Single user PC/desktop - primary userid question

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Single user PC/desktop - primary userid question

#1 Post by ruffwoof »

I have Debian Jessie installed on a sole use desktop PC. Typically I only ever run root at the cli level, but I also have a userid "user" that loads xorg/desktop, and that can su/sudo. I also have a third userid "ff" that I set up to use rbash and has no su nor sudo (I also have permissions set around that to prevent it from broad access to data/docs folders/drives). I primarily use that ff userid as my default boot choice (I have it set to autologin) i.e. mostly for firefox browser/online purposes, and Ctrl-Alt-Fn to login as user whenever I want to do other stuff (editing/spreadsheets etc., but no internet).

A bit like a sandboxed userid in some respects. The browser is one of the weak points and running that with a reduced privileges userid seems reasonable to me. However I was wondering if that is a common choice/approach, or do others more commonly use some other choice/setup?

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

#2 Post by kopper »

ruffwoof wrote: However I was wondering if that is a common choice/approach, or do others more commonly use some other choice/setup?
I find your setup interesting and well, not common at all. I'd be curious to hear what kind of benefit your approach has compared to running the browser with e.g. AppArmor (MAC) and firejail (sandbox). Instead of having multiple accounts, why not secure the one you actually use? I guess there are some minor advantages in having 'segregation of duties' with accounts for different purposes, but for a single-user machine it really doesn't seem worth the effort.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

srq2625
Posts: 44
Joined: 2016-02-26 11:01

Re: Single user PC/desktop - primary userid question

#3 Post by srq2625 »

kopper wrote: I guess there are some minor advantages in having 'segregation of duties' with accounts for different purposes, but for a single-user machine it really doesn't seem like worth the effort.
Actually, his setup seems (on the surface at least) to address two aspects of Cyber-Security:
  1. Separation of Duties
  2. Least Privilege
Not being anything even remotely like a Linux security guru, I still have to think that there are many more things that one can/should do if one is interested in hardening/securing their Linux computer. Getting and implementing applicable portions of the Security Technical Implementation Guide for Red Hat might be a good place to start.

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

#4 Post by kopper »

srq2625 wrote: ...Security Technical Implementation Guide for Red Hat...
You meant Debian right?
https://www.debian.org/doc/manuals/secu ... ian-howto/
srq2625 wrote: Actually, his setup seems (on the surface at least) to address two aspects of Cyber-Security...
Separation or segregation of duties is an effective mechanism when there's two or more persons involved. In this case user accounts are handled by the same person.

If your goal is to run software in unprivileged mode (like you should do anyway with any browser), the same can be achieved with any user without compromising the system. This answers the question of least privilege and that's why sudo exists in the first place. Another, more critical point in my opinion is to restrict the application's access to system resources. This could be handled with MAC and sandboxing.

Unless I'm missing some very crucial point (which I wish someone would point out) I think there is little to be gained with extra user accounts for different purposes, at least from security's point of view. Of course you may want to contain your stuff in different accounts and that is just fine. I just feel that having separate accounts just for the sake of "separation of duties" and "least privilege" leads to a false sense of security and efforts to secure the system should be directed elsewhere, e.g. proper configuration of software, firewall maintenance, security updates, mandatory access control and correct usage of elevated privileges.

Before anyone can call me out on this, security is naturally a far wider issue than a single control, like having a separate account for a different purpose. I don't say it won't contribute to the big picture, but it's a very small part and, at that, pretty inefficient.

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Single user PC/desktop - primary userid question

#5 Post by Wheelerof4te »

I find your approach to security good, IF you wish to learn about Internet security or are preparing to work for Red Hat, for example.

Otherwise, you are a bit paranoid if all you need is a simple desktop experience. Not to offend, just saying. GNU/Linux is much more secure, Debian even more so, by mere design than Windows. For a single-user desktop, the default setup is good enough, assuming you are careful.

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

#6 Post by kopper »

wizard10000 wrote: No, I'm pretty sure he was talking about DISA STIGs, which are DoD technical security guides and considerably more restrictive than Debian's security recommendations....
http://iase.disa.mil/stigs/Pages/index.aspx
Ah, I see. Thanks for the link!

Maybe an easier "good place to start" would be something Debian-specific though... :) Even CIS has hardening guidelines for Debian available to the general public (tip: search for "cis benchmark debian 8"). :wink:

srq2625
Posts: 44
Joined: 2016-02-26 11:01

Re: Single user PC/desktop - primary userid question

#7 Post by srq2625 »

Yes, the DISA STIG. There are going to be parts that don't apply to Debian, but there will be a lot that does.

As for the Least Priv comment I made...

The OP referenced a lower-priv account for his internet connection work. Running FF et al. from a lower-priv account may (will?) reduce the exposure surface as compared to running from a "normal priv" account.
I just feel that having separate accounts just for the sake of "separation of duties" and "least privilege" leads to a false sense of security and efforts to secure the system should be directed elsewhere, e.g. proper configuration of software, firewall maintenance, security updates, mandatory access control and correct usage of elevated privileges.
I have to agree 100% with this - security is much more than just one thing or another, thus my comment/reference to the DISA STIG. Security is the whole package. When/if implemented correctly, the pieces you mention will, no doubt, provide a much better ROI than worrying about running things from different accounts.

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: Single user PC/desktop - primary userid question

#8 Post by ruffwoof »

Fundamentally I run Debian as a desktop and use Debian provided binaries only, sticking to just the MAIN repository i.e. my /etc/apt/sources.list content is

deb http://deb.debian.org/debian/ jessie main
#deb-src http://deb.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main

I commented out the sources as I don't compile anything myself.

I use root (terminal) login to manually apt-get update; apt-get upgrade relatively regularly (yes I know I should perhaps have that set up to run automatically to get any updates asap, but I'm ok with running it manually myself perhaps every other day or so). I use user, that can su/sudo, relatively infrequently ... more as a graphical root userid i.e. to run gparted or gksu pcmanfm to edit the configuration when required. And to run office on more personal documents (financial spreadsheet), and even access my bank's web site (load firefox with no addons/extensions and go straight to my bank's web site, nowhere else before or after ... and then delete ~/.cache/mozilla and ~/.mozilla folders afterwards). Otherwise I use ff (restricted) all of the time. I've set things up so that has access to a /SHARED folder that I use as a gateway between user and ff. Mostly storing docs etc. under that ff userid directory structure that I would be little concerned if lost/accessed by anyone else.

I don't mind using Ctrl-Alt-Fn to switch between ff and user and sometimes have both gui desktops logged in during the same session to flip between the two. I don't really see having another userid as much of a bother, as that just makes the number of lines in /etc/passwd 33 instead of 32. I guess it's just whatever you're comfortable with and I had assumed that my sort of setup might have been the more common arrangement with typical desktop end user type setups than what appears to be the case.

Thanks for all of the replies.

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Single user PC/desktop - primary userid question

#9 Post by pendrachken »

wizard10000 wrote: Seems to me the easiest way to sandbox the browser would be to use sudo or su to run your browser as the unprivileged user. Remember to ensure the unprivileged user has his own environment set and doesn't use yours - sudo -i or su -l (or just su -)

You may also have to use xhost or similar to grant the other user permission to connect to your X session but that's not a real big deal either.


Sounds kind of backwards to me.

IF I were to separate to this level, and I don't think it is remotely necessary for home use, I would just run as the lowest user ( for browser in this case ) then su / sudo to the higher user for document editing / su-to-root. You could also implement BSD / Gentoo style root restrictions by requiring users that can become root to be in the "wheel" group. This would prevent the browser user from logging into root ( and is a POSSIBLE exploit mitigation, depending on the exploit ) unless they logged into the higher privileged account ( which is in the wheel group ) first.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P
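
A way to check the arrangement discussed in this thread on a Debian system, as an added example that is not from any poster: it verifies that a browser account (the "ff" of post #1) logs in with rbash, is outside the sudo group, and that su is gated by pam_wheel as in the wheel-group suggestion of post #9. The function names are hypothetical, and sudo rights are assumed to come from membership of the "sudo" group, as in Debian's default sudoers.

```shell
#!/bin/bash
# Added example, not from the thread. File arguments default to the live
# system files, so each function can also be run on constructed copies.

# in_group USER GROUP [GROUPFILE] [PASSWDFILE]: supplementary or primary member?
in_group() {
    local user="$1" group="$2" gf="${3:-/etc/group}" pf="${4:-/etc/passwd}"
    awk -F: -v g="$group" -v u="$user" '
        FNR == NR && $1 == g { gid = $3; if (index("," $4 ",", "," u ",")) ok = 1 }
        FNR != NR && gid != "" && $1 == u && $4 == gid { ok = 1 }
        END { exit !ok }' "$gf" "$pf"
}

# su_gate_group [PAMFILE] [GROUPFILE]: print the group pam_wheel enforces for
# su; fail if there is no uncommented "auth required|requisite pam_wheel.so".
su_gate_group() {
    local pam="${1:-/etc/pam.d/su}" gf="${2:-/etc/group}" line
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$pam" | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        *group=*) line="${line#*group=}"; echo "${line%%[[:space:]]*}" ;;
        *)  # no group= option: pam_wheel uses "wheel", else the GID 0 group
            if grep -q '^wheel:' "$gf"; then echo wheel
            else awk -F: '$3 == 0 { print $1; exit }' "$gf"; fi ;;
    esac
}

# audit_browser_account USER [PASSWD] [GROUP] [PAMFILE]
# Prints one finding per line; returns 0 only when there are none.
audit_browser_account() {
    local user="$1" pf="${2:-/etc/passwd}" gf="${3:-/etc/group}" pam="${4:-/etc/pam.d/su}"
    local shell gate bad=0
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$pf")
    case "$shell" in
        */rbash) ;;
        *) echo "login shell '$shell' is not rbash"; bad=1 ;;
    esac
    # Assumption: sudo rights come from the "sudo" group (Debian default sudoers).
    if in_group "$user" sudo "$gf" "$pf"; then echo "member of group sudo"; bad=1; fi
    if gate=$(su_gate_group "$pam" "$gf"); then
        if in_group "$user" "$gate" "$gf" "$pf"; then echo "member of su group '$gate'"; bad=1; fi
    else
        echo "pam_wheel not enforced for su"; bad=1
    fi
    return "$bad"
}
```

Run as root, `audit_browser_account ff` reads the live /etc/passwd, /etc/group and /etc/pam.d/su; it does not inspect file permissions on data directories or a custom sudoers file.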
