macbookpro linux install hooks

[[email protected] usr]# cat /boot/refind_linux.conf 
"Boot with standard options"  "ro root=UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f intel_iommu=on iommu=pt efi=noruntime text"
#"Boot to single-user mode"    "ro root=UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f intel_iommu=on iommu=pt efi=noruntime text single"
#"Boot with minimal options"   "ro root=/dev/nvme1n1p5"
[[email protected] usr]# cat /etc/mkinitcpio.conf |grep thunderbolt
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck thunderbolt)
# thunderbolt3 
MODULES="thunderbolt"
[[email protected] usr]# cat /etc/initcpio/install/thunderbolt
#!/bin/bash
build() {
    add_runscript
}
help(){
echo "I don't know if this is needed for it to work"
}
[[email protected] usr]# cat /etc/initcpio/hooks/thunderbolt 
#!/usr/bin/ash
run_hook(){
echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
}

[[email protected] usr]# 
[[email protected] usr]# cat /etc/fstab 
# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f   /   ext4    rw,relatime 0 1
#/dev/nvme1n1p5         /           ext4        rw,relatime 0 1

UUID=8403-1904  /boot/grub/efi  vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
#/dev/nvme1n1p2         /boot/grub/efi  vfat        rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 2

/swapfile               none        swap        defaults    0 0

[[email protected] usr]# 

mkinitcpio -P

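Docker group membership is more dangerous than sudo

The Docker daemon has setUID root, and by design allows easy access to the host filesystem as root. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized application to do so. Access to the Docker command effectively grants full root privileges.

In addition, Docker has no equivalent of sudo's password check, which means that a successful arbitrary code execution attack against a user in the docker group effectively grants the attacker root privileges. The safer choice is therefore never to add a user account (even your own) to the docker group, so that Docker commands can only be used via sudo.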

https://wiki.debian.org/Docker
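
The check below is an added example, not part of the original page or the Debian wiki: it lists every account that holds docker group membership, including accounts whose primary GID is the docker GID and therefore never appear on the docker line of /etc/group. The function names are hypothetical and the sample group and passwd contents are constructed.

```bash
#!/bin/bash
# Added example: audit docker group membership.
# Input files follow the group(5) and passwd(5) formats.

# Print the accounts that are in the docker group, one per line, sorted.
# $1 = group file, $2 = passwd file (defaults: the live system files).
docker_group_members() {
    local group_file="${1:-/etc/group}"
    local passwd_file="${2:-/etc/passwd}"
    local gid
    # group(5): name:password:GID:comma-separated member list
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0    # no docker group, nothing to report
    {
        # Supplementary members listed on the docker line.
        awk -F: '$1 == "docker" { n = split($4, m, ",");
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        # Accounts whose primary GID is the docker GID are not in that list.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Return 0 when no account is in the docker group (the state the text
# recommends), 1 otherwise.
docker_group_is_empty() {
    [ -z "$(docker_group_members "$@")" ]
}

# Constructed sample data (not taken from a real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
wheel:x:998:alice
docker:x:970:alice,ci
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ci:x:1001:1001::/home/ci:/usr/bin/nologin
build:x:1002:970::/home/build:/bin/bash
EOF

echo "Accounts in the docker group (sample data):"
docker_group_members "$sample_dir/group" "$sample_dir/passwd"
```

Called with no arguments, `docker_group_members` reads the live /etc/group and /etc/passwd; it does not query NSS sources such as LDAP.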