Single user PC/desktop - primary userid question


Postby ruffwoof » 2017-07-26 17:29

I have Debian Jessie installed on a sole use desktop PC. Typically I only ever run root at the cli level, but I also have a userid "user" that loads xorg/desktop, and that can su/sudo. I also have a third userid "ff" that I set up to use rbash and has no su nor sudo (I also have permissions set around that to prevent it from broad access to data/docs folders/drives). I primarily use that ff userid as my default boot choice (I have it set to autologin) i.e. mostly for firefox browser/online purposes, and Ctrl-Alt-Fn to login as user whenever I want to do other stuff (editing/spreadsheets etc., but no internet).

A bit like a sandboxed userid in some respects. The browser is one of the weak points and running that with a reduced privileges userid seems reasonable to me. However I was wondering if that is a common choice/approach, or do others more commonly use some other choice/setup?
Debian Stretch (MAIN repositories only), jwm, pcmanfm --desktop
Acer Aspire M3201 (2GB), AMD Phenom X4, Nvidia GeForce 8600 GT.
ruffwoof
 
Posts: 168
Joined: 2016-08-20 21:00

Re: Single user PC/desktop - primary userid question

Postby kopper » 2017-07-27 09:55

ruffwoof wrote: However I was wondering if that is a common choice/approach, or do others more commonly use some other choice/setup?


I find your setup interesting and well, not common at all. I'd be curious to hear what kind of benefit your approach has compared to running browser with e.g. AppArmor (MAC) and firejail (sandbox). Instead of having multiple accounts, why not secure the one you actually use? I guess there are some minor advantages in having 'segregation of duties' with accounts for different purposes, but for a single-user machine it really doesn't seem worth the effort.
Debian 9 with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 48
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

Postby srq2625 » 2017-07-27 10:19

kopper wrote: I guess there are some minor advantages in having 'segregation of duties' with accounts for different purposes, but for a single-user machine it really doesn't seem worth the effort.

Actually, his setup seems (on the surface at least) to address two aspects of Cyber-Security:
  1. Separation of Duties
  2. Least Privilege
Not being anything even remotely like a Linux security guru, I still have to think that there are many more things that one can/should do if one is interested in hardening/securing their Linux computer. Getting and implementing applicable portions of the Security Technical Implementation Guide for Red Hat might be a good place to start.
srq2625
 
Posts: 36
Joined: 2016-02-26 11:01

Re: Single user PC/desktop - primary userid question

Postby wizard10000 » 2017-07-27 10:26

Seems to me the easiest way to sandbox the browser would be to use sudo or su to run your browser as the unprivileged user. Remember to ensure the unprivileged user has his own environment set and doesn't use yours - sudo -i or su -l (or just su -)

You may also have to use xhost or similar to grant the other user permission to connect to your X session but that's not a real big deal either.
we see things not as they are, but as we are.
-- anais nin
wizard10000
 
Posts: 1143
Joined: 2011-05-09 20:02
Location: midwestern us
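
Added example (not part of wizard10000's post): a shell sketch of the approach described above, launching the browser as a separate unprivileged account and granting X access to that one local account only. The account name `ff` comes from the thread; the function names and the list of groups treated as privileged are assumptions.

```shell
# Added example: run the browser as a separate low-privilege account.
# Assumptions: account "ff" (from the thread) exists; sudo and xhost are installed.

# Groups that would defeat the point of the browser account (assumed list).
PRIV_GROUPS="root sudo wheel adm disk shadow"

# has_priv_group "<space-separated groups>": succeeds if any privileged
# group is present. Takes the list as text so it can be checked offline.
has_priv_group() {
    for g in $1; do
        for p in $PRIV_GROUPS; do
            [ "$g" = "$p" ] && return 0
        done
    done
    return 1
}

# xhost_rule <user>: server-interpreted rule limiting X access to one
# local account, instead of the wide-open "xhost +".
xhost_rule() {
    printf 'SI:localuser:%s' "$1"
}

# run_browser_as <user>: refuse privileged accounts, grant X access only
# for the browser's lifetime, and use a login environment (sudo -i) so
# the caller's HOME and variables are not inherited.
run_browser_as() {
    target=$1
    groups=$(id -nG "$target") || return 2
    if has_priv_group "$groups"; then
        echo "refusing: $target is in a privileged group ($groups)" >&2
        return 1
    fi
    xhost "+$(xhost_rule "$target")" >/dev/null || return 2
    sudo -i -u "$target" env DISPLAY="$DISPLAY" firefox
    rc=$?
    xhost "-$(xhost_rule "$target")" >/dev/null
    return "$rc"
}

# Only launch when invoked as: sh script.sh run [user]
if [ "${1:-}" = "run" ]; then
    run_browser_as "${2:-ff}"
fi
```

The separation here covers files and process privileges. X11 does not isolate clients from each other, so a browser connected to your X session can still observe that session's windows and input.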

Re: Single user PC/desktop - primary userid question

Postby kopper » 2017-07-27 10:44

srq2625 wrote:...Security Technical Implementation Guide for Red Hat...

You meant Debian right?
https://www.debian.org/doc/manuals/secu ... ian-howto/

srq2625 wrote:Actually, his setup seems (on the surface at least) to address two aspects of Cyber-Security...


Separation or segregation of duties is an effective mechanism when there's two or more persons involved. In this case user accounts are handled by the same person.

If your goal is to run software in unprivileged mode (like you should do anyway with any browser), the same can be achieved with any user without compromising the system. This answers the question of least privilege and that's why sudo exists in the first place. Another, more critical point in my opinion is to restrict the application's access to system resources. This could be handled with MAC and sandboxing.

Unless I'm missing some very crucial point (which I wish someone would point out), I think there is little to be gained with extra user accounts for different purposes, at least from security's point of view. Of course you may want to contain your stuff in different accounts and that is just fine. I just feel that having separate accounts just for the sake of "separation of duties" and "least privilege" leads to a false sense of security, and efforts to secure the system should be directed elsewhere, e.g. proper configuration of software, firewall maintenance, security updates, mandatory access control and correct usage of elevated privileges.

Before anyone can call me out on this, security is naturally a far wider issue than a single control, like having a separate account for a different purpose. I don't say it won't contribute to the big picture, but it's a very small part and, at that, pretty inefficient.
kopper
 
Posts: 48
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

Postby wizard10000 » 2017-07-27 10:49

kopper wrote:
srq2625 wrote:...Security Technical Implementation Guide for Red Hat...

You meant Debian right?
https://www.debian.org/doc/manuals/secu ... ian-howto/


No, I'm pretty sure he was talking about DISA STIGs, which are DoD technical security guides and considerably more restrictive than Debian's security recommendations. DoD doesn't allow Debian in production because no paid vendor support is available so that pretty much limits your choices to RHEL, SuSE Enterprise or Ubuntu Server.

http://iase.disa.mil/stigs/Pages/index.aspx

Source: Former DoD geek :mrgreen:
wizard10000
 
Posts: 1143
Joined: 2011-05-09 20:02
Location: midwestern us

Re: Single user PC/desktop - primary userid question

Postby Wheelerof4te » 2017-07-27 10:50

I find your approach to security good, IF you wish to learn about Internet security or are preparing to work for Red Hat, for example.

Otherwise, you are a bit paranoid if all you need is simple desktop experience. Not to offend, just saying. GNU/Linux is much more secure, Debian even more so, by mere design than Windows. For single user desktop, default setup is good enough, assuming you are careful.
Please read:
Choosing a Debian distribution
and
Dont Break Debian

When in doubt, choose Debian Stable :)
Wheelerof4te
 
Posts: 360
Joined: 2015-08-30 20:14

Re: Single user PC/desktop - primary userid question

Postby kopper » 2017-07-27 11:06

wizard10000 wrote: No, I'm pretty sure he was talking about DISA STIGs, which are DoD technical security guides and considerably more restrictive than Debian's security recommendations....
http://iase.disa.mil/stigs/Pages/index.aspx


Ah, I see. Thanks for the link!

Maybe easier "good place to start" would be something Debian specific though.. :) Even CIS has hardening guidelines for Debian available to general public (tip: search for "cis benchmark debian 8" ). :wink:
kopper
 
Posts: 48
Joined: 2016-09-30 14:30

Re: Single user PC/desktop - primary userid question

Postby srq2625 » 2017-07-27 14:40

Yes, the DISA STIG. There are going to be parts that don't apply to Debian, but there will be a lot that does.

As for the Least Priv comment I made...

The OP referenced a lower-priv account for his internet connection work. Running FF et al. from a lower-priv account may (will?) reduce the exposure surface as compared to running from a "normal priv" account.

Quote: I just feel that having separate accounts just for the sake of "separation of duties" and "least privilege" lead to false sense of security and efforts to secure system should be directed elsewhere, e.g. proper configuration of software, firewall maintenance, security updates, mandatory access control and correct usage of elevated privileges.

I have to agree 100% with this - security is much more than just one thing or another, thus my comment/reference to the DISA STIG. Security is the whole package. When/if implemented correctly, the pieces you mention will, no doubt, provide a much better ROI than worrying about running things from different accounts.
srq2625
 
Posts: 36
Joined: 2016-02-26 11:01

Re: Single user PC/desktop - primary userid question

Postby ruffwoof » 2017-07-27 15:13

Fundamentally I run Debian as a desktop and use Debian provided binaries only, sticking to just the MAIN repository i.e. my /etc/apt/sources.list content is

deb http://deb.debian.org/debian/ jessie main
#deb-src http://deb.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main

I commented out the sources as I don't compile anything myself.

I use root (terminal) login to manually apt-get update; apt-get upgrade relatively regularly (yes I know I should perhaps have that setup to run automatically to get any updates asap, but I'm ok with running it manually myself perhaps every other day or so). I use user, that can su/sudo, relatively infrequently ... more as a graphical root userid i.e. to run gparted or gksu pcmanfm to edit the configuration when required. And to run office on more personal documents (financial spreadsheet), and even access my bank's web site (load firefox with no addons/extensions and go straight to my bank's web site, nowhere else before or after ... and then delete ~/.cache/mozilla and ~/.mozilla folders afterwards). Otherwise I use ff (restricted) all of the time. I've set things up so that has access to a /SHARED folder that I use as a gateway between user and ff. Mostly storing docs etc. under that ff userid directory structure that I would be little concerned if lost/accessed by anyone else.

I don't mind using Ctrl-Alt-Fn to switch between ff and user and sometimes have both gui desktops logged in during the same session to flip between the two. I don't really see having another userid as much of a bother, as that just makes the number of lines in /etc/passwd 33 instead of 32. I guess it's just whatever you're comfortable with and I had assumed that my sort of setup might have been the more common arrangement with typical desktop end user type setups than what appears to be the case.

Thanks for all of the replies.
ruffwoof
 
Posts: 168
Joined: 2016-08-20 21:00

Re: Single user PC/desktop - primary userid question

Postby pendrachken » 2017-07-27 23:28

wizard10000 wrote: Seems to me the easiest way to sandbox the browser would be to use sudo or su to run your browser as the unprivileged user. Remember to ensure the unprivileged user has his own environment set and doesn't use yours - sudo -i or su -l (or just su -)

You may also have to use xhost or similar to grant the other user permission to connect to your X session but that's not a real big deal either.




Sounds kind of backwards to me.

IF I were to separate to this level, and I don't think it is remotely necessary for home use, I would just run as the lowest user ( for browser in this case ) then su / sudo to the higher user for document editing / su-to-root. You could also implement BSD / Gentoo style root restrictions by requiring users that can become root to be in the "wheel" group. This would prevent the browser user from logging into root ( and is a POSSIBLE exploit mitigation, depending on the exploit ) unless they logged into the higher privileged account ( which is in the wheel group ) first.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P
pendrachken
 
Posts: 1272
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.
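
Added example (not part of pendrachken's post): on Debian the wheel-style restriction described above is configured through `pam_wheel` in `/etc/pam.d/su`, and the sketch below audits a PAM file for an active rule and reports which accounts could still use su. The sample PAM lines, the group lists and the function names are constructed for illustration.

```shell
# Added example: audit a PAM "su" file for a wheel-style restriction.
# Assumption: a "wheel" group has been created (pam_wheel otherwise
# falls back to the gid 0 group). Function names are hypothetical.

# su_wheel_group [pam-file]: print the group an active
# "auth required pam_wheel.so" line limits su to; fail if there is none.
su_wheel_group() {
    awk '
        $1 ~ /^#/ { next }                  # commented out = inactive
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
            grp = "wheel"; deny = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "deny") deny = 1
                if ($i ~ /^group=/) grp = substr($i, 7)
            }
            if (deny) next                  # deny-list, not an allow-list
            print grp; found = 1; exit
        }
        END { exit !found }
    ' "$@"
}

# may_su "<groups of account>" <required-group>
may_su() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Constructed sample of /etc/pam.d/su with the restriction enabled.
sample_pam_su() {
    cat <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so
EOF
}

# Report for the two accounts from the thread (group lists constructed).
report() {
    grp=$(sample_pam_su | su_wheel_group) || { echo "su unrestricted"; return 1; }
    for acct in "ff:ff audio video" "user:user cdrom wheel"; do
        if may_su "${acct#*:}" "$grp"; then
            echo "${acct%%:*}: may use su"
        else
            echo "${acct%%:*}: blocked from su"
        fi
    done
}
report
```

This rule governs su only; sudo access is decided separately by sudoers. pam_wheel's `root_only` option limits the group check to su-to-root, which matches the layered arrangement in the post above.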

Re: Single user PC/desktop - primary userid question

Postby wizard10000 » 2017-07-28 09:24

pendrachken wrote: Sounds kind of backwards to me.

IF I were to separate to this level, and I don't think it is remotely necessary for home use, I would just run as the lowest user ( for browser in this case ) then su / sudo to the higher user for document editing / su-to-root. You could also implement BSD / Gentoo style root restrictions by requiring users that can become root to be in the "wheel" group. This would prevent the browser user from logging into root ( and is a POSSIBLE exploit mitigation, depending on the exploit ) unless they logged into the higher privileged account ( which is in the wheel group ) first.


The reason I sandboxed the browser instead of the user is that way the user's home directory is not exposed. But - I agree that either way is probably overkill, especially if one has good backups :mrgreen:
wizard10000
 
Posts: 1143
Joined: 2011-05-09 20:02
Location: midwestern us

