|
SamDabbers posted:freebsd jails and solarish zones are a way better container model than namespaces+cgroups+apparmor/selinux that you have to wrangle separately. ffs, with 'jails' the name says it all: incarcerate your processes why why is jails better than namespaces and cgroups hear this all the time, but the reasoning is always that jails and zones are simpler. maybe that's the reason it never took off.
|
#
?
Feb 5, 2018 23:56
|
|
|
|
| # ? Apr 29, 2024 05:56 |
|
|
SamDabbers posted:freebsd jails and solarish zones are a way better container model than namespaces+cgroups+apparmor/selinux that you have to wrangle separately. ffs, with 'jails' the name says it all: incarcerate your processes You still have to wrangle it separately with jails. Jails do not imply/include lomac and an exploit inside a jail can and will root the host. SELinux is a necessity with or without containers, but SELinux parameterization, control groups, and namespacing make it a lot easier to implement something like jail(8) except is actually secure. -- I believe the same is true of Solaris zones, but to be honest, I've never looked into it. Because Solaris is dead.
|
|
#
?
Feb 6, 2018 00:00
|
|
|
tl;dr: security and containerization are orthogonal. use selinux you jackasses
|
|
#
?
Feb 6, 2018 00:02
|
|
|
Notorious b.s.d. posted:tl;dr: security and containerization are orthogonal. As the maintainer of the SELinux packages for BuildRoot, I agree.
|
|
#
?
Feb 6, 2018 00:15
|
|
|
ah, here come the gold-platers
|
|
#
?
Feb 6, 2018 00:44
|
|
|
here’s a security tip: unplug you’re computre
|
|
#
?
Feb 6, 2018 00:57
|
|
|
nothing is secure because there's always like a dozen local root holes in the linux kernel if an attacker gets local execution on a vm you write off the entire vm, end of story seccomp and friends reduce the avenues by which an attacker can exploit a local root hole but idk how much i'd rely on them use containers for ease of management and use vms to actually contain breaches; hypervisor exploits do happen but when they do it's actually a big deal as opposed to a tuesday maybe i'm a bit  but exploit mitigation is the only class of security measures on linux that actually do something useful imo, kernel-enforced access control lists aren't really going to feature very heavily in the process of your system getting owned
Sapozhnik fucked around with this message at 01:05 on Feb 6, 2018 |
|
#
?
Feb 6, 2018 00:57
|
|
|
I'd just like to interject for a moment. What you're referring to as Linux, is in fact, a Tide ad.
|
|
#
?
Feb 6, 2018 01:13
|
|
|
Gazpacho posted:ah, here come the gold-platers you newfangled gold platin engineers in my day boats had a few holes and sometimes the wings fell off the plane and you just learned to like it
|
|
#
?
Feb 6, 2018 01:51
|
|
|
Sapozhnik posted:nothing is secure because there's always like a dozen local root holes in the linux kernel that is the point of selinux attacker gets uid=0 and that ... doesn't win anything.
|
|
#
?
Feb 6, 2018 01:51
|
|
|
uh...? attacker gets the ability to make the kernel do whatever the gently caress they want. uid=0 is just a means to an end at that point.
|
|
#
?
Feb 6, 2018 02:45
|
|
|
Notorious b.s.d. posted:that is the point of selinux setenforce 0?
|
|
#
?
Feb 6, 2018 02:46
|
|
|
hobbesmaster posted:setenforce 0? no one would ever try that!
|
|
#
?
Feb 6, 2018 03:20
|
|
|
who cares about security that is all too much effort, run all ur stuff as root including your desktop environment
|
|
#
?
Feb 6, 2018 03:24
|
|
|
the slackware way
|
|
#
?
Feb 6, 2018 06:50
|
|
|
pram posted:the slackware way
|
|
#
?
Feb 6, 2018 08:52
|
|
|
does anyone actually run unix multiuser anymore?
|
|
#
?
Feb 6, 2018 09:23
|
|
|
My uni has a shell server 
|
|
#
?
Feb 6, 2018 09:28
|
|
|
big shared computational clusters at universities are all multi-user machines, rhel or (more commonly in my experience) centos
|
|
#
?
Feb 6, 2018 14:04
|
|
|
Lysidas posted:big shared computational clusters at universities are all multi-user machines, rhel or (more commonly in my experience) centos depends a bit on size, they rather quickly get to be proper time-share and batch systems, where security becomes a very light concern (as the system itself is then gated behind some system that e.g. issues a short-term kerberos ticket or so for your access, and the larger system itself not really keeping any state, beyond a bunch of scratch with no guarantees). the clusters at my home university run ubuntu these days actually (reasonably serious systems, tending to debut pretty high up on the top500). i am not sure precisely why, but it is likely a mix of it not really mattering (the single-purpose nature and it is not like these systems will ever get e.g. spectre patches) and some users wanting it in fact it seems a very narrow space between living in a bunch of vm's on a physical machine, and having needs great enough that you have to span a bunch of physical machines exclusively anyway
|
|
#
?
