Posts: 0 · Comments: 311 · Joined: 2 yr. ago

  • The only thing that makes this case worse in docker is that more info is in ENV variables. The vulnerability has nothing to do with containers though, and using ENV variables to provide sensitive data is in general a bad decision, since they can be leaked to any process with /proc access.

    Unfortunately, ENV is still a common way which people use to pass data to applications inside containers, but it is not in any way a requirement imposed by the tech.
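An added example illustrating the point in the comment above (not code from the commenter or any project): `/proc/<pid>/environ` exposes a process's environment as NUL-separated `KEY=VALUE` entries, so an audit of what a workload puts in its environment uses the same parser. The sample environ blob is constructed; the name patterns and the `_FILE` convention (pointing at a secret mounted on disk instead of carrying the value) are this example's own assumptions.

```python
"""Audit an environment block for secret-looking variables.

Added example, not code from any project. The sample environ blob below is
constructed; /proc/<pid>/environ uses the same NUL-separated KEY=VALUE
layout, so parse_environ() applies unchanged to a real one.
"""
import re

# Variable names that usually mean "this value should not be in the env".
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIALS?)",
    re.IGNORECASE,
)
# The shape to prefer instead: a path to a secret mounted on disk with tight
# permissions, conventionally named FOO_FILE (assumed convention).
FILE_REF_SUFFIX = "_FILE"


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_env_secrets(env: dict[str, str]) -> list[str]:
    """Return variable names whose name suggests they carry a secret value
    directly (a *_FILE path to one is the recommended shape and is skipped)."""
    hits = []
    for name in sorted(env):
        if name.endswith(FILE_REF_SUFFIX):
            continue  # a path to a secret, not the secret itself
        if SECRET_NAME_RE.search(name):
            hits.append(name)
    return hits


# Constructed sample of what a container's PID 1 environment often looks like.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\0"
    b"HOSTNAME=web-1\0"
    b"DB_PASSWORD=hunter2-example\0"
    b"API_TOKEN=example-token-value\0"
    b"DB_PASSWORD_FILE=/run/secrets/db_password\0"
    b"LANG=C.UTF-8\0"
)

if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    for name in find_env_secrets(env):
        print(f"secret-like variable in environment: {name}")
```

Run against the constructed sample it reports `API_TOKEN` and `DB_PASSWORD` but not `DB_PASSWORD_FILE`, which is the shape that keeps the value out of the environment and behind file permissions.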

  • There are various types of "spaghetti", from the thin ones to quite thick, then vermicelli, spaghetti quadrati, spaghetti alla chitarra etc. Definitely you can't replace spaghetti with fettuccine in all instances, IMHO.

    That said, I am team vermicelli (which are thicker). But spaghetti from a good pasta brand (for supermarket stuff, say Rummo, Liguori) are just another thing compared to the Barilla stuff.

  • Sorry for the late answer. My point is that the problem is upstream of the issue of quoting/not quoting. A person who gets convinced by a nazi/antisemitic slogan is already a problem in itself. The quote is one of the N ways that person can be exposed to ideas that underneath they already support, and I don't think this is a good reason to change the way that we talk about some issues. In other words, even if someone "gets recruited" by the quote, this is merely surfacing the problem, it's not creating it.

  • +1 for Kagi. I think they have a smaller subscription too. Also not too long ago they changed the $10 subscription from 700 searches/month to unlimited, which gives hope that they might improve the pricing over time.

    As a side note, it is surprising how many searches one does during the month! I thought I did thousands per month, turns out I am always between 200 and 400!

  • OK :)

    So chroot has not been used for decades to isolate processes to a confined view of the filesystem (especially in combination with a restricted shell), and for example the networking namespace is not used to limit the impact of a compromise on the firewall, the user namespace is not used to allow privileged processes to run de facto unprivileged.

    Whatever you say

    EDIT: Actually, if you are really convinced of what you are saying we can do the following experiment:

    • We spin up a VPS and run a web application with an RCE with a systemd unit, and run the same web app in a scratch container running under an unprivileged user

    Then we can compare the kind of impact that using containers to wrap applications has on the security of the system. My guess, even with a full RCE you will not be able to escape the container.

    Half-jokes aside, my stance is that isolation (namespacing and cgroups) allows you to greatly reduce the attack surface and contain the blast radius of a compromise, which are security benefits. You can easily have a container with no shell, no binaries at all, no writable paths, read-only filesystem etc. You can do at least some of those things even in a regular Linux box of course, but it is much more uncommon, much harder, much less convenient (for example, no writable /tmp is going to break a lot of stuff), much more error prone, etc.

    Your stance i.e.:

    running things inside of a container does not provide any security benefits as opposed to outside of the container

    is way too absolute, imo.

  • Not really true, containers are based on namespaces which have always also been a security feature. Chroot has been a common "system" technique, after all.

    Containers help security if built properly, and it's easier to build a container securely (and run them), compared to proper systemd unit security.

  • tl;dr, yes, it does.

    Containers are nothing like VMs, and containers in Linux are basically a combination of a feature called cgroups, which allows restricting the resources (like memory, etc.) available to a process or group of processes, and namespaces. Namespaces are a construct in which certain namespaced resources are separated from each other, and processes can only see those belonging to their namespace. A simple example is a mount namespace. When you launch a container, you see a / directory which is not the root directory of your system.

    Now, the problem is, that not all the resources are namespaced, so there is still quite a lot that processes within containers can do interacting with the main system resources, especially if they are root.

    A root process within a container generally can do lots of things that the actual root process can do outside of it. For example, mounting parts of the filesystem (if you run with --privileged), loading kernel modules, etc. Podman can run rootless, in the sense that it also uses user namespaces, meaning a user 0 (root) inside a container is actually mapped to something else outside, but docker nowadays can do the same too.

    So yeah, in general, running the applications with the least amount of privileges is a good idea and you should do it whenever you can. Even if you do need some privileges, you should add only the capabilities needed, not just go straight to root.
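An added example (not the commenter's code or any project's) for the "add only the capabilities needed, not just go straight to root" point above and for the "easier to build a container securely" comment: it decodes the `CapEff` bitmask from a `/proc/<pid>/status` file (bit numbers as in `<linux/capability.h>`), reads `Uid` and `NoNewPrivs` from the same file, and reports which effective capabilities exceed the set the workload actually needs. The two status files are constructed; the first carries the `00000000a80425fb` mask, which is the default capability set Docker grants a container, the second a hardened profile (non-root uid, `no_new_privs`, only `CAP_NET_BIND_SERVICE`). The "needed" set is an assumption for a web server binding port 80.

```python
"""Decode Linux capability sets from /proc/<pid>/status text and flag
capabilities a workload does not need.

Added example, not code from any project. The two status samples below are
constructed; on a live system, read /proc/<pid>/status of the container's
main process and pass its text to audit_process().
"""

# Capability bit numbers from <linux/capability.h>: index == bit (0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(mask_hex: str) -> set[str]:
    """Turn a CapEff/CapBnd hex mask into the set of capability names."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    # Bits newer than this table (future kernels) are reported by number.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(f"CAP_{bit}")
    return names


def parse_status(text: str) -> dict[str, str]:
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_process(status_text: str, needed_caps: set[str]) -> dict:
    """Report uid, no_new_privs and effective capabilities beyond needed_caps."""
    f = parse_status(status_text)
    effective = decode_caps(f.get("CapEff", "0"))
    real_uid = int(f.get("Uid", "0").split()[0])  # uid as seen in its user ns
    return {
        "name": f.get("Name", "?"),
        "runs_as_root": real_uid == 0,
        "no_new_privs": f.get("NoNewPrivs", "0") == "1",
        "effective": effective,
        "excess": effective - set(needed_caps),
    }


# Constructed sample: root inside the container, default Docker capability set.
DEFAULT_ROOT_STATUS = (
    "Name:\twebapp\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "NoNewPrivs:\t0\nCapEff:\t00000000a80425fb\n"
)
# Constructed sample: unprivileged uid, no_new_privs, a single capability.
HARDENED_STATUS = (
    "Name:\twebapp\nUid:\t10001\t10001\t10001\t10001\nGid:\t10001\t10001\t10001\t10001\n"
    "NoNewPrivs:\t1\nCapEff:\t0000000000000400\n"
)
NEEDED_FOR_WEB = {"CAP_NET_BIND_SERVICE"}  # assumed: only binding port 80

if __name__ == "__main__":
    for label, status in (("default", DEFAULT_ROOT_STATUS), ("hardened", HARDENED_STATUS)):
        r = audit_process(status, NEEDED_FOR_WEB)
        print(f"[{label}] root={r['runs_as_root']} no_new_privs={r['no_new_privs']} "
              f"excess={sorted(r['excess'])}")
```

The default profile decodes to 14 capabilities, 13 of them unneeded for the assumed workload (`CAP_NET_RAW`, `CAP_MKNOD`, `CAP_SYS_CHROOT`, ...), while `CAP_SYS_ADMIN` is absent even there, which matches the comment's point that root in a container is not the host's root unless run with `--privileged`. The hardened profile has no excess at all.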

  • Privacy and anonymity are different things. As long as nobody besides you and the intended destination(s) has access to the content of your communication, that communication maintains privacy, even if everyone sees that it's you talking.

    Also, and this is something I mention all the time, the only information this gives is that you use Signal. Besides that, as soon as anybody else registered your phone in their contact list, your phone number is already known and associated with you, considering that many apps (like all the Meta ones) gain access to the contact list and the chance that anybody who has your phone number uses one of those is almost 100%.

  • The points you raise are true, but honestly they are not a deal breaker. There are many hosting companies and domain companies, with different policies. Also, a website can be served by anything, changing domain and hosting is a nuisance, but it is something that can be done almost instantly. Of course this is similar to creating a different account on social media platforms, but the difference is that the website runs on an open protocol, which is not the case for some social media.

    Also I assume that when people say that websites enable expression, it also means that you can customize absolutely every aspect of the website, including the look and feel, which is still part of your expression.

  • You don't care until "bigotry" means what you think it means and not what someone else thinks, or until the same principle is pushed by other groups who happen to not care if "songs or artists perpetuating ____ get censored".

    There is already a problem with monopoly in terms of which music is available, I can't wait to have those companies decide even more which songs can be published based on totally arbitrary principles and without any accountability. I am pretty sure that articles about this trash song will have the consequence of generating more listens than if this was just ignored. I, for one, would have never known this song existed without this article, and now I am fairly curious to go check the lyrics to get a better idea about the article itself. Streisand effect and all...

  • "Italy" did not, a minority of people, who did for all kinds of different reasons, did. A subset of those is probably nostalgic.

    Meloni's party benefited from the fall of the other right wing parties. The core base, which is probably what I would call fascists, is probably close to the usual % her party was getting a few years back: 3-5%.

    Anyway, this has nothing to do with "being a fascist country". Words have meaning, and a fascist country is a dictatorship in which freedom of press does not exist, where minorities and political opposition is systematically repressed, killed, silenced, etc. Thankfully, we are still very far from that.

  • If you read about this matter, you would know very well that the matter is way more complex than "he did not want to stand trial". The whole matter is very well described by Stefania Maurizi (a journalist who cooperated with Wikileaks) in her book "Secret Power". Both the Swedish and the UK government bear huge responsibility for how (badly) that case was handled.

  • Meloni has still been voted by a minority of people, considering the incredibly low turnout in the last elections. "Fascist" country seems very much pulled from your ass, especially when talking about something started by the previous city government of Rome.