy/F8PB2X/sekETyXIf3NxTVkbTNm/Z/FbAEIg/f\r\n
      OaWn8nkNU6iHuIkoyNIlIMtloMDtAtWdDzW0M0JkZNBDgJcSF4z5gdtvT1ePjnGc\r\n
      S0/aYT/64ndULfUaPti3ZEvWanvHNiR3iSnOTb//Djl+bkPwfNiV57l2Iv6FRCW+\r\n
      beNhvLtyCJGDORvxrdN91lOnW8ijgZnZ212j8PSwtzO6KKd8sgm91Ay34IP152Vb\r\n
      2cUjwj5YeRtS29K+O7Iiqv9JPWEbmtABbFYNHYan7sLG+hvR8eRInLj7LjiI1yDQ\r\n
      U45ZxOEnTM9GSbe2y48JSnUCAwEAAQ==\r\n
      -----END PUBLIC KEY-----
      """
    +apFetchedAt: null
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1686560440 {#15958
      date: 2023-06-12 11:00:40.0 +02:00
    }
    +__isInitialized__: true
     …2
  }
  +showAvatar: true
}
related_magazines App\Twig\Components\RelatedMagazinesComponent 16.0 MiB 12.68 ms
Input props
[
  "magazine" => "linux@lemmy.ml"
  "tag" => null
]
Attributes
[]
Component
App\Twig\Components\RelatedMagazinesComponent {#16119
  +limit: 4
  +tag: null
  +magazine: "linux@lemmy.ml"
  +type: "magazine"
  +title: "related_magazines"
  +refreshedRandom: false
  -repository: App\Repository\MagazineRepository {#333 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
active_users App\Twig\Components\ActiveUsersComponent 16.0 MiB 2.82 ms
Input props
[
  "magazine" => App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\ActiveUsersComponent {#16206
  +magazine: App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  -userRepository: App\Repository\UserRepository {#603 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
related_categories App\Twig\Components\RelatedCategoriesComponent 16.0 MiB 14.36 ms
Input props
[
  "magazine" => "linux@lemmy.ml"
  "tag" => null
]
Attributes
[]
Component
App\Twig\Components\RelatedCategoriesComponent {#16265
  +limit: 4
  +tag: null
  +magazine: "linux@lemmy.ml"
  +type: "related"
  +title: "related_categories"
  +refreshedRandom: false
  -repository: App\Repository\CategoryRepository {#16266 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
}
related_posts App\Twig\Components\RelatedPostsComponent 16.0 MiB 18.43 ms
Input props
[
  "magazine" => "linux@lemmy.ml"
  "tag" => null
]
Attributes
[]
Component
App\Twig\Components\RelatedPostsComponent {#16336
  +limit: 4
  +tag: null
  +magazine: "linux@lemmy.ml"
  +type: "magazine"
  +post: null
  +title: "related_posts"
  +refreshedRandom: false
  -repository: App\Repository\PostRepository {#16335 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -mentionManager: App\Service\MentionManager {#389 …}
}
related_entries App\Twig\Components\RelatedEntriesComponent 16.0 MiB 13.24 ms
Input props
[
  "magazine" => "linux@lemmy.ml"
  "tag" => null
]
Attributes
[]
Component
App\Twig\Components\RelatedEntriesComponent {#16405
  +limit: 4
  +tag: null
  +magazine: "linux@lemmy.ml"
  +type: "magazine"
  +entry: null
  +title: "related_entries"
  +refreshedRandom: false
  -repository: App\Repository\EntryRepository {#270 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -twig: Twig\Environment {#1252 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -mentionManager: App\Service\MentionManager {#389 …}
}
support_us_block App\Twig\Components\SupportUsBlock 16.0 MiB 19.60 ms
Input props
[]
Attributes
[]
Component
App\Twig\Components\SupportUsBlock {#16474
  +subject: ? App\Entity\Contracts\VotableInterface
  +url: ? string
  -twig: Twig\Environment {#1252 …}
  -cache: Symfony\Component\Cache\Adapter\TraceableTagAwareAdapter {#600 …}
  -requestStack: Symfony\Component\HttpFoundation\RequestStack {#1328 …}
  -partnerBlockRepository: App\Repository\PartnerBlockRepository {#16475 …}
}
featured_magazines App\Twig\Components\FeaturedMagazinesComponent 16.0 MiB 15.17 ms
Input props
[
  "magazine" => App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
]
Attributes
[]
Component
App\Twig\Components\FeaturedMagazinesComponent {#16563
  +magazine: App\Entity\Magazine {#265
    +icon: Proxies\__CG__\App\Entity\Image {#246 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#275
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#237 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#233 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#222 …}
    +entries: Doctrine\ORM\PersistentCollection {#180 …}
    +posts: Doctrine\ORM\PersistentCollection {#138 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#200 …}
    +bans: Doctrine\ORM\PersistentCollection {#117 …}
    +reports: Doctrine\ORM\PersistentCollection {#103 …}
    +badges: Doctrine\ORM\PersistentCollection {#81 …}
    +logs: Doctrine\ORM\PersistentCollection {#71 …}
    +awards: Doctrine\ORM\PersistentCollection {#1346 …}
    +categories: Doctrine\ORM\PersistentCollection {#1823 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#269
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#271
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  -twig: Twig\Environment {#1252 …}
  -repository: App\Repository\MagazineRepository {#333 …}
}