GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Emil "AngryAnt" Johansen (angryant@mastodon.gamedev.place)'s status on Monday, 20-Jan-2025 00:14:50 JST

  1. Embed this notice
    Emil "AngryAnt" Johansen (angryant@mastodon.gamedev.place)'s status on Monday, 20-Jan-2025 00:14:50 JST Emil "AngryAnt" Johansen Emil "AngryAnt" Johansen
    in reply to
    • Karl Voit :emacs: :orgmode:
    • raboof

    @publicvoit @raboof Mitigations to avoid that initial foothold include:
    - Having most systemd services configured via NixOS options run with DynamicUser set, enabling lots of system isolation: https://unix.stackexchange.com/questions/635027/systemd-dynamicuser-vs-user#635036
    - The nature & implementation of the nix store precludes whole classes of common exploits like library/dll injection and malicious patching.
    - You can comparatively easily add further isoation to potential entry points by declaring them in NixOS containers.

    In conversation about 12 days ago from gnusocial.jp permalink

    Attachments

    1. Domain not in remote thumbnail source whitelist: cdn.sstatic.net
      systemd DynamicUser vs User
      To run processes without root privileges you can use DynamicUser= or a static user with User= in systemd. A good explanation for DynamicUser can be found in this blog post: http://0pointer.net/blog/

Feeds

  • Activity Streams
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.