I think containerization is a great way to protect a system, but this seems way too “experimental research project” to ship on a major OS. As someone else stated, libraries being neglected with security issues seems likely. Even IF attackers don’t get filesystem access or for malware, it could still allow for system resources to be used potentially for things like mining or ddos attempts and the like.
Ubuntu Delays Transition To Snap'ed CUPS Print Server
Originally posted by qarium:
I dropped Kubuntu years ago, at the time Canonical made a deal with Microsoft, which makes Ubuntu part of the evil Microsoft empire. Also, KDE is evil CLA-WAR...
You'd better install Fedora 38 Cinnamon Edition. Cinnamon is similar to KDE but is based on GTK/GNOME.
So far, I've got instructions for Firefox, Thunderbird, GTK 3/4, Ttk, Wine, and Web Apps.
Even in the GNOME 2.x era, when I gave GNOME a shot before returning to KDE 3.5, it was annoying how much work I had to do to disable things like spatial navigation, install themes like Clearlooks Compact, etc.
As much as I love GIR (GObject Introspection, their IDL) and their interest in Rust, I do not share their UI design sensibilities. I'm also not a fan of how terribly GNOME handles being run inside VirtualBox when I need to test the compatibility of a change to my QuickTile tool, and I'm not a fan of Mutter's creaky architecture in general.
KDE, by contrast, is leading the charge on crash recovery support for Wayland compositors (something I consider non-negotiable if I'm going to switch to Wayland) which the GNOME devs seem disinterested in. (I don't care what DE you champion. I've never seen a compositor that can run for several months straight without starting to lose its mind.)
Last edited by ssokolow; 25 August 2023, 11:58 PM.
- Likes 3
Originally posted by Malsabku:
With Fedora Silverblue, all libraries are installed in triplicate for normal usage (base system libs + Fedora Flatpak libs + Flathub Flatpak libs). The libraries have also been installed at least twice on other immutable OSes, e.g. openSUSE Aeon (base system libs + Flathub libs).
Silverblue and Flatpak both use OSTree as the underlying "git for your OS" layer, and OSTree already does automatic deduplication within a scope, so all it should take to avoid the duplication between at least the base system and the Fedora Flatpak libs is to ensure the same library versions are used and patch whatever is necessary to ensure that OSTree sees the base system and the Fedora flatpak libs as being backed by the same scope.
Originally posted by oleid:
The analogue of flatpak for services is called docker (or one of its variants).
Here's the systemd unit file for a little daemon I wrote:
Code:
[Unit]
Description=Server to allow my fan to be turned off remotely
After=network.target
Wants=network.target
# NOTE: Remember to check this file after making changes:
# sudo ./install.sh; systemd-analyze security fan_remote.service

[Service]
Type=simple
ExecStart=/usr/local/bin/fan_remote -F2
BindPaths=/dev/ttyS0
BindReadOnlyPaths=/usr/local/bin/fan_remote
CapabilityBoundingSet=
CPUQuota=20%
DevicePolicy=closed
DeviceAllow=/dev/ttyS0
DynamicUser=yes
Environment=
ExecPaths=/bin /usr/bin /usr/local/bin
IPAddressDeny=any
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
MemoryMax=512M
Nice=10
NoExecPaths=/
NoNewPrivileges=yes
PassEnvironment=
PrivateDevices=yes
PrivateIPC=yes
ProcSubset=pid
ProtectProc=invisible
PrivateMounts=yes
PrivateNetwork=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadOnlyPaths=/usr/bin/br
ReadOnlyDirectories=/usr
RemoveIPC=yes
RestrictAddressFamilies=none
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SocketBindDeny=any
SupplementaryGroups=dialout
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@chown @privileged @resources @setuid
StandardOutput=journal
TemporaryFileSystem=/usr/local:ro /usr/local/bin:ro
UMask=0077
# All irrelevant paths not covered by Private* options that the FHS says we
# should be able to rely on existing (systemd will error out if one doesn't)
InaccessiblePaths=/boot /etc /media /mnt /opt /run /sbin /srv /usr/include /usr/libexec /usr/sbin /usr/share /usr/src /var
# Remaining `systemd-analyze security` concerns:
# - DeviceAllow=/dev/ttyS0 is needed to access X10
# - SupplementaryGroups=dialout is needed to access X10
# - RootDirectory/RootImage would require building a containerized image
#   for /usr/bin/br to access X10.
# - I have no idea why ProtectClock is being reported as not set

[Install]
WantedBy=multi-user.target

Code:
[Socket]
ListenStream=23734

[Install]
WantedBy=sockets.target
EDIT: ...and it produces this systemd-analyze security fan_remote output. (Tip: If pasting preformatted whitespace requires using the DOM inspector, maybe your paste code is broken.)
Code:
  NAME                                                DESCRIPTION                                                                  EXPOSURE
✓ PrivateNetwork=                                     Service has no access to the host's network
✓ User=/DynamicUser=                                  Service runs under a transient non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)        Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE               Service has no ptrace() debugging abilities
✓ RestrictAddressFamilies=~AF_(INET|INET6)            Service cannot allocate Internet sockets
✓ RestrictNamespaces=~CLONE_NEWUSER                   Service cannot create user namespaces
✓ RestrictAddressFamilies=~…                          Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)   Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_RAWIO                    Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_MODULE               Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_TIME                 Service processes cannot change the system clock
✗ DeviceAllow=                                        Service has a device ACL with some special devices                           0.1
✓ IPAddressDeny=                                      Service blocks all IP address ranges
✓ KeyringMode=                                        Service doesn't share key material with other services
✓ NoNewPrivileges=                                    Service processes cannot acquire new privileges
✓ NotifyAccess=                                       Service child processes cannot alter service state
✓ PrivateDevices=                                     Service has no access to hardware devices
✓ PrivateMounts=                                      Service cannot install system mounts
✓ PrivateTmp=                                         Service has no access to other software's temporary files
✓ PrivateUsers=                                       Service does not have access to other users
✗ ProtectClock=                                       Service may write to the hardware clock or system clock                      0.2
✓ ProtectControlGroups=                               Service cannot modify the control group file system
✓ ProtectHome=                                        Service has no access to home directories
✓ ProtectKernelLogs=                                  Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                               Service cannot load or read kernel modules
✓ ProtectKernelTunables=                              Service cannot alter kernel tunables (/proc/sys, …)
✓ ProtectSystem=                                      Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                  Service cannot allocate packet sockets
✓ RestrictSUIDSGID=                                   SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=                            Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock                            System call whitelist defined for service, and @clock is not included
✓ SystemCallFilter=~@debug                            System call whitelist defined for service, and @debug is not included
✓ SystemCallFilter=~@module                           System call whitelist defined for service, and @module is not included
✓ SystemCallFilter=~@mount                            System call whitelist defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io                           System call whitelist defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot                           System call whitelist defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap                             System call whitelist defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged                       System call whitelist defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources                        System call whitelist defined for service, and @resources is not included
✓ AmbientCapabilities=                                Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                  Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                     Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                    Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                   Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)      Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP                 Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC                    Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET                    Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS                     Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID                    Service cannot create process namespaces
✓ RestrictRealtime=                                   Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation                    System call whitelist defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete                         System call whitelist defined for service, and @obsolete is not included
✓ RestrictAddressFamilies=~AF_NETLINK                 Service cannot allocate netlink sockets
✗ RootDirectory=/RootImage=                           Service runs within the host's root directory                                0.1
✗ SupplementaryGroups=                                Service runs with supplementary groups                                       0.1
✓ CapabilityBoundingSet=~CAP_MAC_*                    Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                 Service cannot issue reboot()
✓ Delegate=                                           Service does not maintain its own delegated control group subtree
✓ LockPersonality=                                    Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                             Service cannot create writable executable memory mappings
✓ RemoveIPC=                                          Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS                    Service cannot create hostname namespaces
✓ UMask=                                              Files created by service are accessible only by service's own user by default
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE          Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                 Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT               Service cannot issue chroot()
✓ ProtectHostname=                                    Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND            Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                    Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG           Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM               Service cannot program timers that wake up the system
✓ RestrictAddressFamilies=~AF_UNIX                    Service cannot allocate local sockets

→ Overall exposure level for fan_remote.service: 0.4 SAFE 😀
Last edited by ssokolow; 26 August 2023, 01:20 AM.
- Likes 2
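As an added example (not from ssokolow's post or the fan_remote project), a small Python checker that parses a service unit written the way the posted fan_remote.service is and reports a handful of the hardening gaps that systemd-analyze security would flag. The embedded sample unit is constructed and deliberately weaker than the posted one; the checks are my own selection and do not reproduce systemd's scoring.

```python
SAMPLE_UNIT = """\
[Unit]
Description=constructed example service
[Service]
ExecStart=/usr/local/bin/example
NoNewPrivileges=yes
ProtectSystem=full
Environment=FOO=1
Environment=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
PrivateNetwork=no
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys extend, an empty value resets."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        vals = current.setdefault(key.strip(), [])
        if value.strip():
            vals.append(value.strip())
        else:
            vals.clear()  # "Key=" with no value resets the setting, as in systemd
    return sections

def syscall_lists(values):
    """Split SystemCallFilter= values into (allow, deny); a leading '~' denies the whole line."""
    allow, deny = set(), set()
    for v in values:
        target, body = (deny, v[1:]) if v.startswith("~") else (allow, v)
        target.update(body.split())
    return allow, deny

def audit_service(text):
    """Return sorted findings for [Service]: a small subset of what systemd-analyze security checks."""
    svc = parse_unit(text).get("Service", {})
    allow, deny = syscall_lists(svc.get("SystemCallFilter", []))
    checks = [
        (svc.get("NoNewPrivileges") == ["yes"], "NoNewPrivileges= should be yes"),
        (svc.get("ProtectSystem") == ["strict"], "ProtectSystem= should be strict"),
        (svc.get("PrivateNetwork") == ["yes"], "PrivateNetwork= not enabled"),
        ("DynamicUser" in svc or "User" in svc, "no User=/DynamicUser=, service runs as root"),
        ("CapabilityBoundingSet" in svc, "CapabilityBoundingSet= not restricted"),
        ("@system-service" in allow, "no @system-service allow-list in SystemCallFilter="),
        ("@privileged" in deny, "@privileged not denied in SystemCallFilter="),
    ]
    return sorted(msg for ok, msg in checks if not ok)
```

Run `audit_service(open("/etc/systemd/system/foo.service").read())` against a real unit to get the same kind of list; an empty result means only that these seven checks pass, not that the unit is as tight as the posted one.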
Originally posted by caligula:
The purpose of snaps is vendor lock-in. No other distro uses them. Also AMD and Intel make faster processors with larger memory support. The purpose of faster hardware is to run the same software as fast as it used to run a few years ago.
It's as if you're calling all package repositories "vendor lock-in" because only a single distro (in general) can use that particular repository. No. The only way snaps could be a vendor lock-in mechanism was if CUPS developers themselves only distributed CUPS via snaps, which they obviously don't.
Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.
- Likes 1
Originally posted by ssokolow:
...and systemd for the sandboxing", as is used by things like Fedora Silverblue.
Here's the systemd unit file for a little daemon I wrote:
Code:[Unit] .. [Service] ... → Overall exposure level for fan_remote.service: 0.4 SAFE 😀
Sorry, I know you just copy-pasted into the thread here. I would just appreciate a more permanent reference that would be easier to find again later, for example in some documentation or other in-repo code example. Many thanks.
- Likes 1
Originally posted by curfew:
Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.
For example (if I remember) from last time, is it true that PPAs don't work over in Debian?
So exactly the amount of relative grief(s) existing users are being inflicted upon, given their (much earlier) prior choice so many years before to decide to go with Ubuntu.
Or perhaps here is a different question:
Are there any so-called 'protest distros' coming out or to be maintained which replace all the mandatory snaps with non-snap versions? For example, Learn Linux (on YouTube) gave such an example, but it's not really solidly supported. Or could users instead consider switching to some other 'more serious' distros, such as Vanilla OS? (Which, btw, is planning to drop Ubuntu now in favor of a Debian base image.)
So my feeling is this is where the discussion should be at: to evaluate more seriously the variety of different possible options that are available to us, and see what the relative pros/cons are.
Another point is that over on Windows there are de-clutter and 'fix Windows' tools that clean up the bad stuff in Windows. So could there be enough reason for a similar tool to exist for Ubuntu? That would include multiple 'selectable' tasks (including both the CUPS and Firefox ones), the idea being that you can choose to either 'sort them out' or otherwise 'leave them alone' (as stock), and maybe even include some level of capability to reverse such changes. Now, that might not be a permanent long-term solution! But it could be a sort of short-term one, to buy people a bit of extra time while trying to get off Ubuntu for good.
Originally posted by curfew:
Why are you even commenting when everything you say is absolutely wrong and backwards? Ubuntu can package its software in any way it wants and that has nothing to do with vendor lock-ins.
It's as if you're calling all package repositories "vendor lock-in" because only a single distro (in general) can use that particular repository. No. The only way snaps could be a vendor lock-in mechanism was if CUPS developers themselves only distributed CUPS via snaps, which they obviously don't.
Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.
Even if it wasn't intentional, which I doubt, the backlash of forcing every faculty and other large Linux user to lock themselves into the snap fad is more likely to get them to switch to something like OEL9 than put the effort into a very Ubuntu-specific setup.
- Likes 1
Originally posted by mcloud:
Benchmark opportunity right here
Originally posted by jeisom:
I think containerization is a great way to protect a system, but this seems way too “experimental research project” to ship on a major OS. As someone else stated, libraries being neglected with security issues seems likely. Even IF attackers don’t get filesystem access or for malware, it could still allow for system resources to be used potentially for things like mining or ddos attempts and the like.
Originally posted by patrick1946:
Are you working for the marketing department of Canonical? With Silverblue the base system is very basic. So updates are easy and there is no need for LTS versions anymore. And with flatpak you have so many different libraries like you have runtime except the files have the same sha. If ubuntu is sharing the libraries then you get the same problem as with traditional systems.
Why do you get the same problem as with traditional systems? I don't get that point. The coreXX snaps are still universal to every distro.
Originally posted by ssokolow:
If that's true, it sounds like something they should fix.
Silverblue and Flatpak both use OSTree as the underlying "git for your OS" layer, and OSTree already does automatic deduplication within a scope, so all it should take to avoid the duplication between at least the base system and the Fedora Flatpak libs is to ensure the same library versions are used and patch whatever is necessary to ensure that OSTree sees the base system and the Fedora flatpak libs as being backed by the same scope.
Getting back on topic, it wouldn't even be technically possible to outsource CUPS to Flatpak let alone the Gnome Terminal or the Gnome System Monitor.
Originally posted by dreamcat4:
Or perhaps here is a different question:
Are there any so-called 'protest distros' coming out or to be maintained which replace all the mandatory snaps with non-snap versions? For example, Learn Linux (on YouTube) gave such an example, but it's not really solidly supported. Or could users instead consider switching to some other 'more serious' distros, such as Vanilla OS? (Which, btw, is planning to drop Ubuntu now in favor of a Debian base image.)
- Likes 3