Feb 6, 2018 15:29
|
|
|
new KDE LTS is out today
|
|
#
?
Feb 7, 2018 02:01
|
|
|
Notorious b.s.d. posted:the problem with ACLs is that there are three mutually incompatible systems: Linux/POSIX ACLs, Windows ACLs, and NFSv4 ACLs. <very Carnegie Mellon voice> Also AFS acls </vcmv> So technically four incompatible systems, though I've never seen AFS outside of education Hauldren Collider fucked around with this message at 06:16 on Feb 7, 2018 |
|
#
?
Feb 7, 2018 06:14
|
|
|
hobbesmaster posted:setenforce 0? uid 0 can’t run setenforce from inside an selinux context that is the point of selinux instead of all permissions checks being “is uid=0?”, programs are granted specific capabilities and not even root can exceed them
|
|
#
?
Feb 7, 2018 06:29
|
|
|
Gazpacho posted:does anyone actually run unix multiuser anymore? every job I’ve ever had used multi user Unix at least some of the time my current job, most developers even run their editor / IDE on big shared machines — their laptops are basically expensive X terminals
|
|
#
?
Feb 7, 2018 06:33
|
|
|
Notorious b.s.d. posted:my current job, most developers even run their editor / IDE on big shared machines — their laptops are basically expensive X terminals are you a cj for The Bad Place or something?
|
|
#
?
Feb 7, 2018 06:38
|
|
Gazpacho posted:does anyone actually run unix multiuser anymore? spankmeister posted:My uni has a shell server I remember how everyone at my uni used to telnet into a cluster of sun boxes and ran PINE for email, and you could kill pine and you’d have a ksh prompt and see the 300+ people logged in at any one time. And that “supposed to be for email” system had one of Sun’s C compilers available for anyone to run. that’s an awful lot of trust in isolation of a multi user system. Coffee Jones fucked around with this message at 07:13 on Feb 7, 2018 |
|
|
#
?
Feb 7, 2018 07:11
|
|
|
Coffee Jones posted:I remember how everyone at my uni used to telnet into a cluster of sun boxes and ran PINE for email, and you could kill pine and you’d have a ksh prompt and see the 300+ people logged in at any one time. when I was at my uni, everyone had a shell and you ran pine yourself now they use webmail can’t really remember what normal users did besides use pine
|
|
#
?
Feb 7, 2018 07:18
|
|
|
Notorious b.s.d. posted:every job I’ve ever had used multi user Unix at least some of the time nice mid-1990s cosplay even Ciaphas’ work doesn’t do that
|
|
#
?
Feb 7, 2018 07:19
|
|
|
Cocoa Crispies posted:are you a cj for The Bad Place or something? no, they use punched cards
|
|
#
?
Feb 7, 2018 07:19
|
|
|
el dorito posted:when I was at my uni, everyone had a shell and you ran pine yourself most people at my university used a nice graphical mail client with full support for fonts, styles, etc., hierarchical mailboxes, and seamless access to netnews that’s irrespective of whether they were on a Mac or one of the supported Unix systems people using MS-DOS or a shell session (dialup or telnet) used a curses-style fullscreen text app with a real menu bar and windows and colors and styles and poo poo, and even mouse support on MS-DOS systems
|
|
#
?
Feb 7, 2018 07:27
|
|
|
I use multi-user unix fairly frequently. Most of the research in my physics department that is too big to run on a laptop is instead run on one of the shared linux machines.
|
|
#
?
Feb 7, 2018 07:57
|
|
|
every person having a computer is a waste of computing power. we should all be remoting into a vax
|
|
#
?
Feb 7, 2018 09:43
|
|
|
perhaps the network *is* the computer
|
|
#
?
Feb 7, 2018 09:51
|
|
|
only VAX I want is a VAXStation/MicroVAX 2000, they’re adorable
|
|
#
?
Feb 7, 2018 09:51
|
|
|
I want an HP 2645 like curiousmarc and use it for shitposting
|
|
#
?
Feb 7, 2018 09:51
|
|
|
what about an HP 85, you could listen to the radio (also curiousmarc’s, he’s an HP nerd) this though is a pro as gently caress posting station  HP IPC, a 68K-based system with HP-UX in ROM and a built in inkjet printer other than the fact the system won’t boot if the printer fails self test they’re pretty drat cool
|
|
#
?
Feb 7, 2018 10:01
|
|
|
HP's incredible line of
|
|
#
?
Feb 7, 2018 14:45
|
|
|
atomicthumbs posted:every person having a computer is a waste of computing power. we should all be
|
|
#
?
Feb 7, 2018 14:46
|
|
|
i do a lot of jenkems janitor work so all my modern computers are just a fronend for that
|
|
#
?
Feb 7, 2018 15:51
|
|
|
|
| # ? Apr 29, 2024 05:56 |
|
|
Notorious b.s.d. posted:that is possible via ACLs, but people don't use ACLs very often ntfs acls are correct. the rest can be discarded
|
|
#
?
Feb 7, 2018 15:55
|
|
