Most active commenters
  • airocker(4)

←back to thread

Run0, a systemd based alternative to sudo, announced

(mastodon.social)
466 points CoolCold | 12 comments | 29 Apr 24 23:59 UTC | HN request time: 0.806s | source | bottom
Show context
airocker ◴[30 Apr 24 20:21 UTC] No.40215819[source]
I have seldom come across unix multiuser environments getting used anymore for servers. Its generally just one user on one physical machine now a days. I understand run0's promise is still useful but i would really like to see the whole unix permission system simplified for just one user who has sudo access.
replies(17): >>40215898 #>>40216049 #>>40216052 #>>40216221 #>>40216591 #>>40216746 #>>40216794 #>>40216847 #>>40217413 #>>40217462 #>>40218411 #>>40219644 #>>40219888 #>>40220264 #>>40221109 #>>40223012 #>>40225619 #
1. rpgwaiter ◴[30 Apr 24 20:29 UTC] No.40215898[source]
NixOS may be helping multiuser make a comeback, at least it is for me and my home servers. I no longer have to containerize my apps, i can have one baremetal server with a dozen+ services, all with their own users and permissions, and i don't have to actually think about any of the separation.

Plus there’s network shares. Multiple people in my home with linux PCs, each with their own slice of the NFS pie based on user perms. Sure, it’s not secure, but these are people I live with, not state-sponsored hackers.

All that said, I’d also love a simpler single-user perm setup. For VMs, containers, etc it would be amazing

replies(5): >>40215927 #>>40216146 #>>40216291 #>>40217505 #>>40219940 #
2. airocker ◴[30 Apr 24 20:31 UTC] No.40215927[source]
NixOS at it again :)
3. adastra22 ◴[30 Apr 24 20:48 UTC] No.40216146[source]
I’m not sure how “I don’t have to actually think about any of the separation” meshes with the fact that you explicitly setup multiple users and configured file and group permissions accordingly. You clearly put a lot of thought into it.

Alternatively, containers really are a no-thinking-required solution. Everything maximally isolated by default.

replies(3): >>40216833 #>>40216899 #>>40223828 #
4. tetris11 ◴[30 Apr 24 21:01 UTC] No.40216291[source]
DietPi does exactly the same using Debian
5. oceanplexian ◴[30 Apr 24 21:51 UTC] No.40216833[source]
Containers are isolated but a far, far cry from maximally isolated. They’re still sharing a Linux Kernel with some hand waving and cgroups. The network isolation and QoS side is half-baked even in the most mature implementations.

HVM hypervisors were doing stronger, safer, better isolation than Docker was 10 years ago. They are certainly no-thinking required though which leads to the abysmal state of containerized security and performance we have currently.

6. airocker ◴[30 Apr 24 21:56 UTC] No.40216899[source]
There have been no big cves of container escapes for a while now. I guess it can be considered secure enough.
replies(1): >>40220912 #
7. inhumantsar ◴[30 Apr 24 22:59 UTC] No.40217505[source]
> i can have one baremetal server with a dozen+ services, all with their own users and permissions

I've used nixos and I don't really see how nixos is special apart from the declarative config. The same can/should be done with any distro and any config manager.

And unless you were running Podman in rootless mode, the same setup applies to containers too.

replies(1): >>40219945 #
8. eru ◴[01 May 24 05:48 UTC] No.40219940[source]
Containerisation (either with containers or via VMs) doesn't have to be expensive.

In principle, you can have just exactly the binary (or binaries) you need in the container or VM, without having a full Linux install.

See eg Unikernels like Mirage.

9. rpgwaiter ◴[01 May 24 05:50 UTC] No.40219945[source]
Sure i could do this on debian, but like, i wont. Some software comes packaged with nice scripts to provision new users for running systemd services, but a lot do not.

For me and my home network, if the default security mode is “manage users yourself”, i chmod -R 777 on all applicable files and call it a day. Nixos lets me be lazy, as all nixos modules (that I’ve ever used) have their own user setups with minimal permissions by default

10. lyu07282 ◴[01 May 24 08:41 UTC] No.40220912{3}[source]
A lot of Kernel privescs are also technically container escapes, so 2 months ago was the last one actually: https://www.cvedetails.com/cve/CVE-2024-1086/
replies(1): >>40225864 #
11. matrss ◴[01 May 24 14:34 UTC] No.40223828[source]
> I’m not sure how “I don’t have to actually think about any of the separation” meshes with the fact that you explicitly setup multiple users and configured file and group permissions accordingly. You clearly put a lot of thought into it.

That's the thing, with NixOS you usually don't have to explicitly setup users and permissions. For most simple services, the entire setup is a single line of code in your NixOS configuration. E.g.

    services.uptime-kuma.enable = true;
will make sure that your system is running an uptime-kuma instance, with its own user and all.

Some more complex software might require more configuration, but most of the time user and group setup is not part of that.

12. airocker ◴[01 May 24 16:52 UTC] No.40225864{4}[source]
but then even traditional multi-user would be compromised in this case.