There does exist a tool that does it. The creator posted about it on the fediverse. It only supported ubuntu at the time but looked extremely promising.
I cannot remember it’s name. :/
Maybe it’s linixify? But I remember seeing a post on lemmy with a youtube demo?
unless the SSD stopped working but then it is reasonable to expect it would no accept partitioning
This happened to me. It still showed up in kde’s partition manager (when I plugged the ssd into another computer), with the drive named as an error code.
The creator of this software streams on twitch, using the “linux” tag which I follow around. I think she uses debian stable or unstable last time I was on the stream. She also has an owncast, which is like an open source self hosted twitch.
https://expiredpopsicle.com/about.html
I really enjoy when people dogfood software.
My recommendation is meetup and a website for advertising purposes. Meetup is frustrating, yes, but at the same time it’s where I have found almost all the linux and tech groups near me.
I’ve heard of thumbnails being used to deliver malware.
You’ve heard of critical vulnerabilities in media processing applications that mean that thumbnails can theoretically be used to be spread malware. That is not the same as “this issue was being actively exploited in the wild and used to spread malware before it was found and patched”.
These vulnerabilities, (again, cost money), and are fixed rapidly when found. Yes, disabling thumbnails is more secure. But I am of the belief that average users should not worry about any form of costly zero day in their threat model, because they don’t have sensitive information on their computers that makes them a target.
less distro-dependent like a privilege escalation attack
These also are valuable. Less valuable than browser escapes IMO though.
A keylogger is more likely, and it’s just as possible with sudo as it is with run0. They would replace sudo, run0, doas, etc with a fake command (since that only require access to the user), that either keylogs, or inserts a backdoor while it does the other sudo things.
I’ve heard a fair few times about thumbnailer attacks, but no real detail from KDE about what if any mitigations they have in place.
Please ignore the entire cybersecurity hype news cycle about images being used to spread malware. They often like to intentionally muddy the waters, and not clearly explain the difference between a malformed file being used as a vulnerability to exploit a code execution exploit, and an image file being used as a container for a payload (steganography). The former is a big deal, the latter is a non issue because the image is not the issue, whatever means the malware actually used to get onto the systems is.
Here’s a recent example of me calling this BS out. The clickbait title implies that users got pwned by viewing a malicious image, when in actually it was a malicious extension that did the bad things.
Unless you are using windows media player, the microsoft office suite, or adobe acrobat, code execution from loading a media file is a really big deal and fixed extremely quickly. Just stay updated to dodge these kind of issues.
As for zero days, unknown and unpatched vulnerabilities, again, that’s a different threat model because those exploits cost money to execute. Using an existing known (but fixed in updated versions of apps) is free.
If I uninstall sudo and switch to run0 (
Sudo and run0 are both problematic. Sudo is a setuid binary, which is problematic, but run0 is not much better. It works by making calls to systemd/polkit/dbus, services that constantly run as root, and they themselves expose a massive attack surface. Many privilege escalation CVE’s similar to sudo have been released that exploit that attack surface.
When it comes to actually being secure, systemd somewhat screws you over, due to having a massive attack surface, a way to run things as root, and the interesting decision to have polkit parse and run javascript in order to handle authorization logic (parsing is a nightmare to do securely).
The other thing, is that the browser sandbox is much, much stronger than the separation of privileges between users in Linux. Browser sandbox escapes (because they work the same on windows or Linux) are worth immense amounts of cash, and are the kinds of exploits that are used in targeted manners against people who have information on their computer worth that much. If you don’t have information worth millions of dollars on your computer, you shouldn’t worry about browser sandbox escape exploits.
The reality is that any attacker who is willing and able to pierce through a browser sandbox, will probably also have a Linux privilege escalation vulnerability on hand. In my opinion, trying to add more layers to security is pointless unless you are adding stronger layers. If your attacker has a stronger “spear”, it doesn’t matter how many weak “shields” you try to put in front to stop it.
If the million dollar industry of browser escapes is in your threat model, I recommend checking out the way that Openbsd’s sandboxing interacts with chromium. Or check out google’s gvisor sandbox and see if you can run a browser in there.
