Small update

Franco Colmenarez 2023-01-31 13:46:40 -05:00
parent 4d1c0b9865
commit 40846fb848

@ -289,7 +289,7 @@ The technical reasons why are explained [here](https://madaidans-insecurities.gi
Here are some tips on how you can improve Linux Desktop security:
- Use [Wayland](https://wiki.archlinux.org/title/Wayland) instead of [Xorg/X11](https://wiki.archlinux.org/title/Xorg). Xorg is a very ancient program with really ancient code, designed under a really ancient protocol (X11). Linux sandboxing is flawed mostly because of possible sandbox escapes through X11. The catch is that you may have compatibility issues with Wayland, for example, you may struggle with screen sharing. However, Wayland development is improving with time.
- Use [Wayland](https://wiki.archlinux.org/title/Wayland) instead of [Xorg/X11](https://wiki.archlinux.org/title/Xorg). Xorg is a very ancient program with really ancient code, designed under a really ancient protocol (X11). Linux sandboxing is flawed mostly because of [possible sandbox escapes through X11](https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html). The catch is that you may have compatibility issues with Wayland, for example, you may struggle with screen sharing. However, Wayland development is improving with time.
- Use [Pipewire](https://wiki.archlinux.org/title/PipeWire) instead of [Pulseaudio](https://wiki.archlinux.org/title/PulseAudio). Pipewire provides better sandboxing and security features. Most Linux distribution are starting to ship Pipewire instead of Pulseaudio.
- Use [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc). This is a bit more extreme and it's not recommended if you don't know what you are doing, as some programs may break.
- Use [doas](https://github.com/slicer69/doas) instead of Sudo. Sudo have had [security vulnerabilities](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt) that took years to patch. Sudo is a really big program, and doas is much smaller in comparison. Doas has less features than Sudo, but for desktop usage, Doas is usually more than enough.
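Review bot: In the changed Wayland bullet, the new link is the only source for the claim that "Linux sandboxing is flawed mostly because of" X11 escapes, and its URL dates it to 2011/04. Either soften "mostly" or say what the linked post is about (GUI isolation between X11 clients, per its slug), and note the date so readers can judge how current it is. While touching this list, the neighbouring context lines have grammar slips worth fixing in the same pass: "Most Linux distribution are" should be "distributions", "Sudo have had" should be "has had", and "less features" should be "fewer features". The subject "Small update" also does not say what changed; something like "Add source for X11 sandbox escape claim" would make the history searchable.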