Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.gamedev.place/users/AngryAnt/statuses/113849544342916400">Emil "AngryAnt" Johansen (angryant@mastodon.gamedev.place)'s status on Monday, 20-Jan-2025 00:14:50 JST</a><a href="https://mastodon.gamedev.place/@AngryAnt" title="angryant@mastodon.gamedev.place"><img src="https://gnusocial.jp/avatar/133955-48-20230603214945.webp" width="48" height="48" alt='Emil "AngryAnt" Johansen' style="position: absolute; left: 0; top: 0;">Emil "AngryAnt" Johansen</a><div><a href="https://graz.social/@publicvoit/113845978573370207" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/73592" title="raboof@merveilles.town">raboof</a></li></ul></div></section><article><p><a href="https://graz.social/@publicvoit">@publicvoit</a> <a href="https://merveilles.town/@raboof">@raboof</a> Mitigations to avoid that initial foothold include:<br>- Having most systemd services configured via NixOS options run with DynamicUser set, enabling lots of system isolation: <a href="https://unix.stackexchange.com/questions/635027/systemd-dynamicuser-vs-user#635036" rel="nofollow noreferrer">https://unix.stackexchange.com/questions/635027/systemd-dynamicuser-vs-user#635036</a><br>- The nature &amp; implementation of the nix store precludes whole classes of common exploits like library/dll injection and malicious patching.<br>- You can comparatively easily add further isoation to potential entry points by declaring them in NixOS containers.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4404176#notice-8615333">In conversation</a><time datetime="2025-01-20T00:14:50+09:00" title="Monday, 20-Jan-2025 00:14:50 JST">about 5 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/8615333" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/8615333">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: cdn.sstatic.net</div><h5><a href="https://unix.stackexchange.com/questions/635027/systemd-dynamicuser-vs-user#635036">systemd DynamicUser vs User</a></h5><div></div></header><div>To run processes without root privileges you can use DynamicUser= or a static user with User= in systemd.
A good explanation for DynamicUser can be found in this blog post: http://0pointer.net/blog/</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Emil "AngryAnt" Johansen (angryant@mastodon.gamedev.place)'s status on Monday, 20-Jan-2025 00:14:50 JSTEmil "AngryAnt" Johansen
in reply to
- Karl Voit :emacs: :orgmode:
- raboof
@publicvoit @raboof Mitigations to avoid that initial foothold include:
- Having most systemd services configured via NixOS options run with DynamicUser set, enabling lots of system isolation: https://unix.stackexchange.com/questions/635027/systemd-dynamicuser-vs-user#635036
- The nature & implementation of the nix store precludes whole classes of common exploits like library/dll injection and malicious patching.
- You can comparatively easily add further isoation to potential entry points by declaring them in NixOS containers.
In conversationabout 5 months ago from gnusocial.jppermalink
Attachments
1. Domain not in remote thumbnail source whitelist: cdn.sstatic.net
  systemd DynamicUser vs User
  To run processes without root privileges you can use DynamicUser= or a static user with User= in systemd. A good explanation for DynamicUser can be found in this blog post: http://0pointer.net/blog/

Public

Embed Notice

HTML Code

Corresponding Notice