Late reply but I also recommend going through flathub for screenwriting apps if you want more. I saw some options that looked pretty good, although many were proprietary.
Proxmox is based on debian, with it’s own virtualization packages and system services that do something very similar to what libvirt does.
Libvirr + virt manager also uses qemu kvm as it’s underlying virtual machine software, meaning performance will be identical.
Although perhaps there will be a tiny difference due to libvirt’s use of the more performant spice for graphics vs proxmox’s novnc but it doesn’t really matter.
The true minimal setup is to just use qemu kvm directly, but the virtual machine performance will be the same as libvirt, in exchange for a very small reduction in overhead.
Idk what to tell you. I linked to sources showing that flathub signs everything, and that flatpak refuses to install unsigned packages by default.
If you have anything contrary feel free to link it.
Also you multi replied to this comment. Sometimes I had this issue with eternity.
From flahubs docs: https://docs.flathub.org/blog/app-safety-layered-approach-source-to-user#reproducibility--auditability
The build itself is signed by Flathub’s key, and Flatpak/OSTree verify these signatures when installing and updating apps.
This does not seem to be optional or up to the control of each developer or publisher who is using the flathub repos.
Of course, unless you mean packages via flatpak in general?
Hmmm, this is where my research leads me.
https://docs.flatpak.org/en/latest/flatpak-builder.html#signing
Though it generally isn’t recommended, it is possible not to use GPG verification. In this case, the --no-gpg-verify option should be used when adding the repository. Note that it is necessary to become root in order to update a repository that does not have GPG verification enabled.
Going further, I found a relevant github issue where a user is encountering an issue where flatpak is refusing to install a package that is not signed, and the user is asking for a cli flag to bypass this block.
I don’t really see how this is any different from apt refusing to install unsigned packages by default but allowing a command line flag (--allow-unauthenticated) as an escape hatch.
To be really pedantic, apt key signing is also optional, it’s just that apt is configured to refuse to install unsigned packages by default. So therefor all major repos sign their packages with GPG keys. Flatpak appears to follow this exact same model.
This is not true. Flatpaks from flathub are signed with a gpg key.
Now admittedly, they use a single release key for all their signing, which is much weaker than the traditional distro’s model of having multiple package maintainers sign off on a release.
But the packages are signed.
Edit: snaps are signed in a similar way.
sandboxing is not the best practice on Linux… So I’m better off with Qubes than with Secureblue
No, no, no.
It’s no that sandboxing is the best practice, it’s just that attempting to “stack” linux sandboxes is mostly ineffective. If I run kvm inside xen, I get more security. If I run a linux container inside a linux container, I only get the benefit of one layer. But linux sandboxes are good practice.
I do agree that secureblue sucks, but I don’t understand your focus on Qubes. To elaborate on my criticisms let me explain, with a reply to this comment:
Many CVE’s for Xen were discovered and patched by the Qubes folks, so that’s a good thing…
If really, really care about security, it’s not enough to “find and patch CVE’s”. The architecture of the software must be organized in such a way that certain classes of vulnerabilities are impossible — so no CVE’s exist in the first place. Having a lack of separation between different privilege levels turns a normal bug into a critical security issue.
Xen having so many CVE’s shows that is has some clear architectural flaws, and that despite technically being a “microkernel”, the isolation between the components is not enough to prevent privilege isolation flaws.
Gvisor having very few CVE’s over it’s lifespan shows it has a better architecture. Same for OpenBSD — despite having a “monolithic” kernel, I would trust openbsd more in many cases (will elaborate later).
Now, let’s talk about threat model. Personally, I don’t really understand your fears in this thread. You visited a site, got literally jumpscared (not even phised), and are now looking at qubes? No actual exploit was done.
You need to understand that the sandboxing that browsers use is one of the most advanced in existence currently. Browser escapes are mostly impossible… mostly.
In addition, you need to know that excluding openbsd, gvisor, and a few other projects almost all other projects will have a regular outpouring of CVE’s at varying rates, depending on how well they are architectured.
