• 0 Posts
  • 505 Comments
Joined 1 year ago
Cake day: February 10th, 2025
  • FauxLiving@lemmy.worldtoPC Gaming@lemmy.caValve Developer Improves The Linux Gaming Experience For Limited vRAM HardwareEnglish
    6·
    2 days ago

    It’s on the AUR but you need a patched kernel which you can grab from catchyOS

    Instructions are in the developer’s blog post: https://pixelcluster.github.io/VRAM-Mgmt-fixed/

    Q: I use another Arch-based distro! What now?

    The dmemcg-booster and plasma-foreground-booster utilities are available in the AUR as well (plasma-foreground-booster carries the package name plasma-foreground-booster-dmemcg), so you can install them from there.

    For the kernel side, you can either use the CachyOS kernel package on a non-CachyOS system by retrieving the package from their repository, or you can compile your own kernel. Installing linux-dmemcg from the AUR will compile the development branch I used to develop this. Being a development branch, this carries the risk of some stuff being broken, so install at your own risk!

    If you want to apply the kernel patches yourself, you need these six .patch files: [links in blog]

    I’m not sure how easily they apply on specific kernel versions, but feel free to leave a comment if you run into issues and I’ll try to help out.

  • FauxLiving@lemmy.worldtoPC Gaming@lemmy.caValve Developer Improves The Linux Gaming Experience For Limited vRAM HardwareEnglish
    55·
    2 days ago

    Lots of for-profit commercial entities contribute to open source projects.

    The code they’re contributing is covered by the same license as the code contributed by volunteer developers.

    I understand why we should be cautious about these things, but the current situation is that Valve is contributing a lot and their contributions are open source. Yeah, they’re doing it for a profit motive, but not to the point where they’re trying to kill open source projects or hide the updates behind proprietary binaries.

    Valve is, currently, not being evil. GabeN has plenty of yacht money.

  • FauxLiving@lemmy.worldtoSelfhosted@lemmy.worldHairpin dns issueEnglish
    2·
    2 days ago

    Yeah, setup a pi-hole container/server to do DHCP and disable it on your router. The documentation should cover it, but you have to use network_mode: host in order for it to do DHCP.

    You can then add an A record entry for your Immich server’s domain name pointing to the LAN IP and so any device on your LAN will resolve its domain to the LAN IP.

    You also get pi-hole DNS filtering/adblock and, probably, a larger DNS cache than what the router provides.

  • FauxLiving@lemmy.worldtoSelfhosted@lemmy.worldHairpin dns issueEnglish
    5·
    3 days ago

    On your LAN DNS server (say, pi-hole), you could add an A record for your Immich’s domain name that points to the internal IP address so clients on your LAN would simply resolve the LAN IP instead of trying to do fancy NATing. Make sure your browser doesn’t try to do DNS over HTTPS, which would skip your local dns.

    Or you could run everything on a meshVPN like Tailnet. That way the (VPN) IP of the Immich server doesn’t change and the Tailnet will route the traffic over your LAN when your clients are local.

  • FauxLiving@lemmy.worldtoLinux@lemmy.mlWhat package manager do you use for arch based distros?
    8·
    4 days ago

    Depends on the program, they don’t use system libraries so if they have a lot of dependencies then they’ll be larger.

    An example:

    Steam Flatpak: 35MB

    Steam pacman: 19MB

    On one hand, it’s only a few MB. On the other hand, it’s 54% larger.

    Flatpaks can also depend on other flatpaks. For example, graphics card support requires about 1-1.5GB of flatpak dependencies even though your system already has graphics card drivers.

  • FauxLiving@lemmy.worldtoLinux@lemmy.mlTiming Flaw in systemd Cleanup Enables Root Privilege Escalation
    2·
    8 days ago

    What is the security hole in systemd?

    You haven’t answered this.

    systemd-tmpfiles exists to delete inactive files in /tmp. That’s not a security flaw, that’s system maintenance. It’s the documented purpose of systemd-tmpfiles and it performs exactly was documented.

    The security hole is in snap-confine which does not verify that its own directory is owned by root before mounting it AS ROOT. That’s the security hole.

    So, again, what is the security hole in systemd-tmpfiles?

    If you don’t have an answer then just say so. Resorting to name calling and trying to frame this as if I’m the irrational one is absurd.

  • FauxLiving@lemmy.worldtoLinux@lemmy.mlTiming Flaw in systemd Cleanup Enables Root Privilege Escalation
    21·
    8 days ago

    There is no systemd flaw here.

    snap-confine creates /tmp/.snap owned by root.

    systemd-tmpfiles can delete this directory because it also has root privileges. It will do so if the directory is inactive for, by default, 30 days. Files can be excluded from this by adding a .conf file to /etc/tmpfiles.d/, snap-confine does not do this.

    Because the files are not excluded they will be deleted. systemd-tmpfiles can do this because it is running as root.

    Once they are deleted a USER can recreate /tmp/.snap with malicious code.

    snap-confine never verifies that the directory is owned by root, and performs its security checks before its privileged file operations, creating a race window. Because snap-confine is setuid root, it then bind-mounts files from the attacker-controlled /tmp/.snap into the snap sandbox’s filesystem, allowing an attacker to execute arbitrary code as root.

    What is the systemd-tmpfiles flaw? It does exactly what it is supposed to do, and it provides a means to exclude directories from its process. snap doesn’t configure systemd to ignore the directories and it doesn’t perform appropriate checks on the directory’s ownership.