Questions & observations after trying EasyOS

Moderator: BarryK

Post Reply
Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Questions & observations after trying EasyOS

Post by Chrysolite Azalea »

Hello everyone! Today, I've downloaded EasyOS and tried to run it in a virtual machine. I've looked what applications it has, what features are added, etc. Also, I've looked up the kernel configurations and have some questions:

1. What was the reason behind excluding mandatory access control systems support, such as SELinux, SMACK, AppArmor and TOMOYO Linux during kernel compilation time (pic. 1)? MAC in GNU/Linux can be disabled at boot time so it won't affect system functioning in any way.
2. What was the reason behind disabling Landlock support (pic. 2)? While Landlock is a pretty new technology (it was added in Linux 5.13 version), we can expect that more applications are going to use it in order to restrict their access to the filesystem just like they restrict their access to system calls with seccomp.
3. I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature of the Linux kernel that is used to create unprivileged containers and can be used to run untrusted apps in a container. Basically, it removes all parent-namespace capabilities and allows a namespace creator process to "remap" UIDs and GIDs so root in a container would be an ordinary user in the host namespace. In current EasyOS 4.4.3, only privileged containers can be created (even if you replace EasyContainers with LXC, Docker or systemd-nspawn), because there is no support for unprivileged containers in the kernel.

What's more important, there are unprivileged sandboxing tools such as [Bubblewrap](https://github.com/containers/bubblewrap/) that rely on unprivileged user namespaces. Disabling support for user namespaces means that only root can create a namespace sandbox, and adding Bubblewrap to EasyOS would require setting a SUID bit -- something Firejail has been criticized for. It can also cause issues with enabling the "No New Privileges" bit as it forbids any SUID-bit-based privilege elevation.

I hope that this is nothing more than merely a bug caused by a mistake in kernel compilation option choice.

Attachments
Picture 2 -- no support for user namespaces
Picture 2 -- no support for user namespaces
Screenshot_2022-10-27_16-13-01.png (227.97 KiB) Viewed 1411 times
Picture 1 -- MAC and Landlock are disabled
Picture 1 -- MAC and Landlock are disabled
Screenshot_2022-10-27_16-12-11.png (236.98 KiB) Viewed 1411 times
williwaw
Posts: 1975
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 372 times

Re: Really, what the..?

Post by williwaw »

Chrysolite Azalea wrote: Thu Oct 27, 2022 2:33 pm

I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature

Do you see security concerns with Easy containers? I believe Barry once issued a challenge to anyone who could hack out of an Easy container remotely.

Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Re: Really, what the..?

Post by Chrysolite Azalea »

williwaw wrote: Thu Oct 27, 2022 7:51 pm
Chrysolite Azalea wrote: Thu Oct 27, 2022 2:33 pm

I've looked how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature

Do you see security concerns with Easy containers? I believe Barry once issued a challenge to anyone who could hack out of an Easy container remotely.

The problem is not with EasyContainers software, but with the stock EasyOS kernel -- it doesn't support unprivileged containers at all. It may be a non-issue for EasyContainers, as the confined process may run as unprivileged user inside the container, with security restrictions (seccomp, for example). However, there are programs that do use user namespace isolation (LXC, for example, if the container is set to run unprivileged), and LXC would only be able to run privileged containers. Also, there are software such as Bubblewrap that would require to be run as root to run in EasyOS, because creating most namespaces (which means all of them except user namespaces) requires CAP_SYS_ADMIN and since user namespaces are disabled, the only way to obtain that capability is real root (or zeus, but Bubblewrap won't continue in privileged mode if it's run with necessary capabilities but its UID is not 0).

TerryH
Posts: 658
Joined: Mon Jun 15, 2020 2:08 am
Has thanked: 164 times
Been thanked: 164 times

Re: Really, what the..?

