A curated reading path for engineers who ship software to Linux servers and want to understand what the kernel is actually doing for them. Capabilities, systemd, networking, security — the parts of Linux that have been quietly waiting to make your deployment story simpler, safer, and more honest.
Capabilities · Security · Deployment
Stop Running as Root. You Never Needed To.
Linux has had fine-grained process capabilities for over a decade. setcap, setpriv, hardened systemd units, and a one-line sysctl change each solve the low-port problem without handing your entire system to a web-facing process.
CAP_NET_BIND_SERVICE · setpriv · setcap · systemd · sysctl
Sandboxing · Security · Go
Sandboxing Without the Sandbox: Linux Landlock in Go
Your Go binary can tell the kernel exactly what it needs — and the kernel will deny everything else. No containers. No root. No daemon. Five lines of code between "deployed" and "hardened."
Landlock LSM · go-landlock · landrun · phased privilege drop
Terminal Craft · Shell · Pipelines
xargs: The Command Nobody Explains Properly
Every Unix pipeline has two gaps: stdin vs arguments, and the OS command-line length limit. xargs bridges both. The mental model, every flag that matters, BSD vs GNU portability, and the patterns worth memorising.
xargs · -I {} · -0 · -P parallel · sh -c · find -print0