Edge re-installing itself after I’ve manually taken ownership of its files and purged them from the system 6 fucking times is what’s going to finally drive me to abandon windows and go full linux.
I just haven’t had the time or energy to rebuild my software stack on a still pretty new to me OS. (emby, the Arrs, Ombi, nginx, and more)
I set up a debian machine a while ago and have been slowly trying to get used to it while migrating a few things, but it’s hard when windows is so engrained in most of what I’ve done on pc.
This sort of thing is why I finally switched my gaming PC - I was spending a bunch of time fighting to get Windows to do what I wanted that I figured I might as well be doing all that work on Linux.
At least Linux doesn’t deliberately fight me. When I have to spend time getting Linux to do something it’s because developers haven’t gotten to it yet, not because corporate are enforcing their vision of how I’ll use my system.
A damn good point.
I really got to get around to telling Microsoft to fornicate themselves with the wide end of a rake…
Out of curiosity, why Emby over Jellyfin?
It’s more mature and feature rich. Just like Plex vs. Jellyfin.
Mostly because they got there first tbh.
I started with Plex and was immediately unhappy with their always online model, shitty support, and data harvesting practices. (which has gotten significantly worse over the last few years)
Moved to Emby as the only alternative I’d heard of at the time (7 years ago), and was immediately impressed with how much easier it was to use, its stability across all platforms I use, their friendly and helpful forums, and their stance on keeping your server your own (no telemetry or dependency on external servers). I pretty quickly purchased a lifetime premier license and it’s never failed me.
From there I learned of Jellyfin but by then had no reason to move. Beyond that, I’m just not really a fan of Jellyfin’s origins (ie forking emby because they didn’t like Emby’s licencing) and their development has regularly lagged behind the others largely because they lack funding to keep a dev team AFAIK. (keep in mind that’s an opinion from a distance, I don’t pay much attention to Jellyfin as I’m happy with Emby)
I moved to Fedora (KDE Plasma) about a year ago. I had researched alternatives for all I needed.
I installed it on a new machine and kept an old windows machine running.
It took a month or so to get things how I liked.
I miss some things in Windows but found some real time saving features in linux, on the whole I am better off.
And I feel a whole lot safer.
When Linux spoons me in bed and whispers in my ear that it loves me, that’s when I feel really safe.
Side question:
Know a good place I can learn linux user/group/permission management?
I don’t understand it well enough so I do a stupid amount of things as root…
A good start is using something like sudo rather than logging in as root.
sudo gives your command root permission when it runs. That way you can delete the password from the root account and it can’t be logged in with. sudo will ask for YOUR password and then check if you have permissions to elevate your command to root level.
In a simple setup, you can just use sudo for anything you would normally do as root.
This can protect you from mistakes too, when running commands that you’ve mistyped. For example, if you want to do “rm -rf ./*” to delete all files in the current directory, but you forget the dot (period); if you’re at a root prompt, you just deleted your entire filesystem. If you’re not, then you get a permission error.
How do I manage what users can use sudo?
One issue is trying to create a user to run services under, but not knowing how to give it permission to access what it needs (while also not entirely sure what it should/shouldn’t have permissions for).
Or just generally managing file permissions. I understand using chmod in a very basic capacity with a few letter arguments like +r, but then you toss in numbers (chmod 777, wut?) and I get lost.
The /etc/sudoers file is what you’d need to edit, and you’d use the visudo command to edit it.
chmod is indeed used for file permissions, but you can also use SELinux or AppArmor for more access/role/action based permissions (aka Mandatory Access Controls) instead of just limiting yourself to file permissions (aka Discretionary Access Control). There’s also udev rules (for device/sysfs access) and PAM (Pluggable Authentication Modules). Then there’s cgroups and namespaces for process limits and sandboxing. Really depends on what you’re trying to achieve.
But is there any reason why you’re looking into micromanaging service permissions? Most users, or even power users wouldn’t need to touch that stuff at all.
If it’s in a corporate environment, you’d already be running something like SELinux or similar and you’d apply a baseline security profile that meets various compliance specs. Very rarely would you have to mess with permissions of a service.
If this is for personal stuff, you’d just make use of multiple user accounts (if it’s a multi-user system), or just sandboxing (containers, flatpak etc) to run untrustworthy stuff like web browsers. None of this stuff would require you to touch chmod.
Because I don’t know any better, having very little base knowledge of linux.
The thought process here was that services like nginx should be running under a separate user from root and your main daily user account, only having access to the files it actually needs, but not really knowing how to achieve that. I know genuinely nothing about linux user management and feel a bit overwhelmed trying to figure out where to start :/ (especially coming from the all graphical UI experience of Windows)
Chmod is/was the only tool I’ve known about for managing permissions. I end up running stuff as root in my experimentations because I randomly run into permissions errors, but don’t know how to solve them, particularly without creating more problems for other processes.
I’m using Debian as a first Linux desktop experience; previously I’ve done some experimenting with rpis managed via ssh, mostly to run pihole, that’s about it. The rest has been windows where I was familiar.
Okay so that’s different.
nginx only runs the master process as root, but the actual worker processes already run under a low-privileged account called http. If you want to run the master process as well as non-root, you can follow the instructions here: https://wiki.archlinux.org/title/nginx#Running_unprivileged_using_systemd
To restrict access to files, you’d be editing the nginx config file, you can read on how to do that in the nginx documentation, or check ServerFault etc.
But the modern Linux world revolves around containers. There’s an official Docker image for nginx that you could use if you’d like, and that’d make it a much more secure - and portable option.
Also, I’d recommend checking the Arch Wiki first for anything Linux related - the wealth of knowledge and documentation there is unmatched, and is useful even if you’re not running Arch.
Thanks for your help m8, I appreciate it.
I’ll have to do some more reading once I’ve got some time.
In addition to what other posters said, some distros allow you to add a user to the “sudo” group (as a secondary group assignment; don’t make it their primary) to allow them sudo access.
Edit your /etc/sudoers file using visudo
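The numeric chmod modes asked about above, as an added example that is not from any poster in this thread: each digit is the sum of read (4), write (2) and execute (1), for owner, group and others in that order, and the audit function lists paths anyone on the system can write to, which is what 777 produces. The function names and the site/ tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decode numeric chmod modes and
# audit a directory tree for world-writable paths.

# Convert a 3-digit octal mode (e.g. 750) into the rwx string ls shows.
mode_to_rwx() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    _rest=$1
    _out=""
    while [ -n "$_rest" ]; do
        _digit=${_rest%"${_rest#?}"}    # first character of what is left
        _rest=${_rest#?}
        # Each digit is a sum: 4 = read, 2 = write, 1 = execute.
        if [ $((_digit & 4)) -ne 0 ]; then _out="${_out}r"; else _out="${_out}-"; fi
        if [ $((_digit & 2)) -ne 0 ]; then _out="${_out}w"; else _out="${_out}-"; fi
        if [ $((_digit & 1)) -ne 0 ]; then _out="${_out}x"; else _out="${_out}-"; fi
    done
    printf '%s\n' "$_out"
}

# List files and directories under $1 that any user may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Build a constructed web root with tight modes plus one 777 mistake,
# then print what the audit finds (paths relative to the temp dir).
demo() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/site/uploads"
    echo '<h1>hi</h1>' > "$_root/site/index.html"
    echo 'secret' > "$_root/site/app.conf"
    chmod 750 "$_root/site"              # owner rwx, group r-x, others none
    chmod 644 "$_root/site/index.html"   # world-readable page
    chmod 640 "$_root/site/app.conf"     # owner rw, group r, others none
    chmod 777 "$_root/site/uploads"      # the "just make it work" mistake
    world_writable "$_root" | sed "s|^$_root/||"
    rm -rf "$_root"
}

demo
```

For a service account, the usual pattern is to put the files in a group the service user belongs to and use modes like 750 and 640, so the service reads what it needs and other accounts get nothing.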
To play devil’s advocate, that’s because Edge is the system web view used for system components. Removing it means certain UI for system components won’t be able to be rendered. It’s the same reason why uninstalling Chrome from Android breaks a bunch of stuff. They should decouple the web view from the browser but here we are.
Actually, Edge WebView2 is a separate system component pushed out via Windows Update (can also be bundled with individual apps), and is independent of Edge the browser.
So you can actually uninstall Edge the browser completely if you wanted to, and still keep using Webview.
Of course, it’s a different story that Microsoft like to sneak it back in as part of an update or something.
Exactly. Those OS updates are most likely fixing / reinstalling Edge since it is either considered corrupted or to push a newer version. Set a different default browser, unpin it from the taskbar and you are good to go.
All these “fixes” and “debloaters” in the long run most likely will cause problems.
I don’t care. None of the stuff that breaks is even remotely important to me.
If I’ve made a point of removing a piece of software; reinstalling it, re-adding shortcuts in 3 different places, and changing my default back to edge with every system update (and now automatically harvesting all the data from every other installed browser) makes me want to personally lynch Satya Nadella. (Microsoft’s CEO)
Were you on a Windows Pro license and did you try using group policy settings?
I keep hearing people being frustrated that low level solutions don’t work, but I’ve not heard of anyone having these issues who has used the official tools Microsoft provides for Windows sysadmins (and power users) to actually manage this sort of thing.
I get that logically, it shouldn’t matter whether you put a sign up telling Edge to fuck off when you’ve bulldozed it down six times, but Windows sees that it’s gone and your settings (by default with no group policy config) indicate it shouldn’t be gone, so it “helpfully” rebuilds it.
Power users are not their market for normal home licenses. Those are for the people who don’t know the difference between Edge and Chrome and need protection from making dumb mistakes like deleting Edge and ending up without any web browser. Unfortunately, those are the grand majority of computer users, and it makes good business sense to take advantage of “just helping” to provide a locked down ecosystem and push your software on power users who don’t know the management options available.
Windows doesn’t do a good job advertising these features, and has made them harder to find by getting rid of a lot of their old non-cloud sysadmin training courses, because it doesn’t help them make money. But by no means are these options non-existent.
They offer a Windows version for power users. It’s the Pro license, and it doesn’t cost significantly more if you’re buying a cheap “OEM” key.
If you want to make Windows work for you, look at the tools they have for on premises (non-cloud) Windows system administration in small companies.
KMS (key media server) is one way to manage Windows license keys for multiple machines in a domain. KMSpico emulates that setup on a single machine (no server needed), allowing safe spoofing of whatever level Windows license you want, using the same systems and technique meant for actual sysadmins. Last I knew, that was the safest way to spoof a license if you don’t have the ~$15 for one.
Group policy is one of a few ways to push consistent Windows configuration and settings to multiple machines in a domain. It is also an option for managing settings on individual Pro licensed Windows machines. Most of the time when you find weird registry key changes online to enable/disable Windows features, those are part of what Group Policy changes when you use it to disable a feature the proper way. Windows respects group policy options through updates, and releases updates to group policy templates as needed. They don’t want to fuck with their big business clients that can actually hurt their bottom line, so they keep those working.
I do have a pro license (for RDP), but I’m not familiar with the group policy editor. Wasn’t aware it could disable Edge. I’ll have to explore that more. It’s rather absurd a user has to go to those lengths to keep data they’ve deleted, deleted.
Still gonna move to linux. Been a long time coming.