I've got a confession to make.

A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..

What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.

What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.

What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.

At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?

  • 19
    Microsoft: 😌 He understands
  • 3
    I wouldn't do auto-updates. No way. Especially cron-based, as they are unattended. If I had to I'd use cheff or ansible to update machines at desired time. On-demand basis and keep an eye on machines while update is running.

    Updates are likely to impair server stability. That's not something I'd like to happen when I'm not prepared. Neithet at SOD nor EOD.

    As for security -- anything running as root can have vulns granting root shell. Not to mention lateral attacks, like bit row hammering. Or smth more common, like sudoers misconfig or accidental suid in insecure script :)
  • 2
    @netikras Same, I've had issues with this for a few months on my mailers actually, as I nuked my php-fpm config with an unattended upgrade through a Termux script I wrote, and consequently broke Roundcube. Coincidentally I fixed that error today.. but that really taught me that unattended upgrades are no good for stability, especially when it comes to servers.
  • 5
    Dictatorship is actually not a bad form among the types of government, as long as the dictator is not a total jerk. 🤷‍♂️

    // Screw ethic. It's one of those marketing terms.
  • 3
    And there you have the exact same logic the US government followed before the Snowden leaks and possibly still follows. "It's so easy, and there's no real harm".
    Only you didn't go through with it. Good on you
  • 4
    I see what you did there @theNSA 🙃
  • 1
    @cursee that is the problem.
    If you have 50% chance of it being good it also means than you have 50% change of it being a total disaster and honestly it is a risk not worth taking.
  • 1
    @hell ah life and humans are complicated 🤷‍♂️
  • 2
    @cursee it isn't, we just talk too much. Leave the bullshit aside and everything is simple.
  • 2
    @hell but but bullshit is in each and every one of us 🕺
  • 0
    @M1sf3t not anymore unfortunately, I basically made that machine and gave it to the user. I never saw it again afterwards and the user ended up moving out to somewhere else. Personally I'm using other operating systems. But I recall it having required quite a bit of fuckery as well.
  • 0
    @M1sf3t If it's just gonna host a PHP server, why not go with a server distribution like Debian?
Add Comment