1 |
DENIED
|
ROLE_USER
|
null |
|
2 |
DENIED
|
moderate
|
Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
-bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
}
0 => App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
}
]
-id: 16138
-titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
} |
|
3 |
DENIED
|
edit
|
Proxies\__CG__\App\Entity\Entry {#1577 …} |
|
4 |
DENIED
|
moderate
|
Proxies\__CG__\App\Entity\Entry {#1577 …} |
|
5 |
DENIED
|
ROLE_USER
|
null |
|
6 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609}
0 => App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
-bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
}
]
-id: 16138
-titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
-bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
} |
|
Show voter details
|
7 |
DENIED
|
edit
|
App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609}
0 => App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
}
]
-id: 16138
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
} |
|
Show voter details
|
8 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1609 …} |
|
Show voter details
|
9 |
DENIED
|
ROLE_USER
|
null |
|
Show voter details
|
10 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
}
0 => App\Entity\EntryComment {#1550}
]
-id: 16138
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
} |
|
Show voter details
|
11 |
DENIED
|
edit
|
App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
}
0 => App\Entity\EntryComment {#1550}
]
-id: 16138
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
} |
|
|
12 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1550
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577
+user: Proxies\__CG__\App\Entity\User {#2363 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1741
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1906 …}
+votes: Doctrine\ORM\PersistentCollection {#2382 …}
+reports: Doctrine\ORM\PersistentCollection {#2383 …}
+favourites: Doctrine\ORM\PersistentCollection {#1362 …}
+notifications: Doctrine\ORM\PersistentCollection {#1401 …}
+badges: Doctrine\ORM\PersistentCollection {#2021 …}
+children: [
1 => App\Entity\EntryComment {#1609
+user: App\Entity\User {#261 …}
+entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: null
+root: null
+body: """
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
\n
The irony.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 11
+score: 0
+lastActive: DateTime @1701510560 {#1431
date: 2023-12-02 10:49:20.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
]
+children: Doctrine\ORM\PersistentCollection {#1587 …}
+nested: Doctrine\ORM\PersistentCollection {#1574 …}
+votes: Doctrine\ORM\PersistentCollection {#1588 …}
+reports: Doctrine\ORM\PersistentCollection {#1584 …}
+favourites: Doctrine\ORM\PersistentCollection {#1551 …}
+notifications: Doctrine\ORM\PersistentCollection {#1655 …}
-id: 157122
-bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1721846"
+editedAt: null
+createdAt: DateTimeImmutable @1700793081 {#1694
date: 2023-11-24 03:31:21.0 +01:00
}
+"title": 157122
}
0 => App\Entity\EntryComment {#1550}
]
-id: 16138
-titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1610
date: 2023-11-24 01:02:05.0 +01:00
}
+__isInitialized__: true
…2
}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
+body: """
I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
\n
Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 2
+score: 0
+lastActive: DateTime @1700809862 {#1668
date: 2023-11-24 08:11:02.0 +01:00
}
+ip: null
+tags: null
+mentions: [
"@Pantherina@feddit.de"
"@bbbhltz@beehaw.org"
]
+children: Doctrine\ORM\PersistentCollection {#1611 …}
+nested: Doctrine\ORM\PersistentCollection {#1705 …}
+votes: Doctrine\ORM\PersistentCollection {#1692 …}
+reports: Doctrine\ORM\PersistentCollection {#1686 …}
+favourites: Doctrine\ORM\PersistentCollection {#1680 …}
+notifications: Doctrine\ORM\PersistentCollection {#1683 …}
-id: 157623
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://beehaw.org/comment/1722547"
+editedAt: null
+createdAt: DateTimeImmutable @1700809862 {#1567
date: 2023-11-24 08:11:02.0 +01:00
}
+"title": 157623
} |
|
|
13 |
DENIED
|
ROLE_ADMIN
|
null |
|
|
14 |
DENIED
|
ROLE_MODERATOR
|
null |
|
|