this post was submitted on 06 Aug 2023
94 points (92.0% liked)

Linux

48397 readers
692 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Do you have any antivirus recomendations for Linux.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 21 points 1 year ago (8 children)

There's plenty of good advice in other comments in this topic. Let me add mine too, something I haven't seen in other comments: You need to figure out your threat model, and steer your course accordingly.

Who do you trust?

  • No one? Don't use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you'll also need to write your own compiler to protect against Thompson's hack). It's a hassle.
  • Original authors of software? Compile and install all software from source. Consider using LFS. It's a hassle.
  • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don't necessarily review any package updates, there's a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

What risky activities are you doing?

  • Running random crap software downloaded from the internet?
    • Run it in a virtual machine. It's easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
    • Containerize it with Docker, or run it in Firejail or Bubblewrap
      • Don't mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
      • It's easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
  • Running the same as root? I'm pretty sure a full virtual machine would be the only secure option to do that, and I'm 100% certain even that would be enough.
  • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
    • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from a honest bug.
    • If there's no Flatpak version available, I Bubblewrap it.

I have a simple Bash script that restricts apps' view of my filesystem, and cuts off as much stuff as possible, while retaining the app's ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

I could share my Bubblewrapping script, if there's interest.

[–] [email protected] 1 points 1 year ago (1 children)

I would actually like to see your Bubblewrap script if you wouldn't mind sharing. I've been thinking about trying to learn how to use it for a while now, but I've kept putting it off since getting Xorg programs to work with it seemed difficult/confusing to me.

[–] [email protected] 2 points 1 year ago

Here it comes: https://paste.ee/p/voTFI

Note that I'm no Bash expert, and you'll undoubtedly find ways to improve or fix it. Usage:

  • Run stuff in a sandbox isolate bash - and then verify your access to filesystem is restricted
  • Enable Xorg for apps that need it X=1 isolate mindustry
    • Wayland, which naturally isolates apps from each other, is enabled by default.
  • Enable network for apps that need it: NET=1 isolate curl https://ip6.me/api/
  • Enter the sandbox to mess around with it manually: NAME=mindustry isolate bash
    • Note that it doesn't catch Ctrl-C. Ctrl-C kills the isolated Bash.
  • Populate data (installers and whatnot): NAME=mygame isolate ls; cp installer.sh ~/.local/share/bubblewrap/mygame/; NAME=mygame isolate bash
load more comments (6 replies)