# | Result | Attribute | Object
1 | DENIED | ROLE_USER | null
2 | DENIED | moderate | App\Entity\Entry {#1856} (dump follows)
App\Entity\Entry {#1856
+user: Proxies\__CG__\App\Entity\User {#1848 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#2478 …}
+image: null
+domain: App\Entity\Domain {#277 …}
+slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
+title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
+url: "https://www.madaidans-insecurities.github.io/linux.html"
+body: """
Basically\n
\n
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
- X11 is insecure, okay we know that\n
- the kernel is very bloated and everything in there has all the permissions, which is not needed\n
- Kernel bugs are often not fixed quickly or at all\n
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
\n
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
\n
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
\n
This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
\n
`sudo sysctl -w kernel.unprivileged_users_clone=1`\n
\n
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
\n
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
\n
[github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
\n
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
\n
Maybe nix is a solution? Would this be a good idea?\n
\n
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
\n
What do you know about this?
"""
+type: "link"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 8
+favouriteCount: 36
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1700929355 {#1836
date: 2023-11-25 17:22:35.0 +01:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: null
+comments: Doctrine\ORM\PersistentCollection {#1806 …}
+votes: Doctrine\ORM\PersistentCollection {#2427 …}
+reports: Doctrine\ORM\PersistentCollection {#2450 …}
+favourites: Doctrine\ORM\PersistentCollection {#1923 …}
+notifications: Doctrine\ORM\PersistentCollection {#1533 …}
+badges: Doctrine\ORM\PersistentCollection {#1541 …}
+children: []
-id: 16138
-titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
-bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1700870525
+visibility: "visible "
+apId: "https://feddit.de/post/5981126"
+editedAt: null
+createdAt: DateTimeImmutable @1700784125 {#1802
date: 2023-11-24 01:02:05.0 +01:00
}
}
3 | DENIED | edit | App\Entity\Entry {#1856} (same object as row 2; identical dump omitted)
4 | DENIED | moderate | App\Entity\Entry {#1856} (same object as row 2; identical dump omitted)