The officially official Devuan Forum!


#276 Re: Off-topic » Music » 2022-12-20 06:01:46

Lots of The Specials. RIP Terry Hall.

#277 Re: Off-topic » What are you reading/want to read ? » 2022-12-19 19:56:38

Lone Wolf & Cub by Kazuo Koike & Goseki Kojima, the first omnibus edition (700 pages!). Utterly awesome. Even better than the Baby Cart movies. The Mandalorian was also inspired by this manga, interestingly.

#278 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-19 18:54:47

Devarch wrote:

The script looks too complicated

That's the entire init script from Alpine's initramfs. The only bits that are needed are a few fstab lines — the mount commands in my link show what options are needed for that.

Thanks for the links, very useful.

EDIT: and in respect of Qubes and their "secure" virtualisation:

Theo de Raadt wrote:

> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection.  Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.

https://marc.info/?l=openbsd-misc&m=119318909016582

#279 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-19 16:38:35

Devarch wrote:

immutability

How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.

Alpine uses overlayfs to run in RAM:

https://gitlab.alpinelinux.org/alpine/m … it.in#L535

#280 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-19 16:28:28

fanderal wrote:

memory is back to normal

The memory usage is the same regardless of the tool used to measure it. Just accept the new procps package: it does not increase your RAM usage, it just reports it differently.

And sorry for missing that — I did check the procps changelog but obviously not carefully enough.

#281 Re: Off-topic » Share your photography! » 2022-12-18 19:24:57

Ah, Yorkshire. God's own county. Not as nice as Cheshire ofc, but not a bad place to live at all.

#282 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-18 14:57:04

The improved security provided by a non-root X is plain, simple fact. It is not an opinion.

Anyway I don't want to drag this thread off-topic so I've posted how to get EXE to run X under the normal user in the screenshots thread:

https://dev1galaxy.org/viewtopic.php?pid=39482#p39482

The advice also applies to Devuan so perhaps it will be useful for the OP even though it's off-topic here.

#283 Re: Off-topic » Show your desktop (rebooted) » 2022-12-18 14:54:28

EXE GNU/Linux running X under the normal user:

2022-12-18-144908-1280x800-scrot.png

It's very simple to upgrade the security from stock:

$ echo '[ "$(tty)" = /dev/tty1 ] && exec startx > ~/.xsession-errors 2>&1' > ~/.profile
# update-rc.d tdm disable
# /etc/init.d/tdm stop

Then log in at the console.

The same method can be applied to Devuan's Xfce desktop; the only difference is that it uses LightDM instead of TDM (or maybe it's SLiM, I can't remember), so disable that instead.

#284 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-18 12:27:50

andyp67 wrote:

Today I've learned apt-mark hold to prevent firmware-linux-free being installed

The free firmware should be "safe", at least theoretically, because the source code is available.

#285 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-18 12:25:43

aluma wrote:

I have a GNU/LINUX EXE installed with default system settings. The Xorg.0.log file is exactly where I indicated

Tell EXE to stop running X under the root user then, it's really bad for security. Debian moved away from root-owned X seven years ago[1] so the derivatives should really catch up. IMO.

#286 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-18 11:49:07

andyprough wrote:

sync; echo 1 > /proc/sys/vm/drop_caches
sync; echo 2 > /proc/sys/vm/drop_caches

The kernel is quite capable of dropping the cache by itself if the memory is needed. And anyway the free output clearly shows that the buffers are almost empty. See also https://www.linuxatemyram.com/.

aluma wrote:

/var/log/Xorg.0.log

That location is only used if X is running under root. I think the OP's log will be under ~/.local/share/xorg/ but their use of custom startup scripts complicates the picture somewhat.

#287 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-17 22:49:36

So that memory use looks normal. Is free still showing an excess? The procps package hasn't been updated since April so I don't think it's the free command itself that's changed.

Anyway I'm out of ideas here, sorry.

And if you have a Haswell CPU you need the Intel microcode package to stop it crashing randomly.

#288 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-17 19:45:17

Which graphics chip are you running? If it's Intel then remove xserver-xorg-video-intel. That driver hasn't been properly maintained for about 10 years and it's buggy as hell. X's built-in modesetting DDX driver should offer a better experience if you don't have old hardware. It even has a new TearFree option to help combat X's completely broken compositing model, which is nice.

Just for the record here are my values with Xorg 21.5.1 with a Wayland comparison (amdgpu, 1920x1080):

$ doas ps_mem | grep 'Xorg\|openbox\|sway$'
  7.4 MiB +   1.4 MiB =   8.8 MiB	openbox
 36.3 MiB +  17.0 MiB =  53.3 MiB	sway
 51.1 MiB +  32.7 MiB =  83.9 MiB	Xorg
$

EDIT: I use Arch btw :P

EDIT2: changed awk to grep just in case andyprough takes the piss.

EDIT3: s/composting/compositing/. Possibly more accurate with the typo though...

#289 Re: Off-topic » Beware of the Zeitgeist... and a reminder to inspect packages/source. » 2022-12-17 11:58:07

Altoid wrote:

The point being that a package such as this one does not have a place or reason to be in any Linux repository.
Much less in Devuan's repositories.

