this post was submitted on 30 Jul 2024
68 points (97.2% liked)

I am going to ask if I may use linux for work. We are using windows but there is nothing that couldn't be done on linux. Privately, I am mainly a fedora user but I'd be happy with any OS and DE or wm. What do I need to look out for when I suggest an OS? What does a computer/ linux/DE need in order to be ready for enterprise workstation? Will I only have a user and no sudo rights? May I install all flatpak apps? Does the admin have to be able to remote ssh?

top 42 comments
[–] [email protected] 54 points 4 months ago (1 children)

if it's a large enough company, expect them to have systems administrators (sometimes called systems engineers nowadays) to exert control over their windows systems using either active directory or azure iam policies.

there are multiple ways to get a linux system to comply with those policies; but that doesn't matter since they'll make the case to management that the extra operational costs of either getting your system to become compliant or providing you with support will hurt the budget and/or suck up extra bandwidth for support.

your best bet in such cases is to offer written agreements that you will never seek out IT's help and you will take full responsibility if you're not able to get your work done because of your linux system, and provide a plan written down for each eventuality you can think of when your linux system doesn't work as expected.

i would also expect your manager to reject your request despite these efforts unless you're a highly enough paid individual contributor or have a special enough relationship with upper management.

[–] [email protected] 20 points 4 months ago (1 children)

Honestly the only hope will be if there is a Linux nerd in the IT shop who is willing to make the case for OP from the sysadmin side of the fence. If you don't have someone batting for you in that corner, there's basically no hope.

Source: I've been using Linux at work in a Windows centric org for 5 years. Only reason is because a blessed nerd in my local IT support shop was on my side when I started there.

[–] balder1993 4 points 4 months ago

Another option is to have enough people in the company interested in using that to justify it.

In my company (a large bank) Linux is now being rolled out to selected people as test because there was enough interest from a lot of the backend crowd.

[–] [email protected] 28 points 4 months ago* (last edited 4 months ago) (3 children)

If you work for a larger company, they will likely want you to keep using what they already have, not because Linux can't do the job but because it's a PITA to maintain different devices.

[–] [email protected] 16 points 4 months ago (1 children)

Also, they will likely not appreciate having a lone user with a unique attack surface.

[–] [email protected] 13 points 4 months ago (1 children)

They will say, while simultaneously ignoring every NIST recommendation

[–] [email protected] 1 points 4 months ago

We don't ignore them. We scope out implementation plans constantly, it's just when they hit the MBA manager's desk they tend to end up in the shredder.

[–] 0x0 1 points 4 months ago (1 children)

Also most Windows-centric companies hire Windows-centric sysadmins who'll hide behind any excuse not to show their linux ignorance.

[–] [email protected] 4 points 4 months ago

Also most Windows-centric companies hire Windows-centric sysadmins who’ll hide behind any excuse not to show their linux ignorance.

my favorite line they like to use is something to the effect of: we have to use something that can handle many users; implying that linux cannot handle thousands to millions of users, completely ignoring that it's the most widespread server os on the planet handling billions of users.

[–] [email protected] 1 points 4 months ago

Depends, every tech company I've worked at has had Windows machines for project managers, account managers etc, and Mac for developers and designers. So it is possible to support two OSs as standard. I've always just picked the Mac but when my next laptop is due I may ask if anyone uses Linux

[–] [email protected] 21 points 4 months ago

It's funny because I'm not allowed to use a Linux machine as a main system, but all the appliances I build run Linux, so I built myself one of those machines to be able to test my other machines because my windows machine is so locked down I can't do anything with it. So every day I have to ssh into my Linux test bench to test our products. It's annoying.

[–] Shareni 16 points 4 months ago

Does your company have a serious IT department that manages devices?

If yes, then you'll need to do whatever they say, and be ready to be told that's not happening.

If not, I'd suggest a stable distro, encrypt the disk, and use flatpak/nix to install fresh packages. Fedora could work, but I've had bad luck with it, and wouldn't want to risk my device crapping out because of an update.

The rest is really going to depend on your work and your IT department.

[–] [email protected] 16 points 4 months ago

You probably will be told no. However, it never hurts to ask. I would go for bring your own device as that will allow you to set it up in a way that works for you.

[–] [email protected] 14 points 4 months ago

Most startups I've applied to are Linux friendly.

I currently work for a fortune 100 and managed to get a Linux machine purchased as a "lab" machine.

