[[email protected] usr]# cat /boot/refind_linux.conf
"Boot with standard options" "ro root=UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f intel_iommu=on iommu=pt efi=noruntime text"
#"Boot to single-user mode" "ro root=UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f intel_iommu=on iommu=pt efi=noruntime text single"
#"Boot with minimal options" "ro root=/dev/nvme1n1p5"
[[email protected] usr]# cat /etc/mkinitcpio.conf |grep thunderbolt
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck thunderbolt)
# thunderbolt3
MODULES="thunderbolt"
[[email protected] usr]# cat /etc/initcpio/install/thunderbolt
#!/bin/bash
build() {
add_runscript
}
help(){
echo "I don't know if this is needed for it to work"
}
[[email protected] usr]# cat /etc/initcpio/hooks/thunderbolt
#!/usr/bin/ash
run_hook(){
echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
}
[[email protected] usr]#
[[email protected] usr]# cat /etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
UUID=3ff5c47a-fda5-be42-b402-d6c4ddf8634f / ext4 rw,relatime 0 1
#/dev/nvme1n1p5 / ext4 rw,relatime 0 1
UUID=8403-1904 /boot/grub/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
#/dev/nvme1n1p2 /boot/grub/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
/swapfile none swap defaults 0 0
[[email protected] usr]#
mkinitcpio -P
Docker 组成员身份比sudo更危险
Docker 组成员身份比sudo更危险
Docker 守护进程具有setUID root ,并且在设计上允许
以 root身份轻松访问主机文件系统。这使得恶意用户读取和更改敏感系统文件或粗心的用户允许恶意容器化应用程序这样做变得微不足道。访问 Docker 命令有效地授予了完全的根权限。
此外,Docker 没有任何等同于sudo
密码检查的功能,这意味着针对docker
组中的用户成功执行任意代码攻击有效地授予了攻击者 root 权限。因此,更安全的选择是永远不要将用户帐户(即使是您自己的)添加到docker
组,这样 Docker 命令只能通过sudo
使用。