Questions & observations after trying EasyOS

[Chrysolite Azalea]

Hello everyone! Today, I've downloaded EasyOS and tried to run it in a virtual machine. I've looked what applications it has, what features are added, etc. Also, I've looked up the kernel configurations and have some questions:

1. What was the reason behind excluding mandatory access control systems support, such as SELinux, SMACK, AppArmor and TOMOYO Linux during kernel compilation time (pic. 1)? MAC in GNU/Linux can be disabled at boot time so it won't affect system functioning in any way.
2. What was the reason behind disabling Landlock support (pic. 2)? While Landlock is a pretty new technology (it was added in Linux 5.13 version), we can expect that more applications are going to use it in order to restrict their access to the filesystem just like they restrict their access to system calls with seccomp.
3. I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature of the Linux kernel that is used to create unprivileged containers and can be used to run untrusted apps in a container. Basically, it removes all parent-namespace capabilities and allows a namespace creator process to "remap" UIDs and GIDs so root in a container would be an ordinary user in the host namespace. In current EasyOS 4.4.3, only privileged containers can be created (even if you replace EasyContainers with LXC, Docker or systemd-nspawn), because there is no support for unprivileged containers in the kernel.

What's more important, there are unprivileged sandboxing tools such as [Bubblewrap](https://github.com/containers/bubblewrap/) that rely on unprivileged user namespaces. Disabling support for user namespaces means that only root can create a namespace sandbox, and adding Bubblewrap to EasyOS would require setting a SUID bit -- something Firejail has been criticized for. It can also cause issues with enabling the "No New Privileges" bit as it forbids any SUID-bit-based privilege elevation.

I hope that this is nothing more than merely a bug caused by a mistake in kernel compilation option choice.

[williwaw]

I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature

Do you see security concerns with Easy containers? I believe Barry once issued a challenge to anyone who could hack out of an Easy container remotely.

[Chrysolite Azalea]

I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature

Do you see security concerns with Easy containers? I believe Barry once issued a challenge to anyone who could hack out of an Easy container remotely.

The problem is not with EasyContainers software, but with the stock EasyOS kernel -- it doesn't support unprivileged containers at all. It may be a non-issue for EasyContainers, as the confined process may run as unprivileged user inside the container, with security restrictions (seccomp, for example). However, there are programs that do use user namespace isolation (LXC, for example, if the container is set to run unprivileged), and LXC would only be able to run privileged containers. Also, there are software such as Bubblewrap that would require to be run as root to run in EasyOS, because creating most namespaces (which means all of them except user namespaces) requires CAP_SYS_ADMIN and since user namespaces are disabled, the only way to obtain that capability is real root (or zeus, but Bubblewrap won't continue in privileged mode if it's run with necessary capabilities but its UID is not 0).

[TerryH]

Maybe the opening statement for Barry's website referencing EasyOS helps explain why:
EasyOS, also known as Easy OS, Easy Linux, or just "Easy", is an experimental distribution, a "new paradigm"; a blend of the best ideas from Puppy and Quirky, and a fundamental rethink of the security, maintainability and ease-of-use

https://bkhome.org/linux/easyos-a-simpl ... ution.html

[BarryK]

I'm in holiday-mode right now, but still quickly scanning the forum! I may be away from a phone signal soon though.

There is support for running as user "spot" in containers, if you are not satisfied with "crippled root"

EasyOS is an eclectic unorthodox experimental OS, it does not aim for compatibility with other security mechanisms.
Nor with other container mechanisms.

Back when I was originally researching namespaces, it looked like user-namespace is itself a potential security weakness.
So it is deliberately disabled.

[Chrysolite Azalea]

Back when I was originally researching namespaces, it looked like user-namespace is itself a potential security weakness.
So it is deliberately disabled.

The problem is that user namespaces are also a highly important security feature. What is sometimes called a security weakness, however, is unprivileged user namespaces specifically. For example, hardened versions of Arch Linux disable unprivileged user namespaces, requiring CAP_SYS_ADMIN for creating them, but they don't disable them completely. You can disable unprivileged user namespaces, by writing "0" in /proc/sys/kernel/unprivileged_userns_clone -- then, an unprivileged process wouldn't be able to create any namespaces. However, a privileged process would still be able create an unprivileged container.

P.S. I also wonder what was the reason behind disabling mandatory access control support and Landlock support.

[ErikV]

Hello everyone!,

I am not a young person.
Englisch (EN) is not my native language.

I want to install nload.
There is deb file for debian.
A source file on github.

Real time network traffic monitor for the text console (terminal).
https://github.com/rolandriegel/nload

The devx is closed and and i can not copy files to it.
Can you me helping how i it must do it.

xfce4-terminal is a better terminal program then Sakura.

There is deb file for debian.

xfce4-terminal werkt veel beter dan sakura
https://gitlab.xfce.org/apps/xfce4-terminal

Greatings,
Erik

[williwaw]

Hi erik
@ErikV

The devx is closed and and i can not copy files to it.

can you explain in more detail what you mean by closed? I did not need devx loaded to install

I found a deb at https://packages.debian.org/bullseye/nload and also downloaded......
https://packages.debian.org/bullseye/am ... 6/download
https://packages.debian.org/bullseye/am ... 6/download

left click to install or just download to petget

[williams2]

Real time network traffic monitor for the text console

It does not seem to show who is connected to what.

This should list some of the networks connections

Code: Select all

netstat -utape

I find iftop useful, and also nethogs

(both executables are about 60KB, not compressed.)

Also, ifconfig shows you total traffic per network (no meters, though.)

[BarryK]

I find iftop useful, and also nethogs

There is a recipe for compiling iftop in OpenEmbedded, I can compile it and add it to the package repository if you want.

No existing recipe for nload, but it looks simple enough to create one.

[ErikV]

Good news

Thanks everyone,

I have now bookworm installed and it it better then dunfell .
R.I.P dunfell

No problem with installing nload

Greatings,