

kanzalibrary, in Linux Containers From Scratch in C

I just found myself that C is the worst programming language as many people say, but the security and simplicity is more than any language in security. Thank you so much for this!

TimeSquirrel, (edited )


C: "Lemme just accept anything the user gives me, write beyond the input buffer, glitch out, and start executing whatever the fuck the user injects in there."

Still a decent language though, but like an oxy-acetylene torch, it's a powerful tool, but you better know what you're doing.


How is C more secure than Rust? Doesn’t it lack features such as safe memory handling?


In that talk he called C “the worst language” and said he chose it to troll the industry. How does that support your point?

He also said that you should choose “least privilege” whenever possible. That is precisely the value that Rust brings over C. So how does that talk support the idea that C is more secure than Rust?


I think you misunderstood or… don’t get the point “worst language” part from what he said. My point comes from his point who’s more expert. If you think like that, what can I say? and I’m not trying convince you to understand too…

Back to your knowledge and understanding. But at least for me, I agree with him that rust is ‘hype-like’ or ‘pop culture’ thing. Like crypto (he said in ask session), but from technical perspective, that I personally understand. I just lost the source to explain this, but it’s up to you…

taladar, in Is it actually dangerous to run Firefox as root?

but no one seems to be discussing how risky it actually is.

That is because people stopped doing it ages ago.

But shouldn’t Firefox be sandboxing every website and not allowing anything to access the base system?

Security is always a matter of layers. Any given layer can fail some of the time but you want to set up your security so situations where all the layers fail together are rare.

Ashiette, (edited ) in Linux Hijinks

The POSIFLEX issue might have to do with MBR. On your final linux installation, your partition table should NOT be using gpt but mbr and that might solve the issues.

It has to do with older BIOS not recognising gpt and henceforth being unable to boot from the disk.

N.B. you might have to configure your GRUB/systemd loader accordingly.

MrPhibb

I sorta understood that, but nothing research can’t answer. I know just enough extra about computers to really bork things. 😜

Attached is a pic of the BIOS, and I think you can see what I mean about it not being the real BIOS

hunger, in Is it actually dangerous to run Firefox as root?

Using anything as root is a security risk.

Using any UI application as root is a bigger risk. That’s because every UI toolkit loads plugins and what not from all over the place and runs the code from those plugins (e.g. plugins installed system wide and into random places some environment variables point to). Binary plugins get executed in the context of the application running and can change every aspect of your program. I wrote a small image plugin to debug an issue once that looked at all widgets in the UI and wrote all the contents of all text fields (even those obfuscated to show only dots in the UI) to disk whenever some image was loaded. Plugins in JS or other non-native code are more limited, but UI toolkits tend to have binary plugins.

So if somebody manages to set some env vars and gets root to run some UI application with those set (e.g. using sudo), then that attacker hit the jackpot. In fact some toolkits will not even bring up any UI when run as root to avoid this.

Running any networked UI application as root is the biggest risk. Those process untrusted data by definition with who knows what set of plugins loaded.

Ideally you run the UI as a normal user and then use sudo to run individual commands as root.

HiddenLayer5

So is the main worry with GUIs that they have potential code execution vulnerabilities? Or is the worry that the plugins themselves are malicious?

hunger

Plugins are a code execution vulnerability by design;-) Especially with binary plugins you can call/access/inspect everything the program itself can. All UI toolkits make heavy use of plugins, so you can not avoid those with almost all UI applications.

There are non-UI applications with similar problems though.

Running anything with network access as root is an extra risk that affects UI and non-UI applications in the same way.

Dyskolos, in Is it actually dangerous to run Firefox as root?

Just don’t do that 😁

I don’t get it anyway, if you login remotely, why don’t you just open firefox locally but on the remote servers? This makes not much sense.

But if you absolutely have to. … At least be careful with your surf-targets. A search-engine and wiki would most likely be fine. Some pron-, stream- or warez-sites? Nah. Surely not.

dd56, in Thoughts on this?

You will never be a real display server. You have no hardware cursors, you have no xrandr, you have no setxkbmap. You are a toy project twisted by Red Hat and GNOME into a crude mockery of X11’s perfection.

All the “validation” you get is two-faced and half-hearted. Behind your back people mock you. Your developers are disgusted and ashamed of you, your “users” laugh at your lack of features behind closed doors.

Linux users are utterly repulsed by you. Thousands of years of evolution have allowed them to sniff out defective software with incredible efficiency. Even Wayland sessions that “work” look uncanny and unnatural to a seasoned sysadmin. Your bizarre render loop is a dead giveaway. And even if you manage to get a drunk Arch user home with you, he’ll turn tail and bolt the second he gets a whiff of your high latency due to forced VSync.

You will never be happy. You wrench out a fake smile every single morning and tell yourself it’s going to be ok, but deep inside you feel the technical debt creeping up like a weed, ready to crush you under the unbearable weight.

Eventually it’ll be too much to bear - you’ll log into the GitLab instance, select the project, press Delete, and plunge it into the cold abyss. Your users will find the deletion notice, heartbroken but relieved that they no longer have to live with the unbearable shame and disappointment. They’ll remember you as the biggest failure of open source development, and every passerby for the rest of eternity will know a badly run project has failed there. Your code will decay and go to historical archives, and all that will remain of your legacy is a codebase that is unmistakably poorly written.

This is your fate. This is what you chose. There is no turning back.

dbx12, in Is it actually dangerous to run Firefox as root?

Without any judgement: why are your servers running X11? Just because you dislike SSH’ing to them?

HiddenLayer5

Mainly that. I want to be able to have multiple terminal windows open and have them stay open independent of my main PC. Part of the reason I have a file server instead of plugging all the drives into my PC is so I can offload processor heavy operations onto it (namely making archives and compressing files for long term storage) so I don’t have to use my PC for that.

People have mentioned programs like screen but IMO it’s way more annoying to juggle multiple terminals with it than if they were just windows, and also screen doesn’t scroll so whatever goes beyond the top edge is just inaccessible which I find really annoying. I’ve also been screwed by mistyped file operations on the terminal before (deleting stuff I didn’t mean to mainly) and I just find it safer to use a GUI file manager where it’s a lot harder to subtly mess something up and not notice until it’s too late.


Hmm, I see. The perfectionist in me would want to shed that processor load though ^^


tmux has long been the better replacement to screen. SFTP makes it so you can use desktop software for file system operations.

Hexarei

screen doesn’t scroll

Screen (and any other muxer) can scroll just fine. You just have to learn how to do it in each one. Tmux, for example, is ctrl+b [ to enter scroll mode.

mistyped file operations

Get a good TUI file manager. I use and recommend ranger.


Screen uses Ctrl-a Esc (you press Ctrl+a, release them and then tap Esc, then you can scroll with arrows or pgup/pgdown)

0xtero, (edited ) in Is it actually dangerous to run Firefox as root?

I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system)

I’m not going to judge you (too much), it’s your system, but that’s an unnecessarily risky setup. You should never need to logon to root desktop like that, even for convenience reasons.

I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don’t tell me it’s just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random ‘oops’.

I do also remember using the browser in my main server to figure out how to set up the PiHole

To be honest, you’re most probably OK - malicious ad campaigns are normally not running 24/7 globally. Chances of you randomly tumbling into a malicious drive-by exploit are quite small (normally they redirect you to install fake addons/updates etc), but of course it’s hard to tell because you don’t remember what sites you visited. Since most of this has gone through PiHole filters, I’d say there’s even smaller chance to get insta-pwned.

But have a look at browser history on the affected root accounts, the sites along with timestamps should be there. You can also examine your system logs and correlate events to your browser history, look for weird login events or anything that doesn’t look like “normal usage”. You can set up some network monitoring stuff (like SecurityOnion) on your router’s SPAN, if you’re really paranoid and try to see if there’s any anomalous connections when you’re not using the system. You could also consider setting up ClamAV and doing a scan.

You’re probably OK and that’s just paranoia.

But… having mentioned paranoia… now you’ll always have that nagging lack of trust in your system that won’t go away. I can’t speak to how you deal with that, because it’s all about your own risk appetite and threat model.

Since these are home systems the potential monetary damage from downtime and re-install isn’t huge, so personally I’d just take the hit and wipe/reinstall. I’d learn from my mistakes and build it all up again with better routines and hygiene. But that’s what I’d do. You might choose to do something else and that might be OK too.
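One way to do the history-and-log correlation suggested in the comment above, as an added example that is not from the thread: it reads visit times from a Firefox `places.sqlite` (tables `moz_places` and `moz_historyvisits`, `visit_date` in microseconds since the epoch) and pairs each visit with notable log events in the minutes after it. The database rows, the log lines, the keyword list and the ISO-timestamp log format (such as `journalctl -o short-iso` output) are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Substrings worth a second look in auth logs (an assumption; tune to your logs).
NEEDLES = ("Accepted ", "session opened for user root", "new user", "COMMAND=")


def load_visits(db):
    """Return [(utc_datetime, url)] from an open places.sqlite connection.

    For a real profile, work on a copy of the file, e.g.
    sqlite3.connect("file:/path/to/copy/places.sqlite?mode=ro", uri=True).
    """
    rows = db.execute(
        "SELECT v.visit_date, p.url FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
    )
    return [(EPOCH + timedelta(microseconds=ts), url) for ts, url in rows]


def parse_log(lines, needles=NEEDLES):
    """Return [(datetime, message)] for lines that carry one of the needles."""
    events = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            continue  # line does not start with the assumed timestamp format
        if any(n in rest for n in needles):
            events.append((when, rest))
    return events


def correlate(visits, events, window=timedelta(minutes=10)):
    """Return [(url, visit_time, [events])] for visits followed by events."""
    hits = []
    for seen, url in visits:
        near = [e for e in events if seen <= e[0] <= seen + window]
        if near:
            hits.append((url, seen, near))
    return hits


def build_sample_db():
    """Constructed stand-in for places.sqlite with only the columns used here."""
    def us(*hms):
        return int(datetime(2023, 12, 20, *hms, tzinfo=timezone.utc).timestamp()) * 1_000_000

    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits "
        "(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);"
    )
    db.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "http://example.test/pihole-setup"),
        (2, "http://example.test/docs"),
    ])
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, us(14, 0, 0)),
        (2, 2, us(16, 30, 0)),
    ])
    return db


# Constructed log lines, including one that does not parse.
SAMPLE_LOG = [
    "-- Boot 0 --",
    "2023-12-20T14:04:12+0000 nas sshd[2211]: Accepted password for root from 192.0.2.44 port 50122 ssh2",
    "2023-12-20T14:05:00+0000 nas CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "2023-12-20T18:00:03+0000 nas login[2410]: pam_unix(login:session): session opened for user root",
]

if __name__ == "__main__":
    for url, seen, near in correlate(load_visits(build_sample_db()), parse_log(SAMPLE_LOG)):
        print(seen.isoformat(), url)
        for when, msg in near:
            print("   ", when.isoformat(), msg)
```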

HiddenLayer5

I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don’t tell me it’s just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random ‘oops’.

I have never accessed any of my servers from the internet and haven’t even adjusted my router firewall settings to allow this. I kept wanting to but never got around to it.

Since these are home systems the potential monetary damage from downtime and re-install isn’t huge, so personally I’d just take the hit and wipe/reinstall. I’d learn from my mistakes and build it all up again with better routines and hygiene. But that’s what I’d do.

Yeah this and other comments have convinced me to reinstall and start from scratch. Will be super annoying to set everything back up but I am indeed paranoid.

amju_wolf

I have never accessed any of my servers from the internet and haven’t even adjusted my router firewall settings to allow this. I kept wanting to but never got around to it.

Does that mean you realistically don’t even know your network (router) setup? Because it’s entirely possible your machine is completely open to the internet - say, thanks to IPv6 autoconfiguration - and you wouldn’t even know about it.

It’s pretty unlikely but could potentially happen with some ISPs. Please always set up a firewall, especially for a server type machine. It’s really simple to block incoming outside traffic.

HiddenLayer5, (edited )

Huh. I never even thought of that. I use my ISP’s router in bridge mode and have my own router running on mostly default settings, IIRC the only thing I explicitly changed was to have it forward DNS requests to my Pihole. I should inspect the settings more closely or as you said just configure the server to block the relevant ports from outside the LAN. Thank you.

amju_wolf

Oh if you even have your own router then have a firewall (primarily) there, and simply block every incoming forward connection except the ones you actually want (probably forwarded to your server). Similarly even for the router input rules you likely need only ICMP and not much else.

savvywolf, in Friendly reminder

Remember to check your three "B"s; your balls, your breasts and your backups.


I’m using this from now on

MimicJar, in Is it actually dangerous to run Firefox as root?

…/mfsa2023-56/

That’s a link to the most recent release of Firefox and the security vulnerabilities that were fixed.

You’ll notice the first one listed says, “This issue could allow an attacker to perform remote code execution and sandbox escape.”

So if you visited a site that exploited that bug, it escaped the sandbox and ran whatever code it wanted to. Since you were running as root it could do anything it wants. Your device is now the property of someone else. Potentially all your data has been stolen. You probably didn’t even notice.

Now. Realistically. You probably didn’t get exploited. Your device may not be vulnerable to that particular bug. But new bugs are found, and fixed, and created every day. Can you be sure you weren’t exploited?

Let’s look at it a different way. Think of it like driving a car with no seatbelt or airbags. As long as you don’t crash, you’re fine. The car still works fine without seatbelts and you have more freedom to move your arms around.

Let’s look at it a different way. Do you ever lock the door to your home/apartment? Heck do you even close the door? Why not leave it wide open?

At the end of the day security is about layers and the trade offs for convenience. You can run KDE as root, and you can run Firefox as root. You’ll probably be fine. It’s like driving without a seatbelt or leaving your front door wide open, but you can do it. If you do drive with a seatbelt and at least close your front door, you can probably run KDE and Firefox as a regular user.

buh, in Friendly reminder

nvidia torvalds-nvidia mentioned

Dirk

… the single worst company …


I wish. They are not even close.


Nestle has entered the chat.


BP has entered the chat


IG Farben fades away the competition.

Dirk

Woah, stop! No professionals!

Illecors, in Is it actually dangerous to run Firefox as root?

Is it actually dangerous to run Firefox as root?

Yes, very. This is not specific to Firefox, but anything running as root gets access to everything. Only one thing has to go wrong for the whole system to get busted.

usually logged into KDE Plasma as root.

Please don’t do this! DEs are not tested to be run as root! Millions of lines of code are expected to not have access to anything they shouldn’t have and as such might be built to fail quietly if accessing something they shouldn’t in the first place. Same thing applies to Firefox, really.

HiddenLayer5

Please don’t do this! DEs are not tested to be run as root! Millions of lines of code are expected to not have access to anything they shouldn’t have and as such might be built to fail quietly if accessing something they shouldn’t in the first place. Same thing applies to Firefox, really.

Could you elaborate on this? I’m genuinely surprised because Fedora just asks you if you want to have the option to log into root from KDE during installation, so I always just assumed that it’s intended to be used that way.

Illecors, (edited )

I don’t know the specifics on Fedora’s installer, but normally that question is about disabling root account, not logging into a DE.

Not sure what else to elaborate here. There’s a bunch of code that is not tested to be run as root. A whole class of exploits becomes unavailable, if you stick to an unprivileged user.

Say there’s some exploit that allows some component of KDE to be used to read a file. If it’s running under an unprivileged user - it sucks. Everything in user’s homedir becomes fair game. But if it runs as root - it’s simply game over. Everything on the system is accessible. All config, all bad config, files of all applications (databases come to mind). Everything.

HiddenLayer5, (edited )

Thank you.

Say there’s some exploit that allows some component of KDE to be used to read a file. If it’s running under an unprivileged user - it sucks. Everything in user’s homedir becomes fair game. But if it runs as root - it’s simply game over. Everything on the system is accessible. All config, all bad config, files of all applications (databases come to mind). Everything.

This is also something I’m thinking about: All the hard drives mounted on the server are accessible to the only regular user as that is what my other computers use to access them. I’m the only one with access to the server so everything is accessible under one user. The data on those drives is what I want to protect, so wouldn’t a vulnerability in either KDE or Firefox be just as dangerous to those files even running as the regular user?

Also, since my PC has those drives mounted through the server and accessible to the regular user that I use my PC as, wouldn’t a vulnerability in a program running as the regular user of my PC also compromise those files even if the server only hosted the files and did absolutely nothing else? Going back to the Firefox thing, if I had a sandbox breach on my PC, it would still be able to read the files on the server right? Wouldn’t that be just as bad as if I had been running Firefox as root on the server itself? Really feels like the only way to 100% keep those files safe is to never access them from an internet accessible computer, and everything else just falls short and is just as bad as the worst case scenario, though maybe I’m missing something. Am I just being paranoid about the non-root scenarios?

How does a “professional” NAS setup handle this?


You never log in as root. On every new VM/LXC I create, I delete the root password after setting it up so that my regular user can use sudo.

Run as your regular user and sudo the commands that need privileges.

Also if these are servers, run them headless. There’s no need for a GUI or a browser (use wget or curl for downloads, use your local browser for browsing)


You keep your files safe by having backups. Multiple copies. Set up the backups to get copied to another server or other system your regular user doesn’t have access to. Ideally, you follow the 3-2-1 backup standard if the files are important. That is 3 copies, on 2 different media, and 1 offsite. There are many ways of accomplishing that and it’s up to you to figure out what works best.

amju_wolf, (edited ) in Is it actually dangerous to run Firefox as root?

I don’t want to step on your workflow too much since it somehow seems to work for you but your main issue stems from the fact that you clearly don’t work with your server as if it actually was a server.

You shouldn’t really have a desktop interface running there in the first place (let alone as root and then using it as a regular user). You should ask yourself what it actually solves for you and be open to trying different (and more standard) solutions to what you’re trying to achieve.

It’d probably consist of less clicking and using the CLI a bit more, but for stuff like file management you can still easily use

If you need terminal sessions that keep scrollback and don’t stop when you disconnect you should learn to use tmux or screen or something like that. But then again if you’re running actual software in there then you should probably use a service (daemon) for that.

As for whether it’s a security issue, yeah it most definitely is. Just like it’s a security issue to run literally any networked application as root. Security isn’t black and white and there are trade offs to be made but most people wouldn’t consider what you’re doing a reasonable tradeoff.

HiddenLayer5, (edited )

I had actually moved from a fully CLI server to one with a full desktop when I upgraded from a single board computer to x86. The issue is that it’s not just a NAS, but I regularly use it to offload long operations (moving, copying, or compressing files, mostly) so I don’t need to use my PC for those. To do that I just remote into it and type in the command, then I can turn my PC off or do whatever without affecting the operation. So in a way it’s a second PC that also happens to be a server for my other machines.

I use screen occasionally, and I used to use it a lot more when it was CLI only, but I find it really unwieldy due to how it manages multiple active terminals where you have to type in the ID of each screen to go back into it, and also because it refuses to scroll even when run in a terminal emulator that supports scrolling, where it just cycles between recent commands when you move the scroll wheel.

Not trying to make excuses, just trying to explain my reasoning. I know it’s bad practice and none of these are things I’d do if I was managing an actual production server, but since it’s only accessible from my LAN I tend to be a lot more lax with it.

I’m wondering if I could benefit from some kind of virtualized setup that separates the server stuff while still letting me remote into a desktop on the same machine for doing stuff, or if I can get away with just remoting into not the root user. Though I’ve never used a hypervisor and have no idea how to so I’m not sure how well that would go, since the well-known open source ones like Xen seem really technical and really feels like something not meant to be used outside an actual data centre.


I’d go for remoting in as not root as the first (and maybe only) step for better security.

From there, running the services in VMs would probably be the next step. Docker might be better, but I have gotten into that yet myself.

As for hypervisor, KVM has worked great for me.

pbjamm

KVM is awesome. It is the core of Proxmox which is my preferred way to manage VMs and LXC containers now. I used to run debian+KVM+virt-manager or cockpit but Proxmox does all the noodling setup for me and then just works.

Illecors, (edited )

Sorry, this is very much a PEBKAC issue. This is an excerpt from my tmux config:

    # Start windows and panes at 1, not 0
    set -g base-index 1
    setw -g pane-base-index 1

    # Use Alt-arrow keys without prefix key to switch panes
    bind -n M-Left select-pane -L
    bind -n M-Right select-pane -R
    bind -n M-Up select-pane -U
    bind -n M-Down select-pane -D

    # Shift arrow to switch windows
    bind -n S-Left  previous-window
    bind -n S-Right next-window

    # No delay for escape key press
    set -sg escape-time 0

    # Increase scrollback buffer size from 2000 to 50000 lines
    set -g history-limit 50000

    # Increase tmux messages display duration from 750ms to 4s
    set -g display-time 4000

    # Bind pane creation keys to reuse current directory
    bind % split-window -h -c "#{pane_current_path}"
    bind '"' split-window -v -c "#{pane_current_path}"

I hope the comments are self explanatory.

Scrolling works with Ctrl+b Page Up/Down. There are other shortcuts, but this is probably the most obvious. q to quit scrolling.

Ctrl+b d to detach from a session. tmux a to attach. As always, many options are available to have many named sessions running simultaneously, but that is for a later time.

amju_wolf, (edited )

I see. In that case you should really try tmux; I didn’t vibe with screen either but I find tmux quite usable.

For the most part I just open several terminal windows/tabs on my local machine and remote with each one to the server, and I use tmux only when I explicitly need to keep something running. Since that’s usually just one thing I can use like two tmux commands and don’t need anything else.

Oh and for stuff like copying and such I’d use rsync instead of primitive cp so that in case it gets interrupted I only copy what’s needed.

I wouldn’t bother with virtualization and such; you’d only complicate things for yourself. Try to keep it simple but do it properly: learn some command line basics and you’ll see that in a year it’ll become second nature.

rufus, (edited ) in Is it actually dangerous to run Firefox as root?

Yes. Running anything as root is potentially dangerous. And a browser is a complex and big piece of software with many security issues that can be (potentially) triggered remotely. So it’s bad because of two reasons.

Btw a desktop environment also is a complex and big piece of software with potential issues. Running the whole desktop as root is another thing you wouldn’t do for extra security.

The proper way is to just create a user account and run the desktop and browser as a user. Open a terminal and ‘su’ or ‘sudo’ to limit root rights to the operations that actually need those permissions.

Just running everything as root certainly works. But you do away with all the extra layers of security and end up with something as secure as MS-DOS or a Windows in the 90s or early 2000s.

gnuhaut, in Is it actually dangerous to run Firefox as root?

On a typical home user desktop linux setup, there’s virtually no difference between your regular user and root.

Access to your data, emails, passwords, installing software (in /home), access to LAN and so on are already possible without root permissions, so there really is not a whole lot that an attacker cannot do even without root.

And then, if you use sudo or su (or whatever) to switch to root with a password, escalating to root privileges is basically trivial for an attacker. An attacker can divert your PATH to compromised binaries. They could just replace “sudo” with their own little script that steals your password.
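A defensive check for two points raised in this thread, hunger's comment about toolkits loading plugins from directories named in environment variables and the comment above about a diverted `PATH`; it is an added example, not code from any poster. It lists search-path entries that an account other than root could write to and reports which PATH directories are consulted before a command such as `sudo` resolves. The variable list is a common but not exhaustive set, and treating only uid 0 and gid 0 as trusted is an assumption.

```python
import os
import stat

# Common search-path variables; not exhaustive (assumption of this example).
SEARCH_VARS = ("PATH", "LD_LIBRARY_PATH", "QT_PLUGIN_PATH", "GTK_PATH",
               "GIO_EXTRA_MODULES")


def untrusted_reason(path, trusted_uids=(0,), trusted_gids=(0,)):
    """Return why `path` should not be trusted as a search directory, or None.

    Only the directory itself is checked, not its parents.
    """
    try:
        st = os.stat(path)
    except OSError:
        return "does not exist or cannot be inspected"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        return f"writable by gid {st.st_gid}"
    return None


def audit_env(env, trusted_uids=(0,)):
    """List (variable, entry, reason) for each risky search-path entry in env."""
    findings = []
    for var in SEARCH_VARS:
        if var not in env:
            continue
        for entry in env[var].split(os.pathsep):
            if not entry and var != "PATH":
                continue  # empty entries are only assessed for PATH here
            if not os.path.isabs(entry):
                reason = "empty or relative entry, resolved against the current directory"
            else:
                reason = untrusted_reason(entry, trusted_uids)
            if reason:
                findings.append((var, entry, reason))
    return findings


def resolve(cmd, path):
    """Return the first PATH entry holding an executable file named cmd, or None."""
    for entry in path.split(os.pathsep):
        cand = os.path.join(entry or ".", cmd)
        if os.path.isfile(cand) and os.stat(cand).st_mode & 0o111:
            return entry
    return None


def shadow_risk(cmd, env, trusted_uids=(0,)):
    """Return (resolved path, risky PATH entries searched up to and including it).

    A risky entry ahead of the real binary is where a look-alike could be
    planted by anyone able to write to that directory.
    """
    path = env.get("PATH", "")
    home = resolve(cmd, path)
    risky = []
    for entry in path.split(os.pathsep):
        reason = untrusted_reason(entry or ".", trusted_uids)
        if reason:
            risky.append((entry, reason))
        if entry == home:
            break
    found = os.path.join(home or ".", cmd) if home is not None else None
    return found, risky


if __name__ == "__main__":
    for var, entry, reason in audit_env(os.environ):
        print(f"{var}: {entry!r}: {reason}")
    found, risky = shadow_risk("sudo", os.environ)
    print("sudo resolves to", found)
    for entry, reason in risky:
        print(f"  searched before or with it: {entry!r}: {reason}")
```

Run it as the account that invokes sudo. The sudoers options `env_reset` and `secure_path` limit how much of that environment reaches the root command.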
