alip6d ago
Symbolic links bite again! This time it's #NixOS did you know #sydbox has trace/force_no_symlinks and trace/force_no_magiclinks options to disable following symlinks/magiclinks? You can even change them at runtime to achieve #pledge like confinement: https://discourse.nixos.org/t/nix-security-advisory-privilege-escalation-via-symlink-following-during-fod-output-registration/76900 #nix #linux #security
Nix security advisory: Privilege escalation via symlink following during FOD output registration

Summary Nix daemon is vulnerable to arbitrary file overwrites as the daemon user (root on NixOS and in multi-user installations). The issue is identified as GHSA-g3g9-5vj6-r3gj with CVE assignment pending. All users allowed to submit builds to the Nix daemon (allowed-users, everyone by default) can achieve arbitrary file writes as root and subsequent privilege escalation. Am I affected? All Nix versions since 2.21 and patch releases >=2.18.2,>=2.19.4,>=2.20.5 prior to 2.34.5, 2.33.4, 2.32.7, 2...

NixOS Discourse
alipApr 5
News from #sydbox git: Starting next release, we're going to be signing binary releases with #OpenBSD signify rather than #GnuPG. To enable practical signing in #Exherbo #Gitlab CI, I wrote an #ISC licensed, pure portable #POSIX shell implementation of #OpenBSD signify. signify.sh has no external dependencies and runs with PATH=. It has unit tests embedded which may be run with --test option: https://gitlab.exherbo.org/sydbox/sydbox/-/raw/next/dev/signify.sh #exherbo #linux #security
alipApr 4
#gVisor recently got its own #ASLR implementation. OTOH, #Sydbox uses ASLR provided by the #Linux #kernel and enforces PIE executables. #HardenedBSD has a sysctl to enforce PIE as well: https://man.exherbo.org/syd.7.html#Enforcing_Position-Independent_Executables_(PIE) #exherbo #linux #security
SYD(7)

alipMar 31
Reading this made me reconsider switching #Sydbox from GPL-3 to AGPL-3: https://www.onlyoffice.com/blog/2026/03/onlyoffice-flags-license-violations-in-euro-office-project-by-nextcloud-and-ionos WDYT? #exherbo #linux #security #poll
GPL-3 > AGPL-3
50%
AGPL-3 > GPL-3
25%
No difference for a sandbox
12.5%
Strawberry fields forever
12.5%
Poll ended at .
ONLYOFFICE flags license violations in “Euro-Office” project

The “Euro-Office” initiative is an evident and material violation of ONLYOFFICE licensing terms and principles of international intellectual property law.

ONLYOFFICE Blog
Show threadalipMar 31
@lattera for sure! I've been following #HardenedBSD's attempts to migrate with interest. I have never got around to learning it myself to the point I can mirror #Sydbox. Pointers welcome.
Show threadShawn WebbMar 31
@alip Would you be amenable to also mirroring #sydbox on #radicle?
alipMar 31
#Sydbox is NOT hosted on #Github and this is an ethical decision. Main repository is the #Exherbo #Gitlab, we have mirrors on #Sourcehut and #Codeberg. Having said that, the code is GPL-3 and I can't legally prevent anyone from mirroring it on Github. I can just kindly ask not to...: https://github.com/tamaroning/sydbox/issues/1 #exherbo #linux #security
Please remove this repository · Issue #1 · tamaroning/sydbox

Dear kind people, I am Ali Polatel, the main author of Sydbox. I want to kindly ask you to remove this repository from Github. There's a reason I don't host code on Github. I don't want my code, my...

GitHub
alipMar 29
Here is #rustlang bindings for Redis' #radix tree: https://crates.io/crates/redix New #sydbox uses this for path canonicalization which sufficiently reduces its userspace overhead. Let me know if sydbox-3.51.1 is too fast for you and I'll add some random sleeps around the code ;) #exherbo #linux #security
crates.io: Rust Package Registry

crates.io serves as a central registry for sharing crates, which are packages or libraries written in Rust that you can use to enhance your projects

alipMar 27
#Sydbox has a new #tutorial: https://man.exherbo.org/sydtutorial.7.html #exherbo #linux #security
SYDTUTORIAL(7)

alipMar 22
#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
ChangeLog.md · main · Sydbox / sydbox · GitLab

rock-solid application kernel

GitLab