Kata1yst

That’s called ‘privilege escalation’, and replacing system level calls with user level calls is closely watched for and guarded against with many different security measures including SELinux.

You’ve already outed yourself multiple times in this thread as someone who doesn’t understand how security in the real world works. Take the L and try to learn from this. It’s okay not to understand something. But it’s very important to recognize when that happens and not claim to understand better than someone else.

I strongly disagree with your premise. Separating authentication and privilege escalation adds layers of security that are non-trivial and greatly enhance resilience. Many attacks are detected and stopped at privilege escalation, because it happens locally before a user can stop or delete the flow of logs.

If I get into your non-privileged account I can set up a program that acts like sudo

No you cannot. A non privileged user doesn’t have the access necessary to run a program that can accomplish this.

And even if they do it’s too late anyway because I’ve just compromised root and locked everybody out and I’m in there removedting on the filesystems or whatever. Because root can do anything.

Once again, you didn’t privilege escalate, because once you have a foothold (authentication) you don’t have the necessary privileges, so you must perform reconnaissance to identify an exploitable vector to privilage escalate with. This can be any number of things, but it’s always noisy and slow, usually easy to detect in logs. There is a reason the most sophisticated attacks against well protected targets are “low and slow”.

And if I can’t break into your non-privileged account then I can’t break into a privileged account either.

You’re ignoring my points given regarding the risks of compromised keys. If there are no admin keys, there are no remote admin sessions.

These artificial distinctions between “non-privileged” and “superuser” accounts need to stop. This is not good security, this is not zero trust. Either you don’t trust anybody and enforce explicit privilege escalation for specific things, or just accept that you’re using a “super” paradigm and once you’ve got access to that user all bets are off.

Spoken like someone who has never red teamed or purple teamed. Even admin accounts are untrusted, given only privileges specific to their role, and closely monitored. That doesn’t mean they should have valid security measures thrown away.

Wouldn’t separate SSH keys achieve the same?

Separate ssh keys for the user and the admin? Yeah, see point 2, admins should not be remotely accessible.

Really? How, exactly? Break the ssh key authentication? And wouldn’t that apply to all accounts equally?

Keys aren’t perfect security. They can easily be mishandled, sometimes getting published to GitHub, copied to USB drives which can easily be lost, etc.

Further, there have been attacks against SSH that let malicious actors connect remotely to any session, or take over existing sessions. By not allowing remote access on privileged accounts, you minimize risk.

Forcing a non privileged remote session to authenticate with a password establishes a second factor of security that is different from the first. This means a cracked password or a lost key is still not enough for a malicious actor to accomplish administrative privileges.

A key is something you have

A password is something you know

So, by not allowing remote privileged sessions, we’re forcing a malicious actor to take one more non-trivial step before arriving at their goals. A step that will likely be fairly obvious in logs on a monitored machine.

On a server, it allows you to track who initiates which root season session. It also greatly minimizes the attack surface from a security perspective to have admin privileged accounts unable to be remotely connected to.

If you’re trying to use it as a workstation or a laptop, you won’t find much compelling. It’s built with the intent to act as a server. In fact, as a web server or networking server it’s second to none.

Administrating BSD is lovely. It’s well documented and everything is very stable, understandable, and predictable.

“We had a huge chunk of our engineering staff spending time improving FreeBSD as opposed to working on features and functionalities. What’s happened now with the transition to having a Debian basis, the people I used to have 90 percent of their time working on FreeBSD, they’re working on ZFS features now … That’s what I want to see; value add for everybody versus sitting around, implementing something Linux had a years ago. And trying to maintain or backport, or just deal with something that you just didn’t get out of box on FreeBSD.”

I still hold much love for FreeBSD, but this is very much indicative of my experience with it as well. The tooling in FreeBSD, specifically dtrace, bhyve, jails, and zfs was absolutely killer while Linux was still experiencing teething problems with a nonstandard myriad of half developed and documented tools. But Linux has since then matured, adopted, and standardized. And the strength of the community is second to none.

They’ll be happier with Linux.

https://en.wikipedia.org/wiki/HTTP%2F3?wprov=sfla1

I was actually surprised to find out QUIC is fairly close to being default.

Wikipedia

HTTP/3 uses QUIC, a multiplexed transport protocol built on UDP.

HTTP/3 is (at least partially) supported by 97% of tracked web browser installations (thereof of 98% of “tracked mobile” web browsers), and 29% of the top 10 million websites.

Used to be the best way to get performant graphics on Linux.

Like, 8 years ago.

I like kitty, but it’s configuration system is completely nuts.

Alacritty was good, but had weird issues with fonts for me.

I ended up on Wezterm. Lots of modern features, performance, stability, and awesome configurability.

I use the Kishi and combined with the Steam Link app I’m hard pressed to understand why my friends all keep buying Steam Decks.

Just an offhand idea. If you look at the print in the thumbnail, you can see that while this clever brick-interleaving has eliminated the straight lines along the xy plane, the Z axis still has straight lines. Eliminating that so you have a “brick-interleaving” in all axis seems the most optimal.

Now we just need half-width extrusions on the outer wall!

Zettlr for technical writing into any format.

Obsidian for a second brain based on the molecular notes method. And yes, I’ve tried all of the FOSS alternatives. None are ready to replace Obsidian yet.

Wallabag for saving resources offline for easy and permanent reference.

Lunarvim for actually sitting down to work instead of fiddling with and optimizing my setup.

In my experience, nope. I tried so hard to use Logseq, but I had massive issues with speed, stability, and database corruption.

Really I think the root of the issue is their database. The database causes so many problems and makes their synchronization methods dirty hacks at best.

Why not a K8s cluster? Much more appropriate for modern software.

Development is happening in the dev’s branches. Branches are generally kept local until submitted for a PR. You can easily see this in the origin branches and open PRs.

Honestly I’m not sure if you’re trolling, don’t understand git development, or if you really think that a project needs to iterate main multiple times per month to be your definition of “healthy open source”, but I’m tired of shooting down such lazy attacks and won’t be responding further.

Have a nice day.

What obscure location? Codeberg?

All the activity is open on Codeberg. You can see every member of that team actively merging and reviewing requests.

Why do you assume that? Why is your way of open source the right way?

All open source projects are run by a small team of people reviewing and accepting, rejecting, and prioritizing work. What part of this project’s methodology bothers you?

He did though. And honestly the website has come very far in a short period of time, I really don’t understand the concerns and whining in this thread…

From codeberg-

Core Team

• ernest
• szsz
• cooperaj
• rideranton
• AnonymousLlama

https://codeberg.org/org/Kbin/teams

Design Team

• cody