tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

[security] Add a red button to disable untrusted user login. #13

New Issue
Open
opened 2026-05-07 23:50:02 +02:00 by javalsai · 1 comment
javalsai commented 2026-05-07 23:50:02 +02:00
Owner
Copy Link
Copy Source

With the surge of copyfail and dirtyfrag I feel very skeptical at just having arbitrary users in our system.

Especially in the case of copyfail, where the vulnerable kernel modules were built into our almalinux kernel, and the proper selinux solution was quite messy; where we remained partially vulnerable (sudoers couldve been overwritten, a-r on suids wasn't a complete mitigation).

In those cases I would sleep more peacefully if we had an emergency button to boot off all untrusted users while we figure out a proper mitigation.

Especially considering the declarative nature of nix, where a fix rebuild could take some time until the system is reliable again.

With the surge of copyfail and dirtyfrag I feel very skeptical at just having arbitrary users in our system. Especially in the case of copyfail, where the vulnerable kernel modules were built into our almalinux kernel, and the proper selinux solution was quite messy; where we remained partially vulnerable (sudoers couldve been overwritten, `a-r` on suids wasn't a complete mitigation). In those cases I would sleep more peacefully if we had an emergency button to boot off all untrusted users while we figure out a proper mitigation. Especially considering the declarative nature of nix, where a fix rebuild could take some time until the system is reliable again.
javalsai added the
priority
medium
system
core
 labels 2026-05-07 23:50:02 +02:00
javalsai added the
type
security
 label 2026-05-07 23:51:46 +02:00
javalsai added this to the General TODOs project 2026-05-07 23:53:44 +02:00
javalsai moved this to To Do in General TODOs on 2026-05-07 23:53:53 +02:00
ErrorNoInternet commented 2026-05-08 00:10:11 +02:00
Owner
Copy Link
Copy Source

I was thinking of using specialisations but last time I had them in my NixOS configuration my evaluation time doubled for each new specialisation I added.

I was thinking of using [specialisations](https://search.nixos.org/options?channel=25.11&query=specialisation) but last time I had them in my NixOS configuration my evaluation time doubled for each new specialisation I added.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
priority
high
priority
low
priority
medium
status
discussion-needed
status
duplicate
status
invalid
status
question
system
core
system
service
type
enhancement
type
security
No Label
priority
medium
system
core
type
security
Milestone
No items
No Milestone
Projects
Clear projects
No project General TODOs
Assignees
Clear assignees
ErrorNoInternet (Ryan) UwU (Mista GayLord) danmax deadvey duck-that-quacks grialion javalsai pickzelle
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: tuxcord/tuxcord.nix#13
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?