All things Linux and GNU/Linux -- this is neither a community exclusively about the kernel Linux, nor is it exclusively about the GNU operating system. Linux, GNU/Linux, free software...

Linux security: it's not great

3 hours 16 min ago

Hi. I'd be glad if you read all of my post and gave me some insight, whether you're new to Linux or have been using it for decades.

How do you live with the dreadful Linux security landscape?

Commits that fix security issues often leave out the CC: for the stable branch, don't have a CVE, and don't even explicitly mention the adverse effects that could befall someone without the fix. Most distributions use slightly older kernels (or way older, for CentOS/RHEL/Debian) and backport specific fixes to them. Security fixes without a CVE - and there are a lot of them - are often left out, and only available to those running the latest releases. Again, *most* distributions do not do that. Many users thus never get those patches and remain vulnerable.

Most Linux distributions ship with sub-optimal default settings (mount flags, sysctls, kernel configuration, package mirrors over HTTP, binaries built without much/any hardening, etc.) and leave the task of securing the box up to the system administrator. If you're experienced with that, great, but a lot of people are not. The ones who just install Linux and start using it are very much at risk if the defaults are not good. I would expect something like Gentoo to leave everything up to the admin like that, not Mint or *buntu.

Different distributions get security fixes at different times. I saw Ubuntu fix **three local root vulnerabilities in systemd** today, but didn't see an advisory for Debian (for example). Maybe it already happened and I just missed it or something, but, for a security-conscious newcomer, this makes choosing a distribution very confusing. Who will get the fixes first? Sometimes different versions of the same distro don't even get all the fixes. With few exceptions like the (linux-)distros mailing lists, there seems to be no coordination. BTW, about the systemd one: that should probably be its own section. Horrible security record there. Same with glibc. Same with OpenSSL.

Exploit mitigation techniques, even basic ones, are not a strong focus of upstream Linux or the distributions at all. If you want those, you(r company) has to pay grsecurity for their secret patchset. The KSPP is not making much progress at all either. In fact, if the grsecurity author is to be believed, they shoehorn a lot of the grsec/PaX patches in without fully understanding them, thus introducing bugs. I know Brad has a pretty insufferable personality and it's in his best interests ($$$) to talk shit about the upstream code. Still, the whole situation is absolutely horrible and completely bizarre to someone who's not a Linux user. One guy keeps security fixes and improvements to himself, publicly boasting about how the vast majority of users are vulnerable to attack, and keeps his code sealed off behind an expensive paywall. He does not want the upstream kernel or GCC to improve; he wants more customers. The concept is very alien to someone like me. When governments or other malicious actors buy his code, they now have a private list of fixes to use against anyone else - *against you*. I could argue that grsecurity/PaX is a hostile actor. Theoretically, why doesn't one company buy the patch, get some people to integrate it, and move on? Everyone would be safer. More importantly: **why does no one care about this?** A run-of-the-mill Linux install is not protected against modern ROP attacks without modern mitigations available and enabled. With Linux, the attackers are way ahead of the defenders.

Some Linux users seem to be operating under the false assumption that their OS is "secure." Without diving into how broad of a subject security really is, it's pretty clear to me that almost no one creating Linux has user security as a very high priority. It tops the CVE charts time and time again, and no, it's not just because "more people are reading the code." Corporate involvement in Linux development has skyrocketed, overshadowing the non-corporate involvement by a large degree. Companies get what they want in the tree and don't care how it affects everyone else. Does it build? Ship it! One random example: have you seen the size of the amdgpu codebase? Look into it if not. Maybe some users will never take those codepaths and fall victim to the bugs, but not every example is so specific. It's a widespread problem throughout the entire kernel.

Why are things so bad? What can we do to fix them? If possible, try to avoid overly dismissive replies like "all software is bad" or "every computer is insecure" and so on.

submitted by /u/baboon69420
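The post's complaint that distributions ship binaries "without much/any hardening" is something anyone can verify on their own box. What follows is an added example for this thread, not code from the post or from any distribution's tooling: a minimal checksec-style audit that reads only the ELF header and program headers and reports the three properties the kernel loader itself acts on: PIE (`e_type == ET_DYN`), a non-executable stack (`PT_GNU_STACK` without `PF_X`; on x86 a missing header means an executable stack) and the presence of a `PT_GNU_RELRO` segment. The `build_sample_elf` images are constructed test inputs, not loadable binaries. Stack canaries, FORTIFY_SOURCE and the partial-vs-full RELRO distinction need dynamic-section and symbol parsing, which this deliberately leaves out.

```python
"""Minimal checksec-style audit of ELF64 binaries: PIE, NX stack, RELRO.

Added example for this thread, not from the post. Only the ELF header and
program headers are parsed; canaries and full RELRO are out of scope.
"""
import struct
import sys

ET_EXEC = 2                 # fixed-address executable
ET_DYN = 3                  # e_type of a PIE (or shared object)
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permissions
PT_GNU_RELRO = 0x6474E552   # region the loader makes read-only after relocation
PF_X = 0x1                  # executable bit in p_flags
PHDR64_SIZE = 56


def elf_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': bool} for a 64-bit ELF image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_phentsize != PHDR64_SIZE:
        raise ValueError("unexpected program header size")

    nx = False      # no PT_GNU_STACK at all: the x86 kernel falls back to an executable stack
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Construct a header-only little-endian ELF64 image with the requested properties.

    Constructed test input: not loadable, but it carries exactly the header
    fields the audit reads, so the parser can be exercised offline.
    """
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little endian, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,   # e_type
        62,                           # e_machine: x86-64
        1,                            # e_version
        0,                            # e_entry
        64,                           # e_phoff: program headers follow the header
        0, 0,                         # e_shoff, e_flags
        64, PHDR64_SIZE, len(phdrs),  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                      # e_shentsize, e_shnum, e_shstrndx
    return header + b"".join(phdrs)


def audit_file(path: str) -> dict:
    with open(path, "rb") as f:
        return elf_hardening(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:] or ["/bin/ls"]:
        try:
            r = audit_file(path)
        except (ValueError, OSError) as e:
            print(f"{path}: skipped ({e})")
            continue
        missing = ", ".join(k.upper() for k, v in r.items() if not v) or "none"
        print(f"{path}: PIE={r['pie']} NX={r['nx']} RELRO={r['relro']}  missing: {missing}")
```

Run it over `/usr/bin/*` to see how much of a default install is built as PIE with RELRO; anything reported as `missing: PIE` is a fixed-address binary, which is exactly the kind of ROP target the post is worried about.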

Just got started with Linux on DeX? Come join us on r/LinuxOnDeX!

4 hours 50 min ago

There's a troubleshooting megathread, one for talking about all the cool stuff you got up and running today, and lots of room for more. Come hangout!


submitted by /u/I_Love_That_Pizza

Anyone know where to find resources to learn what you'd need for a red hat certification?

5 hours 6 min ago

Pretty much just the title: I can't really afford the official classes from Red Hat, and I'd rather find something cheaper or free.

submitted by /u/TheRoyalBrook

Virtual keyboard software?

Mon, 2018-11-12 23:31

I'm looking for software to get an on-screen keyboard on my touch-screen PC, because the default GNOME one does not open when I use the browser, write mail, etc. Before, I used Onboard, but with Fedora the latter does not attach to the bottom of the screen (I do not know why), and I do not want to use it in floating mode. Is there some alternative software, or a solution for Onboard?

submitted by /u/TeoCol777

Do you think that lowering redundancy by sharing packages justifies the inconvenience of not being able to have native portable offline programs?

Mon, 2018-11-12 20:38

I understand that this is the "Linux way", and I get it that it's "smart" to do it like this, but I, personally, would gladly sacrifice tens or hundreds of megabytes for self-contained, portable software without any hassle with dependencies and the reliance on an internet connection. Storage is cheap. Everyone has at least 500 gigs of storage. What everyone doesn't have is the convenience of just dragging and dropping a program onto a USB stick and taking it with them to a friend's, or using it on a fresh install. The whole concept of Linux relies on rolling releases and constant updating of packages, which eventually won't be compatible with older software. If the guys hadn't invented snap and Flatpak and AppImage (which is supposedly the best because it runs natively without sandboxing), Linux would be severely behind the convenience of Windows. But still, there is a very limited amount of AppImage versions of software, and making one yourself takes a great deal of effort and time. Ubuntu is now pushing snaps, but I don't trust Canonical, and they are inferior to AppImage. I wish the dudes at AppImage would advertise better and people would get more interested in all this, because you are too reliant on the internet and the merciful repository gods giving you packages. Couldn't the whole AppImage process be automated? Why does it have to go all the way from GitHub? Why can't it just make an ultimate package from the readily available packages already on the computer? I think this is the future of Linux, and it will be great to just store a portable program, slap it onto a USB stick, and KNOW that it will work anywhere and everywhere. This will also help people who fix computers, and other guys who don't have constant access to the internet. What do you think?

submitted by /u/plippp

booting from live usb - nomodeset problem

Mon, 2018-11-12 20:07

I have tried to install both Solus 3.9999 and Fedora 29 using nomodeset because of my NVIDIA card. I cannot reach a GUI to install either operating system. I get a black screen with a blinking cursor. Any suggestions, or is there something I may be doing wrong?

submitted by /u/VolcanicHowl

Testers needed: WattmanGTK [AMDGPU users]

Mon, 2018-11-12 19:12

Hey everyone,

Since my last post a lot has changed in WattmanGTK. I am therefore on the lookout for some test reports. The branch is called wattmangtk-next and can be found here.

I am especially interested in multi-GPU users (since I hope multi-GPU support works for now), but other reports are also welcome. Please let me know your hardware configuration and your setup (distro and such), and if you have any problems let me know (or even better: open an issue).

Some things are still in development though (some feedback on this would be nice as well):

  1. Fan control is not yet implemented, since the fan control is either 0 (fully on), 1 (where PWM output is used), or 2 (closed loop, i.e. regulated by the hardware itself). So does this mean that I have to write a controller and use output 1? What would the controller for this look like on the Windows side?
  2. Reading of current clock values is done via sysfs and regex now. However, this could lead to some problems, I have noticed. I have seen that radeon-profile uses IOCTLs for this. Do you guys think this is the better route?
  3. Escalating privileges in the program, since I want the apply button to run as root basically. What is the best way to do this with Python and GTK3? Polkit? I could use some pointers on this.
  4. For anyone who could create a logo for the project, that would also be greatly appreciated.

For Arch/Arch-based users there should be an AUR package available now. However, this does not point to my testing branch yet.

Edit: here is a new screenshot.

Thank you all!

submitted by /u/Debian2323
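On point 3 (running the apply button as root): the usual pattern with a GTK application is to keep the GUI unprivileged and have it invoke a small root-only helper through `pkexec`, with a polkit action deciding which users may do so. The helper then becomes the trust boundary, so it must not trust anything the GUI hands it. The following is an added example for this thread, not WattmanGTK's code: the action id `org.example.wattmangtk.apply`, the attribute allow-list and the value grammars are assumptions for illustration (the `pp_od_clk_voltage` grammar follows the amdgpu documentation of the time and may differ per card). The point it demonstrates is that the sysfs path is assembled only from validated tokens and the value must match a per-attribute pattern, so even a malicious caller who can launch the helper cannot turn it into a write-anything-as-root primitive.

```python
"""Privileged apply-helper for a GTK GPU tuning tool.

Added example, not WattmanGTK's code. The GUI runs this through pkexec; a
polkit action (assumed id: org.example.wattmangtk.apply) authorises the
caller. Everything below the call is root, so every argument is validated.
"""
import re
import sys

SYSFS_ROOT = "/sys/class/drm"
CARD_RE = re.compile(r"card[0-9]+")

# Attributes the helper may write and the exact value syntax each accepts.
# Assumed allow-list for this example; the pp_od_clk_voltage grammar
# ("s|m <index> <MHz> <mV>", "r" = reset, "c" = commit) is the amdgpu
# documentation of the time and may differ on other cards.
ALLOWED_ATTRS = {
    "power_dpm_force_performance_level": re.compile(r"auto|low|high|manual"),
    "pp_power_profile_mode": re.compile(r"[0-9]{1,2}"),
    "pp_od_clk_voltage": re.compile(r"[sm] [0-7] [0-9]{3,4} [0-9]{3,4}|r|c"),
}


def resolve_target(card: str, attr: str, value: str) -> str:
    """Return the sysfs path to write, or raise ValueError if any part is not allowed."""
    if not CARD_RE.fullmatch(card):
        raise ValueError(f"bad card name: {card!r}")
    pattern = ALLOWED_ATTRS.get(attr)
    if pattern is None:
        raise ValueError(f"attribute not on the allow-list: {attr!r}")
    if not pattern.fullmatch(value):        # fullmatch: no trailing newline or shell junk
        raise ValueError(f"value {value!r} not valid for {attr}")
    # Built from validated tokens only, so "..", "/" or absolute paths cannot appear.
    return f"{SYSFS_ROOT}/{card}/device/{attr}"


def is_allowed(card: str, attr: str, value: str) -> bool:
    """Boolean form of resolve_target, for callers that only want a verdict."""
    try:
        resolve_target(card, attr, value)
        return True
    except ValueError:
        return False


def apply_setting(card: str, attr: str, value: str) -> str:
    """Validate, then perform the single privileged write. Returns the path written."""
    path = resolve_target(card, attr, value)
    with open(path, "w") as f:             # this is the only thing that needs root
        f.write(value + "\n")
    return path


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: wattmangtk-apply <cardN> <attribute> <value>")
    try:
        print("wrote", apply_setting(*sys.argv[1:]))
    except (ValueError, OSError) as e:
        sys.exit(f"refused: {e}")
```

The GUI would call `pkexec /usr/libexec/wattmangtk-apply card0 power_dpm_force_performance_level manual`, with a polkit `.policy` file whose `org.freedesktop.policykit.exec.path` annotation names that absolute path and whose `allow_active` default is `auth_admin_keep`, so the user authenticates once per session rather than per click. Install the helper root-owned and not writable by the user, and never let the GUI pass a path: the allow-list, not polkit, is what limits the damage if the caller is compromised.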

Users issue with VSFTPd

Mon, 2018-11-12 18:49

Hello everyone, I'm currently using:

- CentOS (updated to latest packages)

- no cPanel

- httpd

- openssh-server

- vsftpd

So the issue is that I can only access files with my first account "mike" (which was created during installation) and any other user added later (even if it's in the same group as "mike") won't be able to access files.

Specifically, other accounts are able to create, delete and move through folders, but can't list or upload anything at all.

Is there any way to enable other users to list, upload and download files?

Here's my configuration for VSFTPD:

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    ascii_upload_enable=YES
    ascii_download_enable=YES
    ftpd_banner=Hello!
    chroot_local_user=YES
    chroot_list_enable=NO
    listen=YES
    pam_service_name=vsftpd
    tcp_wrappers=YES
    use_localtime=YES
    local_root=/var/www/html/
    allow_writeable_chroot=YES

submitted by /u/ZioCain
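The configuration as posted, run through a small linter. This is an added example for this thread, not vsftpd's own tooling and not part of the post: it parses vsftpd's `key=value` format, flags the settings a reviewer would question (a writable chroot root, no TLS, legacy ASCII mode, an umask that makes uploads group-unwritable) and emits a corrected copy. The replacement values in `FIXES` are this example's suggestions; `ssl_enable=YES` additionally needs `rsa_cert_file`/`rsa_private_key_file` pointing at a certificate before vsftpd will start.

```python
"""Lint a vsftpd.conf for weak settings and emit a corrected copy.

Added example for this thread (not vsftpd tooling). POSTED_CONF is the
configuration from the post, one setting per line; the checks in lint()
and the values in FIXES are this example's review notes, not vsftpd defaults.
"""

POSTED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Hello!
chroot_local_user=YES
chroot_list_enable=NO
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
use_localtime=YES
local_root=/var/www/html/
allow_writeable_chroot=YES
"""

# Replacement values this example recommends.
FIXES = {
    "allow_writeable_chroot": "NO",     # keep the chroot root read-only ...
    "local_root": "/var/www/html",      # ... and let users write in a subdirectory of it
    "ssl_enable": "YES",                # also needs rsa_cert_file / rsa_private_key_file
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "local_umask": "002",               # group-writable uploads for a shared tree
}


def parse_conf(text: str) -> dict:
    """Parse vsftpd's key=value format; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint(conf: dict) -> list:
    """Return (setting, problem) pairs for the weak settings this example checks."""
    findings = []
    if conf.get("chroot_local_user") == "YES" and conf.get("allow_writeable_chroot") == "YES":
        findings.append(("allow_writeable_chroot",
                         "the chroot root is writable; vsftpd refuses this by default because "
                         "it undermines the chroot, so the override should go"))
    if conf.get("ssl_enable", "NO") != "YES":
        findings.append(("ssl_enable",
                         "passwords and data travel in cleartext; enable TLS and force it "
                         "for both logins and data"))
    if "YES" in (conf.get("ascii_upload_enable"), conf.get("ascii_download_enable")):
        findings.append(("ascii_*_enable",
                         "legacy ASCII mode rewrites line endings in transit (corrupting "
                         "binaries) and is rarely needed; switch it off"))
    if conf.get("write_enable") == "YES" and conf.get("local_umask", "077") == "022":
        findings.append(("local_umask",
                         "uploads land as mode 644, so other members of the group cannot "
                         "modify them; a shared tree wants 002 plus a setgid group directory"))
    return findings


def corrected(conf: dict) -> dict:
    """Apply FIXES on top of the parsed configuration."""
    return {**conf, **FIXES}


def render(conf: dict) -> str:
    return "".join(f"{k}={v}\n" for k, v in conf.items())


if __name__ == "__main__":
    posted = parse_conf(POSTED_CONF)
    for setting, problem in lint(posted):
        print(f"[weak] {setting}: {problem}")
    print("\n# corrected vsftpd.conf\n" + render(corrected(posted)))
```

With `allow_writeable_chroot` back to `NO`, the web root itself must be non-writable for the FTP users (root-owned, mode 755) and they get a group-owned, setgid, mode 2775 subdirectory to upload into; the `local_umask=002` pairs with that so one user's uploads stay editable by the rest of the group.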

Is Alpine Linux suitable for desktop PCs and laptops?

Mon, 2018-11-12 18:45

I've been using Alpine on a server before and I loved the simplicity.

There has been a discussion a year ago, but I've been wondering whether things have advanced since then.

I'm also interested in whether it is suitable for laptops, or whether it would be a hassle/impossible to install drivers, e.g. for this laptop:


submitted by /u/TwoUpper

power management, thermals, battery life... fine tuning is closer than we thought.

Mon, 2018-11-12 18:34

Hey guys.

I've found this quite interesting utility. It was made for server platforms, but I was able to start it on my laptop, a T440p with a Haswell 4910MQ. All I had to do was load the msr kernel module and add the CPU ID in the rapl.c file in the source.
I'm not a developer, but I'm sure that you guys can make a good tool to manage that stuff. This kind of functionality, with undervolting and integration with TLP, could be a huge step forward in power management.

submitted by /u/nitro9559

LVM usage

Mon, 2018-11-12 15:18

Hi Guys, I was wondering.

In my company, few IT people know LVM, and even fewer have installed/used it on their Linux servers.

Is it me who idealizes the use of LVM? I don't get why people skip that part.

submitted by /u/imarite