Linux News
Zorin OS 17 Beta Released With Quick Settings, Spatial Desktop & More
Today, the Zorin OS team announced the general availability for public testing of the beta version of the upcoming Zorin OS 17 release, which promises new and exciting features.
The post Zorin OS 17 Beta Released With Quick Settings, Spatial Desktop & More appeared first on Linux Today.
Categories: General News
The "user" namespace headache
So, I know there are sharper heads than mine in here, and I've hit somewhat of a conundrum in regard to the "user" namespace. The more I look into this "user" namespace, the less of a good idea I think it is overall and in general. I could of course be wrong, lack some information or overcomplicate things.
The issue with the user namespace pops up in regards to containers, and I'm starting to wonder if it is a bad idea. So, the "user" namespace allows a regular user to pretend to be root inside a container, and set up a kind of virtual root, inside a user. This root however is not as virtual as one might think, it is done with "capabilities" (sys_admin_cap to be specific), which basically allows the user to make what could be thought of as root system calls. To be able to pretend to be root in a container, the user needs these system calls (capabilities).
This also gives the user actual root capabilities through the user namespace in that environment. If the "root" of that environment (any user environment called with unshare user??) is then able to break out of that environment, you now have a user account with root privileges (capabilities/calls)! Normally the user account has none of these capabilities and can't make any of these calls. That's one of the main distinctions between a user account and a root account.
There have been plenty of security issues with this already, and it is written about extensively if you search online for "linux user namespace" or "user namespace security" or such search phrases.
In the end it seems like a very bad idea to me to give a user root capabilities like this, even just to delegate them to a user indirectly. Some security researchers (including grsecurity) already recommend compiling the kernel without the user namespace altogether, due to the possible security implications. This is even making me think that I should just not take such an interest in containers anymore and just stick with virtual machines.
So, I'd be interested in hearing what thoughts or knowledge others have about this topic. I know I could have asked it on a general forum, but I like the sharpness of the heads of the people here, and I only use Slackware currently anyways.
Ps. This all hit the forefront of my awareness when I today noticed that Firefox uses the user namespace for its sandboxing.
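As an added illustration of the capability point raised in the post above (my own script, not part of the original thread): it decodes the CapEff mask that /proc/<pid>/status reports, checks the host sysctls that gate unprivileged user namespaces, and runs `unshare -Ur` only as a guarded demonstration so a regular user can compare the effective capability set outside and inside the namespace.

```shell
#!/bin/sh
# Added example, not from the forum post. Decodes a CapEff mask as shown in
# /proc/<pid>/status and reports the host's user-namespace policy.

# Bit numbers from linux/capability.h for a few capabilities of interest.
cap_name() {
  case "$1" in
    0) echo CAP_CHOWN ;;       1) echo CAP_DAC_OVERRIDE ;;
    7) echo CAP_SETUID ;;      12) echo CAP_NET_ADMIN ;;
    16) echo CAP_SYS_MODULE ;; 19) echo CAP_SYS_PTRACE ;;
    21) echo CAP_SYS_ADMIN ;;  *) echo "CAP_$1" ;;
  esac
}

# Number of capability bits set in a hex mask (e.g. 000001ffffffffff -> 41).
cap_count() {
  mask=$((0x${1:-0})); n=0; i=0
  while [ "$i" -lt 64 ]; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && n=$((n + 1))
    i=$((i + 1))
  done
  echo "$n"
}

# "yes" if bit 21 (CAP_SYS_ADMIN) is set in the mask, else "no".
has_sys_admin() {
  [ $(( (0x${1:-0} >> 21) & 1 )) -eq 1 ] && echo yes || echo no
}

# Names of all bits set in the mask, one per line.
cap_list() {
  mask=$((0x${1:-0})); i=0
  while [ "$i" -lt 64 ]; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && cap_name "$i"
    i=$((i + 1))
  done
}

# Host-side check: user.max_user_namespaces (mainline) and
# kernel.unprivileged_userns_clone (Debian/Ubuntu patch) gate userns creation.
userns_policy() {
  for f in /proc/sys/user/max_user_namespaces /proc/sys/kernel/unprivileged_userns_clone; do
    if [ -r "$f" ]; then echo "$f = $(cat "$f")"; else echo "$f = absent"; fi
  done
}

current_capeff() { awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null; }

userns_policy
echo "outside: CapEff=$(current_capeff) sys_admin=$(has_sys_admin "$(current_capeff)")"
if command -v unshare >/dev/null 2>&1; then
  inner=$(unshare -Ur awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null) \
    && echo "inside unshare -Ur: CapEff=$inner sys_admin=$(has_sys_admin "$inner")" \
    || echo "unshare -Ur refused: unprivileged user namespaces are likely disabled"
fi
```

Setting user.max_user_namespaces to 0 (or unprivileged_userns_clone to 0 where that knob exists) makes the guarded `unshare -Ur` step fail, which is the mitigation the post alludes to short of rebuilding the kernel without CONFIG_USER_NS.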
Categories: Software and Help
KDE Plasma 6 Unwrapped: 6 Features to Elevate Your Experience
KDE Plasma 6 sounds impressive. With a major version bump, users should expect major changes that improve the out-of-the-box user experience.
The post KDE Plasma 6 Unwrapped: 6 Features to Elevate Your Experience appeared first on Linux Today.
Categories: General News
LXer: ASUSTOR Data Master Operating System (ADM OS) v4.2.5 Review
Published at LXer:
The ASUSTOR Data Master Operating System (ADM for short) is a Linux-based operating system developed by ASUSTOR exclusively for their NAS servers. I'm reviewing version 4.2.5, the latest release.
Categories: Software and Help
ASUSTOR Data Master Operating System (ADM OS) v4.2.5 Review
The ASUSTOR Data Master Operating System (ADM for short) is a Linux-based operating system developed by ASUSTOR exclusively for their NAS servers. I’m reviewing version 4.2.5, the latest release.
Categories: General News
Copy only the fill space using DD
Hello,
I have a 1TB hard drive that is only 512GB full. I want to clone only the filled spaces using DD tool. Is it possible?
Thank you.
Categories: Software and Help
systemd: why or why not: a video overview
Systemd has a lot to like, nicely explained here in 16 minutes.
Categories: Software and Help
Who used D programming language?
Hello,
Is there anyone here who has used D programming language? What are the advantages and disadvantages of this language?
Thank you.
Categories: Software and Help
SSH as VPN
Hello,
Can SSH be used as a VPN to tunnel connections? I know it can be done using something like below:
Code:
    ssh -L PORT:Local_IP:PORT User_Name@Remote_IP -p PORT -N
Or:
Code:
    ssh -D 8080 Remote_Host
but my question is why someone prefers OpenVPN or other solutions? Is it because of the capabilities of other solutions?
Thank you.
Categories: Software and Help
LXer: A Web Application Firewall for Nginx
Published at LXer:
Find out how to configure a web application firewall (WAF) for Nginx on Fedora Linux 39.
Categories: Software and Help
A Web Application Firewall for Nginx
Find out how to configure a web application firewall (WAF) for Nginx on Fedora Linux 39.
Categories: General News
[SOLVED] kernel-6.1.65 crashing
Slack64-current fully updated. I have been using the stable kernel 6.1.6x versions (huge config) and they have been rock solid. When I upgraded from 6.1.63 to 6.1.64 my system started suddenly stopping (turned completely off - black screen, no fans or anything). I checked my .config file against the one issued in the official release and found differences, so I rebuilt 6.1.64 with the proper .config file and it is rock solid. Problems started with 6.1.65. The .config file is the official 6.1.65 .config file but the sudden turning off is now worse. Occasionally it will reboot but usually suddenly turns completely off. Can't spot anything in log files (/var/log/messages or dmesg) at all to offer a clue to the problem.
Move back to 6.1.64 and everything is perfectly stable. Haven't found anything similar in searching. Any ideas or where to look???
Categories: Software and Help
LXer: Cinnamon 6 Desktop: Best New Features
Published at LXer:
A new release of the Cinnamon 6 desktop environment is now available with experimental Wayland support.
Categories: Software and Help
Cinnamon 6 Desktop: Best New Features
A new release of the Cinnamon 6 desktop environment is now available with experimental Wayland support.
Categories: General News
LXer: Linus Torvalds flags holiday-mode changes to next kernel merge window
Published at LXer:
Penguin emperor ponders whether kernel contributors will code across the festive season, or humbug it. 'Twas the night before Christmas and all through the house, not a coder was stirring, not even their mouse.…
Categories: Software and Help
Linus Torvalds flags holiday-mode changes to next kernel merge window
Penguin emperor ponders whether kernel contributors will code across the festive season, or humbug it. 'Twas the night before Christmas and all through the house, not a coder was stirring, not even their mouse.…
Categories: General News
LXer: 9to5Linux Weekly Roundup: December 3rd, 2023
Published at LXer:
The 165th installment of the 9to5Linux Weekly Roundup is here for the week ending on December 3rd, 2023, keeping you guys up to date with the most important things happening in the Linux world.
Categories: Software and Help
9to5Linux Weekly Roundup: December 3rd, 2023
The 165th installment of the 9to5Linux Weekly Roundup is here for the week ending on December 3rd, 2023, keeping you guys up to date with the most important things happening in the Linux world.
Categories: General News
next-20231205: linux-next
Version:next-20231205 (linux-next)
Released:2023-12-05
Categories: Linux Kernel
Bluetooth loopback devices. Getting control of DRM
On android:
1) can't screenshot my AI app. I have to use another phone and take a picture.
2) Many apps block seedvault backup, so I have to rely on other ways to do that
3) I can't record the sound without using an external bluetooth loop back device. I can't find where to buy those mobizen headphones anymore.
On my Mac:
1) I can't record the sound easily. For whatever reason, I can't get the aggregate soundflower device to work
For these issues, I could connect to an external bluetooth device that routes the output back as an input for recording.
I'm interested in these manual methods of recording, and sick of the cat and mouse controls. What can I search for to find various approaches to think, such as building a quiet box for recording etc. What is this approach even called?
Categories: Software and Help