Photon is a sleek web UI for Lemmy.

I was told by an admin I could post updates to Photon here, despite it being a web client?

This release brings basic moderation tools to Photon, as well as a bunch of quality-of-life tweaks.

Features

  • Add moderation tools by @Xyphyn in https://github.com/Xyphyn/photon/pull/33
    • Add post submission removal
    • Add comment submission removal
    • Add report viewing and resolving
    • Add thread locking
    • Add post pinning/unpinning
  • Add initiating message conversations
  • Add better pagination to lots of pages
  • Add sorting to user pages
  • Add user blocking
  • Add federation links

Fixes

Administration tools will come in v0.5.0.

Full Changelog: https://github.com/Xyphyn/photon/compare/v0.3.3...v0.4.0

Github

Official app instance

Community: [email protected]

  • Shadow
    link
    fedilink
    English
    61 year ago

    Please add support to not run as root!

    I was going to bring this up on lemmy.ca but haven’t had time to submit a PR to fix the user ID first.

    • Xylight (Photon dev)OP
      link
      fedilink
      English
      11 year ago

      Wdym? If you logged in as another user, you must add it to the docker group. I’m not sure what I have to do.

      • @[email protected]
        link
        fedilink
        English
        51 year ago

        Docker creates a virtual Linux environment basically, they mean they would like the user in that environment to not be root. I can submit a MR later today to do so (I authored the automatic docker builds MR)

        • Shadow
          link
          fedilink
          English
          41 year ago

          Yes this, thanks!

          Basically it’s not hard to break out of docker, I don’t want to run photon as root. If it gets hacked while running as root, it’s game over.

          • ubergeek77
            link
            fedilink
            English
            31 year ago

            It’s pretty hard to break out of Docker unless the user does something stupid, like mount the host’s Docker socket into the container.

            Casual container breakouts are not common at all, they’re a big deal, and fixed pretty quickly.

            • Shadow
              link
              fedilink
              English
              21 year ago

              A quick google tells me there were 3 vulns in 2022 allowing it. I’m not sure why you would argue for a horrible security practice under the excuse “it’s not common”. Even if it was only once every few years, the app doesn’t need root so it shouldn’t run as root.

              • ubergeek77
                link
                fedilink
                English
                41 year ago

                I’m not advocating for running containers as root, I was correcting your suggestion that container breakouts are trivial and easy to perform. But let’s walk through those 2022 breakout vulns shall we? I even found one more.

                CVE-2022-0847 - DirtyPipe, a Linux kernel vulnerability, and one of the most major and prolific Linux kernel vulns to date. In addition, it wouldn’t have mattered if the container ran as root or not, this was a significant Linux kernel flaw. In fact, the PoC runs the container as an unprivileged user.

                CVE-2022-0492 - Needed CAP_SYS_ADMIN to be exploitable, isn’t exploitable anymore, and falls under my remark of “the user doing something stupid.”

                CVE-2022-0492 - Vulnerability due to cgroups, and wouldn’t be exploitable as a root container user unless a very specific set of 5 prerequisites were met. “Just being root” was not enough for exploitation.

                CVE-2022-23648 - Was a read-only vulnerability relating to volume mounts, root vs non-root was not relevant to the vulnerability, and it only allowed for “breakout” in situations where you’re running in a Kubernetes cluster and the container can read service account tokens. Running as a non root user would not have prevented this.

                I’m not saying “running as root doesn’t matter,” running as a non root user is a best practice, yes. But breakout vulns are more rare and harder to exploit than even your response to me is trying suggest.