Really great article.

I was a bit critical of your last post on kernel init stuff, but this one is well laid out and gets quickly to the material at hand: all applications make the same system calls.

Keep it up, I’m going to follow this.

My LDAP PTSD is coming back…

I’ll make the following LDAP assumptions:

• LDAP directory is configured and available
• LDAP uri is configured and a lookup on system level is working and returns the correct POSIX uid/gid with LDAP query
• no POSIX conflicts on the client (no object in passwd has uid/uid 11004) I can assume this because the fail over is root
• LDAP search base is configured and returns expected POSIX values

And I’ll make the following postgres assumptions:

• pg_hba.conf is configured for LDAP server address, port, and search base
• postgres can instantiate and connect to its dbs using LDAP with ldap

Finally, I’ll assume that your nfsv4 mount is active and that POSIX operations work at Pam - level tests.

The line

group:      files [SUCCESS=merge] sss [SUCCESS=merge] systemd

Seems weird to me; either you add success clause to both uid and gid, or none, but not one and not the other.

This would also hint that Pam has not been updated to use LDAP.

That’s where I’d start.

Side note: LDAP is by default unencrypted on the wire, so to complete this exercise, you may want to setup secrecy on the server. This is especially important for db creds.

If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.

Not sure how this relates. If you’re saying it was a good idea at the outset, then sure… If the keys hadn’t almost all been leaked by AMI and Phoenix. MS was supposed to have created a Microsoft Certified hardware vendor program for this, which fell apart pretty quickly.

Secure Boot is a joke, both practically (there are many, many tools in use to bypass it) and in my professional circles, it is considered obsolete like WEP. My audit controls for Secure Boot demand that an endpoint management solution like InTune is deployed.

You don’t have to take my word for it, obviously. I’m not trying to tell you how to live your life.

Secure Boot keys are considered compromised.

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

If you are recommending secure boot as a security measure, you should stop doing so.

Nice, and good job.

With respect:

• You are describing the init process, after the boot stuff is done. Not sure if you meant that or not.
• vmlinuz is the bootable kernel image distinct from the kernel itself. It contains the compressed bootable ELF kernel image (which itself contains bvmlinuz) and gzip decompress function, bsetup code, bbootsect system.map, and a handful of commands for the kernel image to bootstrap itself.
• Kernel space doesn’t stop once user space is allocated memory and initialized, they both run at the same time. Maybe I read that wrong, but it didn’t seem right to me.

I want to be careful here not to discourage you, this is great exploration!

I realize I’m handing out unsolicited advice here, but when I was first learning about Unix/Linux kernels in the Solaris and HP/UX days, the thing that helped the process “click” for me was compiling a kernel and building an ELF. And if you’re going to continue on this journey (which I hope you do), you should probably read a bit on memory segmentation and broadly about assembly instructions.

Good luck!

Are you just reverse-engineering this for fun, or are you trying to learn how qemu builds on a bootstrap?

Permissive licensing can create what is effectively “software tivoization” (the restriction or dirty interpretation of distribution and modification rights of software by the inclusion of differently-licensed components).

The Bitwarden case is a good example of how much damage can be done to a brand with merely the perception of restrictive licensing. obviously, bitwarden has clarified the mess, but not before it was being called ‘proprietary’ by the whole oss community.

So I don’t think op is referring to direct corporate takeover, but damage caused by corporate abuse of a fork.

Modern phones (after about 2016) use two boot slots for for the bootloader.

“Italian”?

I’m also on not-quite-supported hardware (surface pro 6) and I feel your pain. We have a special kernel for most of the functionality, but neither camera.

At this point, I’m grateful for a commodity x86_64 tablet with most everything else working perfectly, so it’s a small price.

Saving for later, pretty cool.

Europe can’t, nor will partner with Graphene OS because 1) Graphene OS likely won’t exist in 5 years with android becoming more and more closed, and 2) Graphene OS is still forced to use:

• Google phones
• proprietary android drivers
• proprietary Google services via shared accounts for some services
• manufacturer baseband modems, which are closed and very few people know how much data they send and where

I applaud your initiative and enthusiasm, but there are significantly more hurdles than simply convincing the EU to partner with a few companies.

If you are serious about this, start looking at projects Steam is supporting (like Proton) and figure put how we can get more developer time into existing Linux phone solutions.

Glad I was able to help, because samba has a lot of knobs and switches.

When I was first learning samba in 2003, I got overwhelmed pretty fast until my colleague told me the best way to handle samba is to start with a working and simple global directive, then one simple share, and layer security on top of that.

You are being prompted because the nobody/nogroup user/group has no password, no shell, and no permissions.

That tutorial is wrong. Couple of problems immediately:

• “valid users” specifies “all the users in this group are allowed access”. It is incompatible with “force user/group” directive
• you should be using the “guest user=” directive, which sets the identity of any public access. Your permissions should match this user.
• nobody/nogroup are special user and group that (usually) have no access to any file. They exist for processes to run with minimal provileges, or for a fallback default if UID/gid map are invalid. Using this user/group combo for this samba share implies that you will either alter them so that they now DO have privileges to access files, or that you intend samba to never access any files. Create a guest user, set permissions and umask in the directory.

Thanks for the context. I did read the articles on this, but you’ve summed up the positives well.

Unfortunately, these articles also point out that putting uutils into the wild of 25.10 will doubtless reveal some hitherto unknown breakages and rough patches.

Which I agree with. No one is forcing anyone to use 25.10, but there is no better way to smoke test sw than pushing it to prod.

I’m a Debian user, so I have the luxury of waiting to see the outcome of these efforts for now.

Supposedly there are many not-very-well-tested changes in 25.10, be aware of that if you upgrade or try this out.

If you just want to do pedestrian activities like gaming and desktop stuff, you’re fine with the average nvidia driver install tutorial, and it’s pretty trivial.

If you want more niche or advanced features like HDR tuning in Wayland or using cuda applications, you may want to consider that amd drivers are actually open and allow you to get into those kinds of tunables.

That said, there are still features and performance kept away from the user with nvidia, despite their never-ending promises of making drivers open, and nvidia has been rewarded for being not open on Linux, which a lot of us don’t like. I personally am one of those and my stance with nvidia is partly one of principle.

They don’t really compete on the same features, but I get what you mean.

Do bind mounts not allow you to manipulate the same data in one directory from multiple containers? That’s what I do, no fussing with hard links.

The Solaris version of vi, hardened against escape to shell and with no quality of life improvements. Builds character.

I also recommend giving up electricity and motor vehicles, real men calculate subnet masks by hand.