Yes. Memory allocated, but not written to, still counts toward your limit, unlike in overcommit modes 0 or 1.
The default is to hope that not enough applications on the system cash out on their memory and force the system OOM. You get more efficient use of memory, but I don’t like this approach.
And as a bonus, if you use overcommit 2, you get access to vm.admin_reserve_kbytes which allows you to reserve memory only for admin users. Quite nice.
If by “unused” you mean not actively storing data, then the Linux kernel docs disagree.
Unless you have the vm.overcommit_memory sysctl set to 2, and your overcommit is set to less than your system memory.
Then, when an application requests more memory than you have available, it will just get an error instead of needing to be killed by OOM when it attempts to use the memory at a later time.
Same could’ve once been said about a free OS like Linux. Now it is absolutely possible, with the downsides shrinking bit by bit.
The goal of 100% free is one I support. And these people are working to make it possible.
(DBus-based?)
Yeah. iwd even has this issue where it needs you to run a system dbus (presumably so regular users can configure network and the admin can apply dbus polices) even if you do everything as root. No dbus, no function.
Not good.
Simple solution is to use cryptsetup to encrypt it, forget the key, and optionally overwrite the first megabyte or so of the disk (where the LUKS header is).
If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.
What a lot of people don’t know is that the XZ attack entirely relied on binary blobs: Partially in the repo as binary test files, and partially in only the github release (binary).
If someone actually built it from source, they weren’t vulnerable. So contrary to some, it wasn’t a vulnerability that was in plain view that somehow passed volunteer review.
This is why allowing binary data in open-source repos should be heavily frowned upon.
Really Linux distros just didn’t work with it right out of the box…
From what I’ve read, this is misleading. Default secureboot within Windows will only boot a bootloader signed with Microsoft’s key. Although Microsoft does seem to provide a signing service for signing with their keys, this is at their mercy. Windows made a change that broke booting alternative operating systems unless they use a service that Windows provides to fix it, or disable secureboot.
The “I hate change.” Mindset.
Or maybe it’s extra complexity that often leads to the first recommendation to fixing Linux not booting being “disable secureboot” and how this is an extra hurdle to jump through for new users. As well as increased likelihood of problems, due to secureboot.
Sounds like flatpaks/appimages with extra steps.
I’m fairly sure the complexity of flatpak/appimage solutions are far more than the static linking of a binary (at least on non-glibc systems). Its often a single flag (Ex: -static) that builds the DLLs into the binary, not a whole container and namespace.
The question should by why you’d want to.
Because the application working is more important than the downsides in my case. Its quite useful for an application which hasn’t been updated in a long time, will never receive updates again, or doesn’t work in my nonstandard environment.
I have had older applications fail to function due to DLL hell.
You can modify the keybinds in software too. You would need to change your console keymap (TTY) and your desktop environment keybindings. Programmable keyboard is most likely easier though.
I played around with it and changed both to just use F1 = tty1 and so on, without requiring CTRL+ALT.
Your needs must be different than mine.
I press one button combination and have root without ever entering a password. I press a similar combination and go back. Not sure how this is a pain in the ass.
All I do is have agetty --autologin root tty2 linux run as a service. It launches on startup, and I just hit CTRL + ALT + F2 if I ever need a root shell.
All its doing is just auto logging-in as root on TTY2.
From what I’ve read, no. Though it doesn’t solve the fundamental problem of a root process handling untrusted input from a regular user.
The TTY method is IMO better as it ties privileges to a piece of physical hardware, bypassing the complexities of userspace elevation of privileges.
The nosuid mount option disables this behavior per mount. Just be sure you don’t use suid binaries.
Example: sudo or doas. I replaced those with switching to a tty with an already open root account on startup. Generally faster and (for me) more secure (you need physical access to get to the tty).
From my experience a user account usually needs to be in the “wheel” group to elevate privileges through sudo. So try that.
Simply: Do the protections against someone taking your computer and installing a malicious program before/as your OS, or a program that has attained root on your machine and installs itself before/as your OS, matter enough to you to justify the increased risk of being locked out of your machine and the effort to set it up and understand it.
If you don’t understand and don’t want to put in the effort to, then my advice would be to leave it off. Its simple, and the likelihood it saves you is probably very miniscule.
… Alpine is designed to be friendly to corporations who want to lock down their devices and prevent you from modifying them.
“Designed to” assumes intent. Alpine is absolutely designed to be Small, Simple, and Secure. Using busybox instead of the GNU coreutils is a means to this end. Using musl instead of glibc is a means to this end.
On the about page they list why they use these tools. The licensing is not listed at all.
A threat model in which you don’t trust the Linux Foundation and volunteers but do trust Microsoft.
Its all about what you want to protect. If a security breach is worse for you on Linux than it is on Windows because of which party has the data, then for you, Windows might be more secure.
Some people get confused because they think there is some objective measurable security rating one can apply to a system for every person. There isn’t. We may use the same systems but have different threat models and thus rate the security different.
Inputting a password multiple times into sudo has downsides too. Larger window for attackers to do something like: add a directory to your path, which has a fake sudo in it, and capture your password.