this post was submitted on 30 Aug 2024
24 points (90.0% liked)

Selfhosted

40438 readers
435 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?

It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

While you are correct, any system is compromised if you have root, so isn’t that irrelevant at that point?

The original context for the comment chain was:

Because even if an attacker could gain access even as root he cannot modify system files.

So no, it's completely relevant.

[–] [email protected] 1 points 3 months ago (1 children)

My comment in the comment chain was:

An attacker escaping from a container can't be system root as Podman runs rootless (without some other exploit or weak password).

We could give the op the benefit of the doubt and thinking that they were saying that the attacker inside the container managed to gain root inside the container.

[–] [email protected] 2 points 3 months ago (1 children)

Your comment also contained

The filesystem itself is also read-only.

Which is what led to the further discussion of root making that not so.

I don't believe that to be the intent of the OP's comment, given their second sentence, but they are welcome to state otherwise. I just don't want them thinking that an immutable distribution gives them some kind of bulletproof security that it doesn't.

[–] [email protected] 1 points 3 months ago

Very true. The discussion helped me, as I did think it meant not easily editable.

As root of course you can change the system to be any other type of system (layer packages, rebase, whatever), but I did assume it meant not easily modifiable in it's current state.