Some stuff related to madaidan I wrote and compiled a couple years ago.
i.imgur.com/FiYhbkk.jpg: madaidan being very 4chan-y in terms of blaming the computer language for problems in particular software code (in this case Linux kernel), while dismissing everything when it comes to Windows. His blog page about Linux is a massive piece of “toilet paper” repeatedly debunked at this point. If you think the phrase “toilet paper” is mine, come, have a look.
TL;DR his blog has been dismissed enough at this point to consider it nothing more than digital rag. Security zealots are dangerous to the FOSS community, like Brad Spengler/grsecurity, madaidan, GrapheneOS and so on. You can identify them as Big Tech security evangelists trying to shit on FOSS with arguments I would say do not end up being very intelligent and academic, and more reactionary and flaky.
Also a little note on security. You do not need security as much as you need privacy, freedom and anonymity. Security is variable; it only buys you time against an attacker, and it is the lowest priority among these four things in computing.
Probably to play games, access the internet and maybe do their homework. Most probably, they don’t use Windows because they specifically enjoy working with Windows, but because it easily lets them do whatever they actually want to do on a PC.
Spending 5h on fixing some weird incompatibility between the Nvidia GPU, your DE and Proton might be fun for some, but it’s most probably not what your kid wants to do when they could be gaming or doing whatever they actually want to do. Problems like that can scare them off quickly.
So first set up the PC so that everything they usually do on Windows works without issues.
The next question is, why would your kid want to run Linux instead of Windows?
The usual advantages (FOSS, free to use, better for developers) don’t really matter to most kids. The only things I can think of right now are:
Runs on PCs that aren’t Win11 compatible
Some games like Minecraft run faster (but some games also run slower)
With the setup completed and advantages thought of, you can let the kid use Linux quite similarly to Windows. When the kid wants new software or has an issue, work together with them to get everything running. First do everything and let them watch, later let them do more and more of the process.
Wayland is Wayland. If you use a Wayland compositor, you’re getting a lot of security by virtue of design alone. Things like keyloggers and screen recorders will not be able to intrude on your session barring vulnerability exploits. I’m not going to touch on the relative vulnerability risk of each environment since a) they’re all relatively new & b) I’ve never implemented Wayland myself.
With that being said, here’s what’s not protected by Wayland regardless of the chosen compositor: microphones, webcams, keyrings, and files.
For microphones & webcams, any distro which rolls Pipewire in combination with Wayland will be sufficient to secure these. Pretty much all Wayland environments roll Pipewire so this is only important to consider if you’re running your own customized environment (be sure to disable any pre-existing PulseAudio daemon after setting up Pipewire to close this security hole)
For keyrings, these are handled by your environment’s polkit implementation. Much like Wayland, there are several implementations of polkit and they’re all just about equally secure barring any potential vulnerabilities… Just make sure that you’re using an encrypted database (usually on by default) and that you have it configured to always relock & properly prompt for the unlock key.
For file access, this is actually a core problem with Linux as a whole – any unsandboxed application you run will be able to read any file that you can read. The solution is to use sandboxed applications whenever possible. The easiest way to achieve this is through using flathub/flatpak applications, since they will always list out and enforce their required permissions on a per-application basis. For non-flatpak applications, you’ll need to use “jail” environments (e.g.: bubblejail, firejail) in order to artificially restrict application permissions by hand.
Could you provide some criteria for what you’re looking for in the way of security? Wayland is far better for security than Xorg, but it’s hard to say how much it varies between wayland compositors. I can’t imagine it would matter too much, but depending on how much security you’re looking for, choosing more minimal software is probably better. Rust can be better for security but I’m not entirely sure how much can really get compromised through poor memory management in a window manager.
Seems like you’re annoyed that I pointed out that what you were saying was irrelevant? And so you reply with more irrelevant crap (on a very nerdy, not-fun-at-parties internet forum for Linux discussion)? Let me know if I got that wrong.
If you’re doing it for the memes then you don’t really need to worry about malware. Your machine is probably too old for anything that’s still floating out there to even work on it.
Many people browse 4-5 pages a day, see a few emails, print a few PDFs, and a Core 2 Duo, or X4, for 40#/$/Eu a box runs flawlessly with Linux and XFCE/LXDE, for example.
Even video-conferencing works fine.
Driver code is still there; you can add it back if you want, same with IDE drivers and such. Support was removed but the code still exists; just add it and compile your own kernel. There are a lot of tutorials on the internet about it.
The drivers were removed in 6.3. Debian 12 is still running on 6.1. Debian 12 just came out and still has many years of support ahead of it (at least 5). You can get plenty of use out of these cards before they stop working.
Someone needs to maintain them for them to keep working. Nobody else is willing to do that anymore, but you can still volunteer as a maintainer. If you don’t, it’s as much your fault as anyone else’s.
I mean, if it was accidental then… Just turn it off and boot back into Linux? You realise you can just turn it off while it’s downloading updates, right? Heck, you can even pause updates long term if you want! 😱 Crazy!
I never said to do it while it’s in the middle of changing stuff, but if you just booted you can turn it off and nothing will happen, because worst case it will just be downloading without installing. As someone else mentioned, once updates are installed you can even turn off without applying them if you want, and you can also tell it to only download and not install unless you tell it to, or not download at all.
If you're going that way, Windows is not going to suddenly start updating when you simply boot it. You have to willingly click "Update and Shutdown/Restart" instead of "Shutdown/Restart", assuming your computer even finished downloading the update.
I have a Windows 10 partition on a second machine. I have disabled automatic updates in the options and I never click “Update at restart” or anything. Yet, whenever I need to boot into Windows it decides to automatically start updating itself.
I guess that I use it infrequently so there are always updates available, but it shouldn’t force them on me when I’ve specifically disabled them.
Also, when you choose either of the update or restart/shutdown options, it actually tries to restart, (for me) always boots back into linux because that’s my default. When I’d eventually boot back into Windows, it just continues installing the update I’d long forgotten about.
Honestly, this used to be the case, but the past couple of years Lenovo is going back to their old ways of sub-par upgradability, and sub-sub-par support across models for Linux. I believe the P-series is the current most compatible line.
You might want to consider getting a slightly older refurb you KNOW is very compatible versus a newer one, because it’s a crapshoot. Make sure to avoid any models with soldered memory (they specify on their site), and if you’re buying a modern AMD model, do some research and make sure they haven’t crippled any features in the BIOS.
If you’re not completely sold on Lenovo, look at getting a Framework laptop. It’s the most upgradable and repairable laptop of any kind out there. They also just started an outlet online store where they are selling last-gen models at deep discounts that you could upgrade to current gen when the time comes.
Hey thanks, this outlet store thing may be just what I need! I wanted a framework but didn’t want to take out a second mortgage on my house! Lol that’s why I was considering Lenovo, black friday deals that I assume aren’t going to be on frameworks (but I’m still gonna check fri/mon) but are on the lenovos.
Correct. In the mission statement, Framework says they won’t be doing random sales, and prefer to keep prices consistent so customers know they are always getting the lowest price. I’m signed up for an AMD 16", but those outlet prices are crazy good, so I bought one of the 13" Intels as well to play with 😂
Try an ls -l $(which nano) and look at the permissions section of the output.
Most files only have hyphens, r’s, w’s, and x’s. (Like -rwxr-xr-x or some such.)
Particularly if there’s an “s” in the output (it’ll be in place of an “x”), that could explain what’s going on.
Basically, that “s” means “when a user runs me, run me as root even if the user running me isn’t root.” It’s useful on programs like “su” and “sudo” which let you run a command that (after authentication) do things as root.
But if that flag is set on nano, that’s pretty weird.
Maybe try alias nano and LC_ALL=C type nano. Those test whether you have an alias or function named “nano” in bash that might be being run instead of /usr/bin/nano.
Oh, also, whoami and id. Maybe there’s something weird with how you’re logged in and despite not having the username “root” you’re still uid 1 or something strange like that?
Oh! Also maybe while you’ve got nano running, do a ps aux | grep nano and see which user is reported to own that process.
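To make the checks in the post above concrete, here is an added shell example (not from the original post) that reproduces the situation on a scratch file: it creates a throwaway script, flips the setuid bit on it the way a misconfigured nano would have it, and then inspects the mode string with ls -l and the shell's own -u test, and reports the owner and the caller's effective uid with id. The file name fake-nano and the temporary directory are constructed for the demonstration; nothing here touches the real /usr/bin/nano.

```shell
#!/bin/sh
# Added example: a small audit of the setuid bit, in the spirit of the
# "look for an s in ls -l" advice above. Not from the original post.

# Print the permission column of ls -l for a path (e.g. -rwsr-xr-x).
mode_string() {
    ls -ld "$1" | cut -d' ' -f1
}

# The owner-execute slot is character 4 of the mode string. "s" there means
# setuid plus execute; "S" means setuid without execute (still worth a look).
has_setuid_in_mode() {
    case "$(mode_string "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# The same question asked through the shell's -u test, which checks the
# inode directly instead of parsing ls output.
is_setuid() {
    [ -u "$1" ]
}

# Owner of the file: a setuid program runs as its *owner*, so this is only
# "run as root" when the owner is root.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Effective uid of the shell that would launch the program.
effective_uid() {
    id -u
}

# Build the scratch scenario: a harmless script owned by the caller, with
# normal 755 permissions. Prints the directory so the caller can clean up.
make_scenario() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "running as $(id -un)"\n' > "$d/fake-nano"
    chmod 755 "$d/fake-nano"
    echo "$d"
}

# Walk through the before/after picture and print what the post asks for.
demo() {
    dir=$(make_scenario)
    f="$dir/fake-nano"
    echo "before: $(mode_string "$f") owner=$(owner_of "$f")"
    chmod u+s "$f"
    echo "after:  $(mode_string "$f") owner=$(owner_of "$f")"
    if is_setuid "$f"; then
        echo "setuid is set: it would run as $(owner_of "$f"), not as uid $(effective_uid)"
    fi
    rm -rf "$dir"
}

demo
```

Run against the real binary with `mode_string /usr/bin/nano` and `owner_of /usr/bin/nano`: an `s` in the fourth column together with owner `root` is the only combination that makes nano run as root. A `T`/`t` in the last column is the sticky bit, not setuid, and is normal on directories like /tmp.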
Alright, first one returned me “bash: alias: nano: not found”. Second one, “nano is hashed (/usr/bin/nano)”. Third one, my sudoer username. And the fourth one shows my sudoer username at the top of the list, with both uid and gid at 1000.
And I honestly can’t really think of much to add, other than the username in the docker image being completely nonexistent (It’s just a bunch of numbers, and it doesn’t even have a name). I don’t know, maybe someone managed to breach the container and gave this “nonexistent user” root privileges but hasn’t managed to do much or something like that. I’m not that much of a tech savvy, but I guess it doesn’t hurt to try to guess something. Maybe there is something inside the container? Idk, I’m gonna (try to) check it out (It’s a “distroless” image – it doesn’t even have a shell in it.).
It returns that while you have nano running? If so, maybe try ps aux (without the grep part) and just look through until you find “nano” listed. Just to make sure whether it’s running as root or your non-root user.
(And just to be clear, “my sudoer username” means the non-root user that you’re running nano as, right?)
Just a gut feeling, but it feels to me so far like this probably isn’t a hack or security thing. But of course, once the (no pun intended) root issue is found, that’ll provide more info.
No. ps aux remains the same. And yes, “My sudoer username” is my non-root user with sudo privileges. Therefore, the “sudoer”.
And I’m not really “pulling my hair out” because of this, honestly – just curious if this can be mentioned as a hack, a hack attempt, or whatevertheheck. Because this is the first time in my entire life that this happened with me, so yep.
Could I set that for Docker? I often forget to run docker-compose as sudo and it can’t be used without sudo, so it’s a bit silly to always have to prepend sudo there. This magical “s” you describe could solve that.
And, of course, because I want to learn: why is this a really bad idea?
If you can’t run docker-compose without sudo, there’s something wrong with your setup. The specifics would be specific to your distro, but most likely there’s a user group you could add your user to with sudo gpasswd -a user group to make the docker run and docker-compose commands work without sudo. (Might have to log out and back in as well to make it take effect if you’ve run that command during the current session.) To find the name of the group, you’ll probably have to do some research about your distro in particular. On Arch (insert hate here ;) ), I think the docker group does that, and it’s not unlikely that the equivalent group for your distro has the same name.
The “magical s” (called the “SUID bit”) shouldn’t be required to be able to run docker run and/or docker-compose without sudo. Theoretically if you did want to do that, you could do it with sudo chmod u+s /usr/bin/docker. But again it’s probably better to just add yourself to the proper group (or otherwise take the correct steps for your distro.)
But also, running docker-compose (or the docker run command more directly) without sudo won’t necessarily make things inside the docker container run as your user. Making it do so is a little complex, actually, but I’ll go through it here.
So, most Docker images that you’d get from Docker Hub or whatever usually run by default as root. If you do something like docker run -v /path/to/some/directory/on/your/host:/dir -it python 'touch /dir/foo', even if you’ve got your groups set up to be able to run docker run without sudo, it’ll create a file on your host named “foo” owned by root. Why? Because inside the container, the touch /dir/foo command ran as root.
Honestly, I’d be thrilled if Docker had ways to tell it to be smarter about that kind of thing. Something that could make Docker create the file on the host owned by your user rather than root even if inside the container, the command that creates the file runs under the user in the Docker container that is root/uid 1.
But that’s not how it works. If root inside the container creates the file, the host sees it as owned by root, which makes things a little more of a pain. C’est la vie.
Now, this is a bit of an aside, but it helped me understand so I’ll go ahead and include it. It seems like a command run by your user (assuming you’ve got your groups set up correctly) shouldn’t be able to create a file owned by root, right? If without sudo you try to chown root:root some_file.txt, it’ll tell you permission denied. And it’s not the chown command that’s denying you permission. It’s the Linux kernel telling the chown command that that’s not allowed. So how can it be that the docker run command can create files owned by root when docker run wasn’t run by root, but rather by a more restricted user?
Docker has a daemon (called dockerd) that by default runs all the time as root, waiting for the docker command to direct it to do something. The docker run command doesn’t actually run the container. It talks to the daemon which is running as root and tells the daemon to start a container. Since it’s the daemon actually running the container and the daemon is running as root, commands inside the container are able to create files owned by root even if the docker run command is run by your own user.
If you’re wondering, yes this is a security concern. Consider a command like docker run -it -v /etc:/dir/etc alpine vi /dir/etc/sensitive/file. That command, theoretically, could for instance allow a non-root user to change the host’s root password.
How do you get around that? Well, there are ways to go about running the Docker daemon as a non-root user that I haven’t really looked into.
Another concern is if, for instance, you’ve got a web service running as root inside a Docker container with a bind volume to the host and the web app has, for instance, a shell injection vulnerability wherein a user could cause a command to run as root inside the docker container which could affect sensitive files outside. To mitigate that issue, you could either not bind mount to the host filesystem at all or run the web service in the Docker container as a different user.
And there are several ways to go about running a process in Docker as a non-root user.
First, some Docker images will already be configured to ensure that what is run inside the container runs as non-root. (When making a Docker image, you specify that by having a USER directive in the Dockerfile.) Usually if things are done that way, the user will also be present in the relevant files in /etc in the image. But as I mentioned earlier, that’s usually not the case for images on Docker Hub.
Next, if you’re using docker-compose, there’s a “user” option for setting the user.
Another way to do this is with the -u argument on the docker run command. Something like docker run -u 1000 -it alpine /bin/sh will give you a shell process owned by the user with id 1000.
Another way is to create the user and su to that user as part of the command passed to docker run. I’ve been known sometimes to do things like:
docker run \
  -it \
  alpine \
  sh -c 'adduser tootsweet ; su tootsweet -c /bin/sh'
The only other thing I can think to mention. Sometimes you want not just to run something in a Docker container not as root but in fact to run it as a user id that matches the user id of a particular user on the host. For instance so that files written to a bind volume end up being owned by the desired user so we can work with the files on the host. I honestly haven’t found the best way to deal with that. Mostly I’ve been dealing with that situation with the last method above. The useradd command allows you to add a user with a specific user id. But that’s problematic if the needed uid is already taken by a user in the container. So, so far I’ve kindof just been lucky on that score.
Hopefully that all helps!
Edit: P.S. apparently the way lemmy.world is set up, you can’t mention certain standard *nix file paths such as / e t c / p a s s w d in posts. The post just isn’t accepted. The “reply” button grays out and the loading graphic spins forever with no error message and the post doesn’t get saved. I’m sure this is a misguided attempt at a security measure, but it definitely affects our ability to communicate about standard Linux kind of stuff.
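The uid-matching problem described at the end of the comment above has a simpler answer than creating a user inside the container: pass the host user's numeric uid and gid with -u, which needs no passwd entry in the image at all. The following is an added shell example, not part of the original comment and not Docker's own tooling. It builds (but does not by itself execute) the docker run command line, and, picking up the /etc warning from the same comment, refuses to bind-mount a handful of host paths whose exposure to a root-run daemon hands out root on the host. The docker flags used (--rm, -it, -u, -v, -w) are the standard ones; the list of refused paths and the /work mount point are illustrative choices for this example.

```shell
#!/bin/sh
# Added example: run a container as the invoking host user so files it writes
# to a bind mount come back owned by that user, not by root. Not from the
# original comment; the refused-path list below is an illustrative choice.

# Host paths that should never be bind-mounted into a container started by a
# non-root user: with dockerd running as root, exposing them is equivalent
# to giving that user root on the host (the /etc example in the comment).
bind_is_unsafe() {
    case "$1" in
        /|/etc|/etc/*|/root|/root/*|/proc|/proc/*|/sys|/sys/*|/var/run/docker.sock)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print (do not run) the docker command: image, host directory, uid, gid.
# "-u uid:gid" is purely numeric, so the container needs no matching entry
# in its /etc/passwd and the "that uid is already taken inside the image"
# problem does not arise. Host directory must not contain spaces here.
build_docker_cmd() {
    image=$1 hostdir=$2 uid=$3 gid=$4
    if bind_is_unsafe "$hostdir"; then
        echo "refusing to bind-mount $hostdir into a container" >&2
        return 1
    fi
    case "$uid:$gid" in
        *[!0-9:]*|*:*:*|:*|*:)
            echo "uid and gid must be numeric, got '$uid:$gid'" >&2
            return 1 ;;
    esac
    printf 'docker run --rm -it -u %s:%s -v %s:/work -w /work %s\n' \
        "$uid" "$gid" "$hostdir" "$image"
}

# Actually run the image as the caller's own uid:gid with "$2" at /work.
run_as_me() {
    cmd=$(build_docker_cmd "$1" "$2" "$(id -u)" "$(id -g)") || return 1
    echo "+ $cmd" >&2
    $cmd
}

# Example invocation (prints the command only):
build_docker_cmd alpine "$HOME/project" "$(id -u)" "$(id -g)"
```

Two caveats worth knowing before relying on this. A process started with a uid that has no passwd entry gets `HOME=/` and a prompt like "I have no name!"; tools that insist on a writable home need `-e HOME=/work` or similar. And the path filter protects you from your own typos, not from another member of the docker group: anyone who can talk to a root-run dockerd can bypass the wrapper by calling docker directly, so membership in that group is root-equivalent, and the real fix for that is rootless Docker or not granting the group at all.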
PopOS is definitely a great first choice distribution. I would recommend Linux Mint over it for people coming from Windows who want something rock solid with a great community.
After trying Linux repeatedly for some 20 years and always returning to Windows for various reasons, Pop! OS finally seems like a Linux distribution I can use as a daily driver. The amount of useful and concise documentation is great, my hardware is all supported and automatically configured, i.e. I don’t have to mess around with obscure config files to get either audio or wifi working, it works on first boot.
As someone who has written client code targeting X11, it’s indeed quite unfortunate that, to properly target Wayland, it’d need to all be replaced, but… good riddance. Working with X11 was fucking hell. X11 has so much broken/unreasonable garbage in, like, most places. Working with X11 has been, by far, my worst programming experience.
This is not to say that Wayland is automatically better at everything (I haven’t looked into it much, and the server-side decoration problem is indeed a problem) but it’d be damn hard to be worse than X11 or be anywhere close to it.
Yeah, I’ve seen libdecor as a solution, but it still feels quite off to have pretty much every wayland client have a whole dependency for such a trivial thing.
Yes, the client is supposed to manage the client content, but the obvious question then is whether the window decorations are part of its content. In some cases (stuff merged into the decorations) it can definitely be the case, but, for most things I’d say the decorations are as much a part of the client content as the apps entry in the taskbar (both contain the title of the app, potentially the icon, options to close/maximize/minimize). The only difference is that decorations always appear immediately above a window, but even that isn’t really a fundamental part.
I have noticed that one of the groups that does not seem to be complaining about Wayland are the toolkit folks. GTK added support back in GTK3. Qt added it. Enlightenment added it. They must have jumped on it for a reason.
When you look at the Wayland readiness docs for things like XFCE, it stands out that all the apps are already ready ( because they are GTK based in this case ).
Looked into some more things, and… base Wayland does seem to continue the trend of “lol no, not allowing you to do a basic thing, because surely no one has a good reason to” more – no custom positioning of windows (remembering custom window positions on reopen, window moving segments of Rhythm Doctor), cursor wrapping (amazing to use in Blender, wish more things did it, it feels so much better to use than the cursor being temporarily frozen in place or moving freely through everything).
At least there’s still the chance for extensions (wayland.app/…/pointer-constraints-unstable-v1 plus wayland.app/…/relative-pointer-unstable-v1 I think provide the ability to set the cursor position on wrapping and have that not interrupt the stream of relative position changes) but with things not being in base wayland it means that apps can’t just assume basic features on linux wayland which they can everywhere else (windows, mac, X11) unless they just choose to ignore hypothetical WMs which refuse to implement them.
I believe I also have a situation where ydotool wouldn’t be sufficient too - namely, having scrcpy open in the background and sending it keypresses to play/pause/change volume of the content on my phone from global keypresses (which trigger a shell script that chooses to either forward the presses to scrcpy, or if it’s not open, do some hacks to do what they would have done if not intercepted).