My Keyoxide Idendity:

aspe:keyoxide.org:TJXAWXPMSAG6VPARJQRWNB2TPA

  • 39 Posts
  • 1.22K Comments
Joined 8 months ago
cake
Cake day: April 11th, 2024

help-circle





  • Yeah because Flatpak firefox is damn insecure!

    Please dont use it. Firefox devs dont care. Flatpak restricts browsers from spawning “user namespace” sandboxes for filesystem isolation.

    Chromium uses a fork server (zygote) and breaks when it cannot spawn these sandboxes. So developers created zypak, which allows to isolate processes using bubblewrap, the Flatpak sandbox.

    Firefox just runs without a sandbox, and doesnt have a fork server, so nobody cares.

    Without process isolation, you have less duplicated content. This saves space but IT IS INSECURE.

    Please use a non-Flatpak Firefox version.

    There is no reason why a “Zen Browser” should use less RAM than Firefox.


    • use a non sudo user for the user
    • somehow get the IP address of that laptop all the time. There are dynDNS solutions like this where the client just needs to automatically download a certain file daily and you know his IP, my implementation is here.
    • have ssh access to root with a ssh key. The usual hardening, fail2ban, block using passwords
    • open the port for ssh on the clients system

    If something goes wrong, login via ssh (you know the dynamically changing IP) and remove a directory or the entire user.

    You cannot avoid that a user would copy files from there to a usb stick. Well you could, by using usbguard. Works really well in my experience, just prevent nonsudo users from adding new devices.

    And then you need to prevent the user from booting another system, or taking out the SSD and reading it. TPM and boot lock is the right thing here, what Max-P wrote.







  • Oooh crazy!

    You didnt layer aurora on bazzite, you rebased.

    This is very problematic and I didnt know this could happen. OCI images dont have a concept of “removing packages”. Instead, they are always removed on the local system.

    The firefox issue is uBlue people being weird. They remove it, preventing anyone from installing it. Instead you need to use the firefox tar archive from their website, works well too but is kinda random as you need to place it in some nonstandard folder.

    Steam is interesting. Please report that. I am not sure how these things work but my theory is that the installer (anaconda) wrote the system to your PC with the default configuration (with steam).

    Then you rebased to Aurora but the system was still originally Bazzite. Which is odd, ai thought there was no such state. Please report that to them!

    My idea is to rebase to their main image and then back to aurora. This may remove this steam error. The main images also still have firefox and just the codecs etc added, so I can recommend them.

    UBlue removed the instructions on how to do that from their website with the redesign.

    Use the rebase command you used, but use ublue-os/kinoite-main:latest instead of ublue-os/aurora:latest in the rebase command.

    Then rebase back to aurora after a reboot. But tbh I didnt like Aurora it is weird and kinda random. I like ujust and yafti though. I am on Fedora Kinoite with a huge set of layers. Works very fine too, still worlds faster than Windows updates LOL



  • Well often the answer is just to layer stuff. It is not true that containers fix everything, and rpm-ostree is a tool that manages RPMs.

    rpm-ostree install steam \
    libvirt-daemon-driver-network \
    libvirt-daemon-driver-nodedev \
    libvirt-daemon-driver-qemu \
    libvirt-daemon-driver-storage-core \
    qemu-audio-spice \
    qemu-char-spice \
    qemu-device-display-qxl \
    qemu-device-display-virtio-gpu \
    qemu-device-display-virtio-vga \
    qemu-device-usb-redirect \
    qemu-system-x86-core
    

    After reboot

    systemctl --now enable virtnetworkd.service
    systemctl --now enable virtqemud.service
    

    Source