this post was submitted on 23 Apr 2024
114 points (88.5% liked)

Linux

53368 readers
634 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
114
If all kernel bugs are security bugs, how do you keep your Linux safe? (www.zdnet.com)
submitted 1 year ago by lemmyreader@lemmy.ml to c/linux@lemmy.ml
64 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] lemmyng@lemmy.ca 38 points 1 year ago (2 children)

Just because it has a CVE number doesn't mean it's exploitable. Of the 800 CVEs, which ones are in the KEV catalogue? What are the attack vectors? What mitigations are available?

[–] taladar@sh.itjust.works 27 points 1 year ago (4 children)

The idea that it is somehow possible to determine that for each and every bug is a crazy fantasy by the people who don't like to update to the latest version.

load more comments (4 replies)
[–] lightnegative@lemmy.world 6 points 1 year ago

If I had a dollar for the number of BS CVE's submitted by security hopefuls trying to pad their resumes...

[–] KindaABigDyl@programming.dev 32 points 1 year ago (3 children)

Great reason to push more code out of the kernel and into user land

[–] kabi@lemm.ee 29 points 1 year ago* (last edited 1 year ago) (4 children)

Is it HURD'n' time?

[–] TimeSquirrel@kbin.social 14 points 1 year ago (1 children)

I dunno, Stallman, it's been 30 years, you got something for us?

load more comments (1 replies)
[–] jodanlime@midwest.social 5 points 1 year ago (1 children)

I think we should just resurrect Plan 9 instead.

[–] Peter1986C@lemmings.world 3 points 1 year ago (1 children)

Plan 9 is also monolithic, according to wikipedia. For BSD it depends.

[–] jodanlime@midwest.social 3 points 1 year ago (1 children)

I mean, you're right but I still want to see a modernized plan 9, I just think it would be neat.

[–] leopold@lemmy.kde.social 2 points 1 year ago (1 children)

that would be Inferno

load more comments (1 replies)
[–] OmnipotentEntity@beehaw.org 3 points 1 year ago (2 children)
[–] mexicancartel@lemmy.dbzer0.com 4 points 1 year ago (1 children)

Ah shit MIT license

[–] EinfachUnersetzlich@lemm.ee 1 points 1 year ago (1 children)

Is that bad?

[–] mexicancartel@lemmy.dbzer0.com 4 points 1 year ago

It means anyone including microsoft or apple can use the code contribution or take the entire softwarw and make some modifications and sell it proprietary. Any optimisations or features made by community can be proprietarised

load more comments (1 replies)
[–] barsoap@lemm.ee 2 points 1 year ago (1 children)

L4. HURD never panned out, and L4 is where the microkernel research settled: Memory protection, scheduling, IPC in the kernel the rest outside and there's also important insights as to the APIs to do that with. In particular the IPC mechanism is opaque, the kernel doesn't actually read the messages which was the main innovation over Mach.

Literally billions of devices run OKL4, seL4 systems are also in mass production. Think broadband processors, automotive, that kind of stuff.

The kernel being watertight doesn't mean that your system is, though, you generally don't need kernel privileges to exfiltrate any data or generally mess around, root suffices.

If you want to see this happening -- I guess port AMDGPU to an L4?

load more comments (1 replies)
[–] Rustmilian@lemmy.world 5 points 1 year ago* (last edited 1 year ago)

eBPF is looking great.

[–] 4am@lemm.ee 2 points 1 year ago (1 children)

So what you are saying is “mach was right”?

load more comments (1 replies)
[–] Catsrules@lemmy.ml 22 points 1 year ago (3 children)

Best way I found it running this command

rm -rf /

Then do a reboot just to be sure.

Good luck compromising my system after that.

FYI This is a joke Don't actually run this command :)

[–] possiblylinux127@lemmy.zip 8 points 1 year ago* (last edited 1 year ago) (2 children)

sudo apt-get remove systemd (don't actually run this)

[–] racketlauncher831@lemmy.ml 3 points 1 year ago

I ran it and followed a documentation to install Void Linux and now it runs so much smoother!

load more comments (1 replies)
[–] qaz@lemmy.world 7 points 1 year ago

It won't work without --no-preserve-root

[–] lordnikon@lemmy.world 2 points 1 year ago

good thing that command won't do anything anymore

[–] bloodfart@lemmy.ml 20 points 1 year ago (5 children)

That’s a crazy “if”

[–] Galli@hexbear.net 4 points 1 year ago (1 children)

"if" gcc had a Ken Thompson hack how do you secure checks notes anything

[–] pmk@lemmy.sdf.org 3 points 1 year ago (3 children)

I'm genuinely worried sometimes that a Ken hack has been introduced. I don't know by who, but possibly some government agency. Then again, we also have a Minix system built into the CPU doing god knows what and we just accept that.

load more comments (3 replies)
load more comments (4 replies)
[–] BigTrout75@lemmy.world 17 points 1 year ago

Article for the sake of having an article.

