While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but it reduces the overall attack surface significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need; they still work when run as root, with run0 or #sudo-rs.
```nix
# Keep the affected module from being autoloaded
boot.blacklistedKernelModules = [
  "algif_aead"
];

security.sudo.enable = false;

security.wrappers = {
  su.enable = false;
  pkexec.enable = false;
  # example setuid binary: keep the wrapper, but drop the setuid bit
  chsh = {
    source = "${pkgs.shadow}/bin/chsh";
    setuid = lib.mkForce false;
    owner = "root";
    group = "root";
  };
};
```
-
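A small audit script that checks the two measures the post above configures, added here as an example; it is not the poster's code and not part of NixOS. It reports whether `algif_aead` is currently loaded, whether a modprobe `blacklist` line for it exists, and which setuid-root binaries remain after the wrappers were trimmed. The checks read their input from stdin so they can be run against captured text; the `audit_live` variant assumes GNU `find` (for `-printf`), a readable `/proc/modules`, and the NixOS wrapper directory `/run/wrappers/bin`. The sample `lsmod`, `modprobe.d` and `find` output at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit example (not from the thread above). Each check reads stdin so the same
# logic runs against captured text (the constructed samples below) or the live host.

# Succeeds (exit 0) if module "$1" appears in lsmod or /proc/modules style input.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Succeeds if a "blacklist <module>" line for "$1" appears in modprobe.d style input.
# Caveat: a blacklist entry only stops alias-based autoloading (for example when a
# program opens an AF_ALG socket); an explicit "modprobe algif_aead" still loads it.
module_blacklisted() {
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|\$)"
}

# Prints the root-owned paths from "<owner> <path>" lines, as produced by
# GNU find with -printf '%u %p\n'. Sorted so the output is stable.
setuid_root_binaries() {
    awk '$1 == "root" { print $2 }' | sort
}

# Counts the entries printed by setuid_root_binaries (avoids wc -l padding differences).
count_setuid_root() {
    setuid_root_binaries | awk 'END { print NR }'
}

# Live variant for a real host (assumes GNU find and /proc/modules, as on NixOS).
audit_live() {
    mod=algif_aead
    if module_loaded "$mod" < /proc/modules; then
        echo "$mod: LOADED"
    else
        echo "$mod: not loaded"
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | module_blacklisted "$mod"; then
        echo "$mod: blacklisted"
    else
        echo "$mod: NOT blacklisted"
    fi
    echo "setuid-root binaries:"
    find / -xdev -type f -perm -4000 -printf '%u %p\n' 2>/dev/null | setuid_root_binaries
}

# --- constructed sample inputs, standing in for the live system ---
LSMOD_SAMPLE='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead'

MODPROBE_SAMPLE='# constructed modprobe.d content, as boot.blacklistedKernelModules would generate
blacklist algif_aead'

FIND_SAMPLE='root /run/wrappers/bin/passwd
root /run/wrappers/bin/chsh
nobody /tmp/example'

if printf '%s\n' "$LSMOD_SAMPLE" | module_loaded algif_aead; then
    echo "sample: algif_aead is loaded"
fi
if printf '%s\n' "$MODPROBE_SAMPLE" | module_blacklisted algif_aead; then
    echo "sample: algif_aead is blacklisted"
fi
echo "sample: setuid-root binaries"
printf '%s\n' "$FIND_SAMPLE" | setuid_root_binaries
```

On a real host, source the file and call `audit_live`; a module that is loaded but blacklisted usually means it was already resident before the configuration was applied, so a reboot (or an explicit unload) is still needed for the blacklist to matter.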
@Rhababerbarbar setuid binaries have nothing to do with the vulnerability; they are just an easy way of exploiting it. Avoiding them does not make you less vulnerable to copyfail. (Blacklisting the kernel module is good.)
@marie @Rhababerbarbar Also, almost no one is going to be running the vulnerable kernel module anyways unless they compiled a monolithic kernel, so... yeah, feels pretty overblown to me.