Post by TerryH »

Maybe the opening statement for Barry's website referencing EasyOS helps explain why:
EasyOS, also known as Easy OS, Easy Linux, or just "Easy", is an experimental distribution, a "new paradigm"; a blend of the best ideas from Puppy and Quirky, and a fundamental rethink of the security, maintainability and ease-of-use

https://bkhome.org/linux/easyos-a-simpl ... ution.html

New Laptop - ASUS ZenBook Ryzen 7 5800H Vega 7 iGPU / 16 GB RAM

User avatar
BarryK
Posts: 2748
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 136 times
Been thanked: 750 times

Re: Questions & observations after trying EasyOS

Post by BarryK »

I'm in holiday-mode right now, but still quickly scanning the forum! I may be away from a phone signal soon though.

There is support for running as user "spot" in containers, if you are not satisfied with "crippled root"

EasyOS is an eclectic unorthodox experimental OS, it does not aim for compatibility with other security mechanisms.
Nor with other container mechanisms.

Back when I was originally researching namespaces, it looked like user-namespace is itself a potential security weakness.
So it is deliberately disabled.

Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Re: Questions & observations after trying EasyOS

Post by Chrysolite Azalea »

BarryK wrote: Fri Oct 28, 2022 1:12 am

Back when I was originally researching namespaces, it looked like user-namespace is itself a potential security weakness.
So it is deliberately disabled.

The problem is that user namespaces are also a highly important security feature. What is sometimes called a security weakness, however, is unprivileged user namespaces specifically. For example, hardened versions of Arch Linux disable unprivileged user namespaces, requiring CAP_SYS_ADMIN for creating them, but they don't disable them completely. You can disable unprivileged user namespaces, by writing "0" in /proc/sys/kernel/unprivileged_userns_clone -- then, an unprivileged process wouldn't be able to create any namespaces. However, a privileged process would still be able create an unprivileged container.

P.S. I also wonder what was the reason behind disabling mandatory access control support and Landlock support.

ErikV
Posts: 2
Joined: Wed Nov 16, 2022 5:34 pm

Re: Questions & observations after trying EasyOS

Post by ErikV »

Hello everyone!,

I am not a young person.
Englisch (EN) is not my native language.

I want to install nload.
There is deb file for debian.
A source file on github.

Real time network traffic monitor for the text console (terminal).
https://github.com/rolandriegel/nload

The devx is closed and and i can not copy files to it.
Can you me helping how i it must do it.

xfce4-terminal is a better terminal program then Sakura.

There is deb file for debian.

xfce4-terminal werkt veel beter dan sakura
https://gitlab.xfce.org/apps/xfce4-terminal

Greatings,
Erik

williwaw
Posts: 1975
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 372 times

Re: Questions & observations after trying EasyOS

Post by williwaw »

Hi erik
@ErikV

The devx is closed and and i can not copy files to it.

can you explain in more detail what you mean by closed? I did not need devx loaded to install

I found a deb at https://packages.debian.org/bullseye/nload and also downloaded......
https://packages.debian.org/bullseye/am ... 6/download
https://packages.debian.org/bullseye/am ... 6/download

left click to install or just download to petget

williams2
Posts: 1065
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 306 times

Re: Questions & observations after trying EasyOS

Post by williams2 »

Real time network traffic monitor for the text console

It does not seem to show who is connected to what.

This should list some of the networks connections

Code: Select all

netstat -utape

I find iftop useful, and also nethogs

(both executables are about 60KB, not compressed.)

Also, ifconfig shows you total traffic per network (no meters, though.)

User avatar
BarryK
Posts: 2748
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 136 times
Been thanked: 750 times

Re: Questions & observations after trying EasyOS

Post by BarryK »

williams2 wrote: Mon Nov 28, 2022 2:03 am

I find iftop useful, and also nethogs

There is a recipe for compiling iftop in OpenEmbedded, I can compile it and add it to the package repository if you want.

No existing recipe for nload, but it looks simple enough to create one.

ErikV
Posts: 2
Joined: Wed Nov 16, 2022 5:34 pm

Re: Questions & observations after trying EasyOS

Post by ErikV »

Good news

Thanks everyone,

I have now bookworm installed and it it better then dunfell .
R.I.P dunfell

No problem with installing nload

Greatings,

Post Reply

Return to “EasyOS”