Of course it has a reason. It is a useful piece of software. If I were administering a highly secure multi-user system I would want to keep a very close check on what my users were doing. The same goes for my teenage grandchild — I am very tempted to install Zeitgeist on their box to aid safekeeping.

#290 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-17 11:54:27

fanderal wrote:

The .xinitrc file has 'exec fluxbox,' feh loads the background, starts conky and xnumlock.

I would prefer to see the actual file contents, if you don't mind. TIA.

fanderal wrote:

Maybe 2/3 years ago, I had to create an '.xserverrc' file for xinit to start the desktop.

So what happens if you move that somewhere else and run

startx /usr/bin/fluxbox

That won't give you a full desktop but it will help eliminate custom startup scripts as a culprit here.

#291 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-17 11:48:55

The OpenSSL devs claim their code is now as good as OpenBSD's LibreSSL fork. I don't believe them but LibreSSL isn't generally available for Linux. OpenBSD wins again. IMO.

EDIT: just found a Debian port for LibreSSL by one of the OpenBSD devs:

https://github.com/reyk/libressl-deb

Hasn't been updated for almost two years though and the libtls library is statically linked so it's probably best not to use it for anything critical. Just in case.

#292 Re: Off-topic » Music » 2022-12-17 11:43:36

Boss Drum by The Shamen.

I remember when this album first came out, I hated it 'cos I was all about Death Metal at the time. I've mellowed with old age and can now recognise it as a stone cold classic though. E's are good!

#293 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-16 21:41:01

There is always https://wiki.debian.org/Hardening but it's a bit out of date now. And the hardening-runtime package as well, don't forget that.

#294 Re: Hardware & System Configuration » [SOLVED] memory problem » 2022-12-16 21:01:20

Did the memory usage increase before the xserver-xorg-core 21.1.5 release? Perhaps there is a regression.

How are you starting fluxbox?

#295 Re: Hardware & System Configuration » [SOLVED] Five-or-more pinning to older version » 2022-12-16 18:43:05

rolfie wrote:

Why is this "1:" you call it epoch required?

The epoch is part of the version string. See also https://www.debian.org/doc/debian-polic … ml#version.

#296 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-16 18:40:11

andyp67 wrote:

What ideas you got on the post re hardening

Use Wayland instead of X. If you have to use X then run it with startx from a console login to ensure the server runs under the normal user instead of under root. You will need elogind but it does improve security so it's worth it (IMO).

I use OpenBSD instead of Linux if security is a concern. That operating system is pro-active in respect of security, which is certainly not the case for the Linux kernel developers. It doesn't have bash or glibc or any of the other GNU bloatware. It's wonderful.

#297 Re: Hardware & System Configuration » [SOLVED] Five-or-more pinning to older version » 2022-12-16 18:16:01

You forgot to add the epoch:

Package: five-or-more*
Pin: version 1:3.30.0*
Pin-Priority: 1001

Tested and works for me.

EDIT: added asterisk after package name to cover multi-arch systems.

#299 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-16 17:25:56

andyp67 wrote:

Another idea, during install, after select and install software, I alt f2 and chroot /target and add to etc/fstab noatime.

That will break mutt and the increase in performance is so tiny as to be unmeasurable.

andyp67 wrote:

Running X via a setuid binary wrapper, I do not have the amount of knowledge, I don't know if this is OK or not

It's not. A huge amount of effort has been directed into removing setuid binaries because they present such a security risk. Using a setuid wrapper to avoid a correct login session will only degrade security.

#300 Re: Devuan » Hardening Linux, minimal, to ultra. » 2022-12-16 16:24:00

andyp67 wrote:

For install, do not use mains, use battery.

Why?

andyp67 wrote:

Nuke the internal storage device, fdisk/gdisk and /dev/urandom|zero is OK.

If the drive is solid state you can use blkdiscard to clear the drive instantly, no need to wait for it to fill with zeros. Note however that neither blkdiscard nor dd can completely wipe a solid state drive because of overprovisioning. #securitytheatre

andyp67 wrote:

Boot from a flash drive with a loader created by a professor/doctor i.e., Refind.

Whilst I much admire and respect the work of Rod Smith I don't see why rEFInd should be preferred over the default bootloader. Do you have any sound technical reasons to prefer it?

EFI_STUB booting with a unified kernel image would be the best for security, especially if the kernel image is signed with a personal key. That's what I use anyway.

andyp67 wrote:

wpasupplicant

That program is ancient now. Try iwd instead — it's more modern and secure than wpasupplicant with fewer dependencies.

andyp67 wrote:

IP masquerade does not work in systemd and wpa

Yes it does: https://www.freedesktop.org/software/sy … asquerade=.

andyp67 wrote:

& to be able to startx in user install xserver-xorg-legacy &
/etc/X11/Xwrapper.config
allowed_users=anybody
needs_root_rights=yes
****

Running X via a setuid binary wrapper is the exact opposite of good security. Don't do that. Just use a proper login session.

andyp67 wrote:

Don't use synaptics, use xserver-xorg-input-libinput

Why?

andyp67 wrote:

Put some caravan tape in your wallet to shield your bank card so the alarm does not go off when you walk IN to the supermarket

I can get bulk supplies of tin foil really cheap if you're interested. PM me for details.
