Comment

Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀

glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨month⁩ ago

This is a fantastic tool, but I’d love to confidently expose the API to the internet for the shortcut. To do that you need read-only and running as a user; I saw that that’s not a thing that works from the issues.

Any thoughts on getting those security features working? Cause the app itself is so smooth I’d let my parents use it and be confident they wouldn’t need to be herded constantly.

source

Sort:hotnew top

daniel31x13@lemmy.world ⁨1⁩ ⁨month⁩ ago
So you want to disable registration? It’s possible.

source
- glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨month⁩ ago
  No what I said isn't about user registration; it's about adding these to the docker-compose.yml:
  
  read_only: true user: 6969:6969
  
  to prevent running as root and making the file system read-only. The API needs to be exposed without a VPN or other proxy login since my parents' can't handle that, so if I was able to implement these recommended security steps I'd feel like I could open up the container to the internet at large without too much risk.
  
  Per this issue https://github.com/linkwarden/linkwarden/issues/799 it seems like there's a lot of steps to take to get these settings to work.
  
  It would be also ideal if I didn't have to give the container (but not a deal-breaker):
  
  cap_add: - CAP_SYS_ADMIN - CAP_SYS_CHROOT
  
  as the issue also states is required for the headless chrome scraper browser.
  
  I am using it internally now and it's really good, but to open it up for my parents (which I think they'd dig) I'd definitely want these security settings on without major issues. Linkwarden is an internet-facing application so these recommended security practicies are in its wheel-house, feature-wise, as well.
  
  Hope that helps clear up my comment!
  
  source
  - daniel31x13@lemmy.world ⁨1⁩ ⁨month⁩ ago
    Oh I see, thanks for letting me know! Yes that’s actually requested and we’ll be getting to it sometime.
    
    source
    glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨month⁩ ago
    Great to hear! It’s seriously slick and “just works”. With those security features up you can tout them on the cloud offering too :)
    
    source
  - Lem453@lemmy.ca ⁨1⁩ ⁨month⁩ ago
    How would you add new links if its read only?
    
    source
    glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨month⁩ ago
    As always you store data you want to keep in the volumes section.
    
    With read-only you prevent new binaries from being added in the image space. You can add ‘noexec’ to your volumes/tmpfs preventing binaries to the areas that are writable. Then ideally you are using an image with minimal surface area (e.g., only sh and the exact binaries needed to make it go) and it’s very secure! It’s still plenty secure without a minimal image.
    
    source
    -> View More Comments
  - somethingsomethingidk@lemmy.world ⁨1⁩ ⁨month⁩ ago
    So I have mine running in a podman quadlet. It runs as root in the container but it is unpriviledged. Mine has NET_ADMIN and SYS_MODULE but I honestly can’t remember why… SYS_ADMIN seems extreme though
    
    source
    glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨month⁩ ago
    Care to share your quartet? I’m just getting into the quads with trixie out - and I haven’t gotten this working yet…
    
    source
    -> View More Comments