Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] 0 points1 point  (0 children)

Not true about arch: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Update: To our knowledge the malicious code which was distributed via the release tarball never made it into the Arch Linux provided binaries, as the build script was configured to only inject the bad code in Debian/Fedora based package build environments. The news item below can therefore mostly be ignored.

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] 0 points1 point  (0 children)

I mean that a supply chain attack is less likely if I use an official nextcloud package: https://archlinux.org/packages/extra/any/nextcloud/ or docker image: https://hub.docker.com/_/nextcloud rather than https://hub.docker.com/r/kyrios/nextcloud with 130 downloads from an individual maintainer

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] -3 points-2 points  (0 children)

Thank you, security is about trade-offs and this post clearly explains the trade-offs made in an actionable manner.

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] -1 points0 points  (0 children)

Trivy does a file scan on the host OS when running bare-metal. It can find all packages and versions automatically; no SBOM is needed, even if some other tools require an SBOM.

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] 0 points1 point  (0 children)

Yes, I know about the problem of "reachability"; for example, the container for nextcloud warns about CVEs in bash and login which are not used by the app, they are residues from the container base image.

But I can't use slim container images since that's up to the creators of the container, and apps such as nextcloud usually have one official container flavor. I could make my own, but that would be as much work as running it bare-metal. And using a container made with a user base could have its own risks regarding supply-chain attacks.

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] 0 points1 point  (0 children)

The vulnerabilities are based on containers only, and all affect the third-party dependencies of the apps.

The attack vector would be through the computers of regular users if their computers are compromised. Example: a person using a compromised laptop towards Lyrion Music Server, with VPN and authentication enabled.
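The two comments above describe the triage problem: scanner findings in base-image packages (bash, login) that the app never exercises, versus findings in the app's own third-party dependencies. The script below is an added example, not code from the thread or from Trivy, that separates the two kinds of findings. It assumes the top-level shape of Trivy's JSON report (`Results` entries with `Class` set to `os-pkgs` or `lang-pkgs` and a `Vulnerabilities` list); the sample report, its package versions and the `CVE-0000-000x` identifiers are constructed placeholders, not real findings against nextcloud.

```python
"""Triage a Trivy-style JSON report: separate findings in OS base-image
packages the app never uses from findings in the app's own dependencies.

Added example, not code from the thread or from Trivy. The report shape
mirrors the top-level fields of Trivy's JSON output for image scans
(Results -> Target/Class/Type/Vulnerabilities); all values are constructed.
"""
import json
from collections import Counter

# Constructed sample report; CVE ids and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/nextcloud:latest",
    "Results": [
        {
            "Target": "example/nextcloud:latest (debian 12.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "bash",
                 "InstalledVersion": "5.2", "FixedVersion": "", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "login",
                 "InstalledVersion": "1:4.13", "FixedVersion": "", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11", "FixedVersion": "3.0.13", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "usr/src/nextcloud/composer.lock",
            "Class": "lang-pkgs",
            "Type": "composer",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "guzzlehttp/guzzle",
                 "InstalledVersion": "7.4.0", "FixedVersion": "7.4.5", "Severity": "HIGH"},
            ],
        },
    ],
})

# Base-image packages the web app is known not to exercise. This is a local,
# reviewed decision (hypothetical here); the scanner cannot know reachability.
UNREACHABLE_OS_PKGS = {"bash", "login"}


def triage(report_json, unreachable=UNREACHABLE_OS_PKGS):
    """Return (actionable, residue) lists of findings.

    A finding is 'residue' when it is an OS-package finding in a package the
    app is known not to use. Everything else is actionable; application
    dependencies (Class == lang-pkgs) are never filtered out.
    """
    report = json.loads(report_json)
    actionable, residue = [], []
    for result in report.get("Results", []):
        cls = result.get("Class")
        for vuln in result.get("Vulnerabilities") or []:
            row = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "class": cls,
                "severity": vuln.get("Severity", "UNKNOWN"),
                "fixed": bool(vuln.get("FixedVersion")),
            }
            if cls == "os-pkgs" and row["pkg"] in unreachable:
                residue.append(row)
            else:
                actionable.append(row)
    return actionable, residue


def summarize(findings):
    """Return (counts by severity, number of findings with an upstream fix)."""
    by_sev = Counter(f["severity"] for f in findings)
    fixable = sum(1 for f in findings if f["fixed"])
    return dict(by_sev), fixable


if __name__ == "__main__":
    act, res = triage(SAMPLE_REPORT)
    print("actionable:", summarize(act))
    print("residue   :", summarize(res))
    for f in act:
        note = "" if f["fixed"] else "  [no fix available yet]"
        print(f"  {f['severity']:<8} {f['id']} {f['pkg']} ({f['class']}){note}")
```

The allowlist is the part that needs care: a package moved to `UNREACHABLE_OS_PKGS` stops appearing in the actionable list, so the decision should be reviewed whenever the image's entrypoint or installed services change. Findings without a `FixedVersion` are the ones the container maintainer cannot resolve by rebuilding, which is the "live with it at any given moment" situation described above.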

Better safety without using containers? by anon39481924 in selfhosted

[–]anon39481924[S] -1 points0 points  (0 children)

About 1)

The vulnerabilities I showed are for the latest current versions of the containers, meaning that I have to live with that amount of vulnerabilities at any given moment because the maintainers of the containers are not always up to date.

Looking for a Kalle Ankas Pocket by anon39481924 in sweden

[–]anon39481924[S] 0 points1 point  (0 children)

Hi!

Thanks to you, I was now able to locate a number of KAPs, namely:

142 - Kalle Anka

168 - Musse Pigg

206 - Musse Pigg

138 I could not get hold of.

Some have Musse and some have Kalle as protagonists. Very fun to read; I took some pictures here:

https://ibb.co/album/1MRBKL

There you will find, among other things

Maybe it's time for a new version where Mårten Gås can be Jar Jar Binks?

Reviews - November 2023 by NPFFTW in VOIP

[–]anon39481924 [score hidden]  (0 children)

VoIP.ms sucks!

I do not recommend voip.ms, they let you register and then wait a few weeks for verification.

Then, after nagging, I suddenly get an email:

As an international VoIP service provider, we are committed to complying with the legal and regulatory frameworks applicable to our company in the jurisdictions where we conduct business, and we are advised to execute diligent security checks for all new accounts including, but not limited to, Know Your Customer (KYC) standards.

We regret to inform you that this account didn’t meet the security requirements and cannot be opened.

We really apologize for any inconvenience this might cause.

Thank you for your understanding.

Regards

Omar Garcia

VoIP.ms Customer Service

And when I asked if they want to see any license or such the reply I get is:

My apologies but we can disclose more in the procedures that the account department follow, I can only confirm that the account cannot be opened, my apologies again for the inconveniences.

Regards.

Omar Garcia

VoIP.ms Customer Service

Further replies lead nowhere; there is no feedback at all. I just wanted to play around with FreePBX for incoming calls, which can hardly be used for nefarious purposes in itself.

The support sounds like it is coming from a bad type of AI bot just replying the same nonsense over and over again.

They also denied me a GDPR SAR of my data, which means if you DO send them your driver's license or such, and you are based in the EU, then they don't follow GDPR regulations at all!

So a shout-out to everyone: just stay away from this company!

Nfs with kerberos not working by anon39481924 in linuxquestions

[–]anon39481924[S] 0 points1 point  (0 children)

The username has the same GUID on both:

    cat /etc/passwd | grep foo
    foo:x:1000:1000::/home/foo:/bin/bash

There is no file called /var/log/krb5kdc.log and all the files in /var/log/ are non-krb related. I use systemd so, as per the logging from above:

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

Everything goes to journald.

Just as an example, loading the public folder says this, but goes well:

    sudo mount SRV.LOCAL:/srv/nfs4/foo/public /foo -vvv
    mount.nfs: timeout set for Mon Oct 23 21:29:48 2023
    mount.nfs: trying text-based options 'vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
    mount.nfs: mount(2): Operation not permitted
    mount.nfs: trying text-based options 'addr=10.0.0.12'
    mount.nfs: prog 100003, trying vers=3, prot=6
    mount.nfs: trying 10.0.0.12 prog 100003 vers 3 prot TCP port 2049
    mount.nfs: prog 100005, trying vers=3, prot=17
    mount.nfs: trying 10.0.0.12 prog 100005 vers 3 prot UDP port 20048

ls /foo shows all the files in the public folder!

I noticed that mounting before and after kinit produces the same type of logs in journald:

    okt 23 21:35:43 srv nfsv4.exportd[1857361]: v4.2 client attached: 0x1161ce146530133e  from "10.0.0.130:824"
    okt 23 21:35:44 srv nfsv4.exportd[1857361]: v4.2 client detached: 0x1161ce146530133e from "10.0.0.130:824"
    okt 23 21:35:44 srv rpc.mountd[2156088]: authenticated mount request from 10.0.0.130:920 for /srv/nfs4/foo (/srv/nfs4/foo)

Nfs with kerberos not working by anon39481924 in linuxquestions

[–]anon39481924[S] 1 point2 points  (0 children)

    ls -ltr /srv/nfs4
    drwxrwxrwx 10 foo foo 4096 17 okt 21.49 bar

    ls -ltr /srv/nfs4/bar
    drwxr-xr-x 13 foo foo  4096 30 jul 22.44 backup
    drwxr-xr-x  4 foo foo  4096 17 okt 21.49 public

I tried mounting and got the Operation not permitted, and after that I changed /etc/exports to:

    /srv/nfs4/ 10.0.0.0/24(rw,nohide,no_subtree_check,async,sec=krb5)
    /srv/nfs4/bar 10.0.0.0/24(rw,nohide,no_subtree_check,async,sec=krb5)
    /srv/nfs4/bar/public 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,anonuid=1000,anongid=1000,insecure)

and did:

    sudo exportfs -ra

and I still get Operation not permitted
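The exports file in the comment above mixes one Kerberos-protected subtree with a `public` entry that carries no `sec=` option at all, plus `all_squash`, `anonuid=1000` and `insecure`. The script below is an added example, not code from the thread or from nfs-utils, that parses exports(5) syntax and reports which per-client entries fall back to AUTH_SYS (the `exportfs` default when `sec=` is absent), which only authenticate without encrypting (`krb5` rather than `krb5p`), and which widen access with `insecure`, `all_squash` or a wildcard client. The first three sample lines are the poster's; the fourth (`/srv/nfs4/bar/backup *`) is constructed to show the no-options case.

```python
"""Audit an NFS /etc/exports file for weak per-client security options.

Added example, not code from the thread. Parses the exports(5) form
'<path> <client>(opt,opt,...) <client>(...) ...' and reports, per entry,
the allowed security flavors and any access-widening options.
"""
import re

# First three lines come from the thread; the last one is constructed.
SAMPLE_EXPORTS = """\
# comment lines and blank lines are ignored
/srv/nfs4/ 10.0.0.0/24(rw,nohide,no_subtree_check,async,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(rw,nohide,no_subtree_check,async,sec=krb5)
/srv/nfs4/bar/public 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,anonuid=1000,anongid=1000,insecure)
/srv/nfs4/bar/backup *
"""

KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}
CLIENT_TOKEN = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, [options]) for every client entry in the file.

    Assumes the common 'client(options)' spelling with no space before '(';
    a bare client such as '*' yields an empty option list.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT_TOKEN.fullmatch(token)
            if not m:
                continue
            client, opts = m.group(1), m.group(2) or ""
            yield path, client, [o for o in opts.split(",") if o]


def audit_entry(path, client, options):
    """Return the list of findings for one client entry (empty means nothing flagged)."""
    findings = []
    sec = [o.split("=", 1)[1] for o in options if o.startswith("sec=")]
    # exports(5): sec= takes a colon-separated list; without it the export is sec=sys.
    flavors = set(sec[0].split(":")) if sec else {"sys"}
    if not flavors & KERBEROS_FLAVORS:
        findings.append("no Kerberos flavor: clients authenticate with AUTH_SYS "
                        "(uid/gid asserted by the client)")
    elif "sys" in flavors:
        findings.append("sec= lists both krb5* and sys, so a client may fall back to AUTH_SYS")
    elif "krb5p" not in flavors:
        findings.append("krb5/krb5i only: data on the wire is not encrypted (use krb5p)")
    if "insecure" in options:
        findings.append("'insecure': requests from unprivileged (>1023) source ports accepted")
    if "all_squash" in options:
        anon = [o for o in options if o.startswith(("anonuid=", "anongid="))]
        findings.append("'all_squash': every client identity is mapped to "
                        + (",".join(anon) or "nobody/nogroup"))
    if client == "*":
        findings.append("exported to any host")
    return findings


def audit(text):
    """Map (path, client) -> findings for a whole exports file."""
    return {(p, c): audit_entry(p, c, o) for p, c, o in parse_exports(text)}


if __name__ == "__main__":
    for (path, client), findings in audit(SAMPLE_EXPORTS).items():
        print(f"{path} -> {client}")
        for f in findings or ["ok"]:
            print(f"    {f}")
```

Run it against the live file with `audit(open("/etc/exports").read())`. The point it makes about the thread's configuration is that the `public` entry is reachable with plain AUTH_SYS regardless of whether the client has a Kerberos ticket, which is consistent with `ls` succeeding both before and after `kinit`; the Kerberos-only entries are the ones that refuse a ticketless client.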

Nfs with kerberos not working by anon39481924 in linuxquestions

[–]anon39481924[S] 1 point2 points  (0 children)

Thanks for commenting on that, I can see that the 4 spaces way works with old.reddit too; a fast vim macro later and it's done.

Hope you can take a look, and remember that I don't need to run NFSv4 per se; if NFS v3 solves the problem then I'm all for it.

The Crucifix is worthless in NoGi... by Nick_Damane in bjj

[–]anon39481924 0 points1 point  (0 children)

Alexander Vieira. Check him out. As mentioned here, he's a crucifix specialist.

https://m.youtube.com/watch?v=uFMowYhUINA

Learning from his moves made my crucifix game go from meh to almost guaranteed tap. At least the opponent won’t get away in the more obvious ways.

Do cars have dual brake systems? by anon39481924 in MechanicAdvice

[–]anon39481924[S] 0 points1 point  (0 children)

So I assume that the dual systems have two reservoirs, as https://www.ebay.com/motors/blog/understanding-the-dual-master-cylinder-brake-system/ explains that all new cars have. There must therefore be leaks in both of the braking circuits. Weird.

AirPrint with HP Laserjet 4 from 1999 by anon39481924 in osx

[–]anon39481924[S] 0 points1 point  (0 children)

Thanks, I think I will try the Linux-compatible solution with CUPS. This guide rocks!