I'm fully in control. IT doesn't even know it exists. I'm not allowed on the corporate network, but I managed to get some internal corporate access through another department's lab network (IT sanctioned) that has a VPN with a few routes to things like ticketing, time cards, and our internal wiki. Most of the stuff I need to do my job is in AWS and we are allowed to add home IPs to the security groups.

IT still gives me a MacBook. I use it like once every 6 months.

nixos-unstable is the only thing I will use currently.

I'm running bleeding edge stuff like the latest kernel, Hyprland nightly, my own "shell" built from Gnome components and lots of custom stuff using GJS (Gnome JavaScript).

If you get one, and you are free to do whatever on it, encrypt your drives like your job depends on it. I have a memorized passphrase, pin protected hardware key, and a key in TPM. No biometrics.

As far as other nice things to have:

  • VPN: https://www.infradead.org/openconnect/ supports some common enterprise VPNs.
  • Communication tools (Teams, WebEx, Zoom, Slack, etc.). I tend to have access to 90% of what I need. My team is thankfully accommodating for the couple features I have issues with. Make sure you test things like Screen Sharing especially in Wayland if you use it.
  • VM: If you can get a corporate licensed image to run a corporate licensed version of Office, I recommend it. Office365 for web is missing a few features and often renders differently from native.
  • Password Manager and encrypt everything. System is encrypted as previously stated. My home volume (BTRFS) is encrypted with a different key/passphrase. My work's sensitive files are encrypted yet again using rclone with different keys. I try to minimize attack surfaces by unlocking only what I need when I need it.
  • Backups. I use rclone to back up to our corporate OneDrive. Nixos is immutable and I have it set up with impermanence where every reboot is like a fresh install if I didn't codify it in my nixos-config, which is tracked in git. I persist a few cache and setting directories in my home directory, but not much. I can restore my setup in like 20 minutes if I ever lost my machine.
  • Virtual mic and camera for noise suppression and blurring for communication tools that don't have it built in.
  • Evolution EWS works okay as an Exchange email client. I had to hunt some weird settings like tenant ID to get it to work. I've been using Webmail or Outlook in a VM more often though as of late.

I work in software dev as FYI. For the few issues I have, my team has more issues getting stuff working consistently on macOS for our project. I used that as a justification when requesting the laptop: my dev environment should closely match our runtime environment. Most of that is moot now since we use Nix flakes in our repos for local dev envs.

[–] [email protected] 14 points 4 months ago (1 children)

Linux VM with 90% of cpu and memory. Use it for almost everything. Have it configured as NAT so it can share the vpn connection from the host laptop.

[–] [email protected] -1 points 4 months ago (1 children)

It's better to have Windows in a VM.

[–] [email protected] 12 points 4 months ago

Sure, but I don't see how that's relevant to OP, here.

[–] [email protected] 13 points 4 months ago* (last edited 4 months ago)

I work at a microsoft based company and I am running Linux on my machine after getting approval from my IT security people.

I do need to set a couple of things up, for my machine to still be compliant with the company policies.

So far that is:

  • Enrolled in Intune (via microsoft's intune portal app)
  • Full Disk Encryption (pretty standard these days)
  • Microsoft Defender Endpoint (a requirement many companies have)
  • Strong passwords that are changed pretty often

But whether you are allowed to or not, really depends on your IT department and the company policies.

[–] [email protected] 10 points 4 months ago (1 children)

I work for a large state university and run linux on my office machine, despite the fact the IT office dept doesn't officially support it. I told our IT guy once what I'm doing and his response was, "cool." Of course I'm totally on my own if anything goes wrong. It helps that I'm a prof and most of my on-campus work doesn't involve much time on a computer, aside from basic web and documents stuff. tldr, in my case I'm able to just do it without asking anyone's permission, and it's worked out great for several years now, but a lot of jobs aren't like that obviously.

[–] [email protected] 3 points 4 months ago

I'm running linux on my work-issued thinkbook. I also asked the IT guy and he told me I could do whatever I wanted as long as it wasn't piracy. I originally dual-booted it but then decided to delete the windows partition and now I just run win10 on QEMU/KVM if I need to do anything sharepoint-related.

[–] ICastFist 8 points 4 months ago

The main selling point of business windows is Active Directory. I'm not aware of a Linux or FOSS alternative for it (I never looked). At a certain size, companies will want to have all computers log in via a central server and be able to remotely access and control any such machine.