Xen is one of those projects. Linux is one of those projects. Your browser is one of those projects. Although I consider Linux a tier below in security, I consider Xen and browsers to exist at a similar tier of security.
What I’m trying to say, is that any organization/entity that is keeping a browser sandbox escape, will most definitely have a Linux privilege escalation vulnerability, and will probably also have a Xen escape and escalation vulnerability.
The qube with the browser might get compromised, but dom0 would stay safely offline, that’s my ideal, not the utopic notion of never possibly getting attacked and hacked.
This is just false. Anybody who is able to do the very difficult task of compromising you through the browser will probably also be able to punch through Xen.
not the utopic notion of never possibly getting attacked and hacked.
This is true actually. Browser exploits are worth millions or even tens of millions of dollars. And they can only really be used a few times before someone catches them and reports them so that they are patched.
Why would someone spend tens of millions of dollars to compromise you? Do you have information worth millions of dollars on your computer? It’s not a “utopic notion”, it’s being realistic.
If you want maximum browser security, disable javascript use chromium on openbsd. Chromium has slightly stronger sandboxing than firefox, although chromium mostly outputs CVE’s at the same rate as firefox. Where it really shines, is when combined with Openbsd’s sandboxing (or grapheneos’ for phones).
Sure, you can run Xen under that setup. But there will be no benefit, you already have a stronger layer in front of Xen.
TLDR: Your entire security setup is only actually as strong as your strongest layer/shield. Adding more layers doesn’t really offer a benefit. But trying to add stronger layers is a waste of your time because you aren’t a target.
to answer your first question, kind of. Gvisor (by google btw) uses the linux kernels sandboxing to sandbox the gvisor process itself.
Distrobox also uses the linux kernels sandboxing, which is how linux based containers work.
Due to issues with the attack surface of the linux’s kernels sandboxing components, the ability to create sandboxing or containers inside sandboxes or containers is usually restricted.
What this means is that to use gvisor inside docker/podman (distrobox) you must either loosen the (kinda nonexistent) distrobox sandbox, or you must disable gvisors sandboxing that it applies to itself. You lose the benefit, and you would be better off just using gvisor alone.
It’s complicated, but basically the linux’s kernels containers/sandboxing features can’t really be “stacked”.
Check out turbowarp, an ultra fast reimplementation of scratch.
I’ve seen games that only worked in turbowarp.
Custom editors are probably needed.
Kde’s spectacle (screenshot utility) does this by default now.
Syd3, and gvisor, a similar project in go aren’t really sandboxes but instead user mode emulation of the linux kernel. I consider them more secure than virtual machines because code that programs run is not directly executed on your cpu.
Although syd3 doesn’t seem to emulate every syscall, only some, I know rhat gvisor does emulate every syscall.
If you compare CVE’s for gvisor and CVE’s for xen/kvm, you’ll see that they are worlds apart.
Xen has 25 pages: https://app.opencve.io/cve/?vendor=xen
Gvisor has 1: https://app.opencve.io/cve/?q=gvisor
Now, gvisor is a much newer product, but it is still a full 7 years old compared to xen’s 22 years of history. For something that is a third of the age, it has 1/25th of the cve’s.
There is a very real argument to be made that the hardened openbsd kernel, when combined with openbsd’s sandboxing, is more secure than xen, which you brought up.
Actually, modern kali is a lot more usable than the older kali. Kali used to only have a root user, so chromium and electron apps wouldn’t start since they don’t run as root.
Despite this, nowadays I generally recommend new people away from kali, because I believe the process of installing the tools that kali provides on other distros is a valuable learning experience.
Kali is great for the professional, but but learners I prefer they get to experience the package manager or other aspects of system management.
For maintenance I would recommend a ticketing system instead of forgejo:
https://selfh.st/apps/?search=ticket
There are a few options and they probably all work better than a git issue tracker.
Another thing I would recommend is to have centralized accounts via an identity provider. People have one username and password they can use to log into all the services, and you can reset/signup them to all connected services by managing the identity provider app.
There are a few options for this as well but I’m on my phone some imma just list the three that I find most promising for your usecase: kanidm, voidauth, authentik.