[–] swordgeek@lemmy.ca 16 points 1 year ago

Step one: stop listening to anything from Ziff-Davis.

[–] bhamlin@lemmy.world 10 points 1 year ago

I mean, this isn't any different for Windows or macos. The difference is the culture around the kernel.

With Linux there are easily orders of magnitude more eyeballs on it than the others combined. And fixes are something anyone with a desire to do so can apply. You don't have to wait for a fix to be packaged and delivered.

[–] PlexSheep@infosec.pub 8 points 1 year ago (1 children)

Security is not a binary variable, but managed in terms of risk. Update your stuff, don't expose it to the open Internet if it doesn't need it, and so on. If it's a server, it should probably have unattended upgrades.

[–] qaz@lemmy.world 5 points 1 year ago* (last edited 1 year ago) (4 children)

If it's a server, it should probably have unattended upgrades.

Interesting opinion, I've always heard that unattended upgrades were a terrible option for servers because it might randomly break your system or reboot when an important service is running.

[–] taladar@sh.itjust.works 3 points 1 year ago

There are two schools of thought here. The "never risk anything that could potentially break something" school and the "make stuff robust enough that it will deal with broken states". Usually the former doesn't work so well once something actually breaks.

[–] PlexSheep@infosec.pub 2 points 1 year ago* (last edited 1 year ago) (1 children)

Both my Debian 12 servers run with unattended upgrades. I've never had anything break from the changes in packages, I think. I tend to use docker and on one even lxc containers (proxmox), but the lxc containers also have unattended upgrades running.

Do you just update your stuff manually or do you not update at all? I'm subscribed to the Debian security mailing list, and they frequently find something that means people should upgrade, recently something with the glibc.

Debian especially is focused on being very stable, so updating should never break anything that wasn't broken before. Sometimes docker containers don't like to restart so they refuse, but then I did something stupid.

[–] qaz@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

I used to check the cockpit web interface every once in a while, but I've tried to enable unattended updates today. It doesn't actually seem to work, but I planned on switching to Nix anyway.

load more comments (1 replies)
[–] exu@feditown.com 2 points 11 months ago (1 children)

Not having automated updates can quickly lead to not doing updates at all. Same goes for backups.

Whenever possible, one should automate tedious stuff.

[–] qaz@lemmy.world 1 points 11 months ago

Thanks for the reminder to check my backups

[–] moonpiedumplings@programming.dev 2 points 11 months ago

That only applies to unstable distros. Stable distros, like debian, maintain their own versions of packages.

Debian in particular, only includes security patches and changes in their packages - no new features at all.* This means risk of breakage and incompatibilitu is very low, basically nil.

*exceot for certain packages which aren't viable to maintain, like Firefox or other browsers.

[–] MonkderDritte@feddit.de 8 points 1 year ago

pacman -Syu

Rhetorical question?

[–] django@discuss.tchncs.de 7 points 1 year ago

Install all the patches immediately.

[–] sonori@beehaw.org 5 points 1 year ago (1 children)

Crontab dnf update -y and trust that if anything breaks uptime monitoing/ someone will let me know sooner or later.

[–] possiblylinux127@lemmy.zip 3 points 1 year ago

Don't use cron for that. Use the package managers auto update utility. Plus if you use the proper tools you can set it to security updates only

[–] MadMadBunny@lemmy.ca 3 points 1 year ago (2 children)

Air gap.

[–] possiblylinux127@lemmy.zip 2 points 1 year ago* (last edited 1 year ago)

Honestly it is a valid option for critical systems. It is a bad idea to connect water treatment plans to the internet for example

[–] fruitycoder@sh.itjust.works 1 points 1 year ago (1 children)

Some air gaps better than others

[–] Iapar@feddit.de 3 points 1 year ago (2 children)

My airgap stinks.

load more comments (2 replies)
load more comments
view more: next ›