[–] 0x0 7 points 4 months ago (1 children)
[–] [email protected] 1 points 4 months ago

Ominous blimp noises approaching from the distance

[–] [email protected] 5 points 4 months ago

In my previous job I ran my main laptop with Linux. Pain points:

  • MS Teams liked to crash on screen sharing
  • o365 email and calendar works best on Evolution, but still is not perfect
  • meeting rooms often had special usb dongle to connect to the screen. That never worked on Linux.

Overall it was glorious.

[–] [email protected] 4 points 4 months ago

I'd suggest one of the fedora atomic installs, maybe even get a couple renewed Thinkpads all set up, one with kde and one with gnome and let them play with them for a few days. I was the only engineer in my company that ran Linux and the boss's only concession was that I carry a windows PC too when he was onsite with me so he'd understand what I was doing, but he provided a nice one for me so I never complained.

[–] [email protected] 4 points 4 months ago

How it's set up depends on your business needs. We have a few hundred, and how they're set up and managed is defined by a dozen or so groups. Base image to deploy, then ansible and config management to set up the roles.

Users are generally authorised via AD using sssd. Some have very specific Groups which have normal user access and occasionally sudo privs for specific commands. SSH, RDP or physical access.

Our sysadmins have local users with root privs, but most administration is done at scale using ansible or Uyuni.

Like everything, least privilege is the best way. AD allows us to quickly control access if someone leaves or is compromised, but it could equally be done with any central LDAP system and groups.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

Many orgs mandate this. You'll be fine.

I used to roll out mint xfce edition or Qubes to our staff laptops, unless an employee asked for a specific distro. I think some used fedora.

Don't use flatpak; it's a security risk.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

Why is flatpak a security risk? The applications run isolated and offer higher security, unless I'm missing something?

[–] [email protected] 1 points 4 months ago (2 children)

Because it doesn't verify the authenticity of code it downloads before it installs it

[–] [email protected] 2 points 4 months ago (1 children)

I don't think that that's true. At least not more than for any other community maintained packages.

[–] [email protected] 3 points 4 months ago (1 children)

Debian is community maintained packages and they've done signed manifests on all packages, required by default, since like 2002.

Flatpak and snap are terribly insecure compared to standard distro package managers

[–] 0x0 0 points 4 months ago

What? No! Flatpak and Snap are the new trendy toys! How dare you criticize them!

/s

[–] [email protected] 1 points 4 months ago (1 children)

Neither does dnf/apt/pacman. You are always at the mercy of the package maintainer(s).

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago) (1 children)

Nope. Apt definitely cryptographically verifies the signatures of everything that it downloads. See man apt-secure

[–] [email protected] 3 points 4 months ago

I'm aware, signing the package is not the same thing as signing the code. The application is built by the package maintainer(s) and then the resulting packages are signed.

Which is the same thing that Flatpak does. Both depend on the trust for the repo owner and the package maintainer.

[–] dallen 2 points 4 months ago

My company only requires that I run their AV agent (bit defender).

Microsoft Teams is even flakier than on Windows (yes, it’s possible…)

[–] [email protected] 1 points 4 months ago

While I have to maintain an old Windows 7 box to run some ancient software on it, I do most of my development work on a Linux machine. I use LibreOffice to read and write documents, use Inkscape for drawings in my documentation, but first and foremost, my main IDE is Linux native (although a Windows port does exist).

[–] [email protected] -3 points 4 months ago (2 children)

It's better to ask forgiveness than permission. And forgiveness meaning "I didn't realize I couldn't do that"

[–] [email protected] 15 points 4 months ago (1 children)

This is horrific advice in this context.

As much as I would love to turf windows and jump to Linux I know that internal policy is you will be fired because you are breaking company policy and threatening company certifications and compliance.

[–] [email protected] 3 points 4 months ago

Thanks for balancing the comment. You're correct. For many, if not most jobs, my comment isn't good advice.

But if you ask, they will say no. If you do it anyway they could appreciate it. At my current and former jobs it ranges anywhere from a slap on the wrist to praise for creative use of resources.

I got caught by IT running Linux on four 15 year old optiplexes I found. They were unhappy, but were floored that they were running so well, and the fact that I was making use of something that was effectively trash. They let me keep them.

I was offering that perspective.

[–] [email protected] 11 points 4 months ago (1 children)

That strongly depends on the job. If the company has to follow regulations to meet some security posture, wiping the OS (and all the security tools and configuration set up by IT) to put your own favored OS without matching the security requirements could wind up with you getting fired.

[–] [email protected] 1 points 4 months ago

Oh yea for sure. There is a huge difference between a startup and a defense contractor.