Single User Security

[CwF]

... is that he doesn't have to type a password (?).
Prettty much the only application i need to run as root is gparted anyway.

See my first response for no passwords. See if you have a /etc/sudoers.d/ file. For gparted there is now a policy file for /usr/share/polkit-1/actions. With polkit installed, modify the org.gnome.gparted file with <allow_active>yes</allow_active>,

[millpond]

What are root and user terminals?
terminal-emulators? probably.
But what the heck is a user terminal and a root terminal?

I sure can run ssh as web-browsers as root.
You might want to give a real and detailed example what you are speaking of.[/quote]

Xterms and VTs(ctrl-altxxx). However VTs cannot run GUI apps.
In this case either - depending who is logged into the terminal.

As an exampke: I use personalized directories for my files. In running my P2p client and FF (as a user) I kept running into permission problems which persisted with su, but went away booting to superuser. there is alot of stuff I could have done to fix the issue for the user account, but wanted to spend that time loading the system and then dealing with permissions issues *last*.

And then the thought occurred that some of these permisisons issues were *new* and not 'traditional' - which made me think that if this was destined to be a hacked SID system: In for a penny, in for a pound.

[llivv]

I never thought of this thread as a post asking for a solution to a specific issue, but rather as a discussion thread to probe for ideas on different ways to secure a box and also learn more about the ways Debian is changing currently.

@millpond:

There are at least 4 other threads in the forum with the same su issue.
New convention based on upstream is now being used for su

Code: Select all

su -

I noticed the issue in Sid approximately September 2018 and posted about it here in
Debian Development Section

CwF mentions it as well above http://forums.debian.net/viewtopic.php? ... 30#p689944
Job posted about the same issue and it's also mentioned in two other posts I know of here at FDN.

su man page is one of the manuals I keep a close eye on, it's changed several times making for some unusual advice/depreciation statements in stable testing and sid.

With all these "Path problems" and "Directory merge and link" issues rearing their ugly hacks, changing policy, initializing CoC's everywhere, and implementing new tools that obfuscate the changes made, even pottering can't find simple commits in systemd.

I see huge changes being made with little to no regard to backward compatibility.

Some devs like that. ( I know Kibi for one was excited to get out of XstrikeForce.
Probably close to 10 years ago and probably due to the excessive bug reports being submitted
showing user error - even from other devs.) I also remember him praising the inclusion of wayland as a way to finally get rid of xserver...

It was really a sad sad thing to watch devs file bug reports on wildly customized xservers without even testing the default xserver first..... I can only imagine what it would be like to have to address that kind of thing with only a 3 of 4 maintainers handling the load....

Other Devs seem to agree that so much change in the base system is not being handled in a way that is beneficial to the project.

I admit some of the fussy (probably more than the project wants to admit publicly) is that the paid Devs have to feed their families, etc etc.....A lot of the paid devs are working (for companies that have little or no interest in software freedom other than there being a cheap way to get free system support from unpaid devs doing gratis work). Also utilizing unscrupulous tactics to cover their tracks and keep the general public uninformed.. I doubt I have to name names here but a few of the historical abusers come to mind.

Kinda reminds me of the link H_o_a_S posted in another thread to the july 2018 systemd hug report concerning the loading of the autofs4 kernel module....Which it turns out systemd implemented a long time ago into the systemd early boot code.
Than pottering complaining it was a kernel issue and finally Linus had to find the systemd commit and explain it to pottering.. Linux than revirted the autofs4 module rename in the kernel commit due to pottering not even knowing what the problem is, still doesn't know it...even after Linux explained it to him.
You would think pottering would have a clue what autofs is, at the very least. Maybe than they could find their issue themselves instead of making Linus do the debugging of systemd for them.
And that kind of ineptitude from the systemd project has been directed at the kernel for many years.

I noticed it first during wheezy freeze when I was reporting an issue to DRM/DRI regarding xserver on old intel 830 chipset not being able to start Gnome or KDE with only 8 Mb of ram available for the on motherboard graphics chip.
Systemd was complaining again about how the kernel was at fault for some reason and breaking userspace ie: systemd.
One of the kernel devs in that report (very similar in structure to the one mentioned above) asked the systemd devs what their debug level was. Their reply was debug. (default).
Probably due to them not using or understanding how to use any debug mechanism at the time...Latest rant by pottering makes me wonder if they still don't have a decent systemd debug strategy in place.
It was clear to me that pottering wasn't going to dig though the systemd code himself to find an issue that he thought he could blame on the kernel breaking userspace again...
Just the tip of the iceberg, from what I'm hearing on the wire. .


.

[xepan]

... is that he doesn't have to type a password (?).
Prettty much the only application i need to run as root is gparted anyway.

See my first response for no passwords. See if you have a /etc/sudoers.d/ file. For gparted there is now a policy file for /usr/share/polkit-1/actions. With polkit installed, modify the org.gnome.gparted file with <allow_active>yes</allow_active>,

As of now i just left all systems as they were and it works like a charme.

[xepan]

As an exampke: I use personalized directories for my files. In running my P2p client and FF (as a user)

What are personalized directories?

I know in advance that the next comment will again make use of terms no one has heard of yet.
I am out.

[dilberts_left_nut]

1337 for dirs with the wrong permissions ...

[bw123]

1337 for dirs with the wrong permissions ...

I ran windows that way for yrs. When I tried it on linux, I found out that it's just too easy to delete/edit/create something somewhere that hoses some part of the system, without realizing it, sometimes days or even weeks later. Mysteriously, the system just starts to degrade, and you really don't understand what error you made and where the problem is. Group ownership in particular seems to be somewhat important, in ways that can be hard to understand.

The problem with the strategy of setting everything up to run as root, and implementing user permissions later, is like driving all nails with the biggest sledgehammer you have. The nails are hard to remove later. You don't drive a nail unless you're sure.

[millpond]

HeadOnASticks "solution" (to a problem i still don't understand) is that he doesn't have to type a password

Yeah, pretty much, along with forbidding `su` access to users not in the wheel group, which I think is a great idea.

Unfortunately, in SID, at least for this system: There is no wheel group in /etc/group

[millpond]

1337 for dirs with the wrong permissions ...

I ran windows that way for yrs. When I tried it on linux, I found out that it's just too easy to delete/edit/create something somewhere that hoses some part of the system, without realizing it, sometimes days or even weeks later. Mysteriously, the system just starts to degrade, and you really don't understand what error you made and where the problem is. Group ownership in particular seems to be somewhat important, in ways that can be hard to understand.

The problem with the strategy of setting everything up to run as root, and implementing user permissions later, is like driving all nails with the biggest sledgehammer you have. The nails are hard to remove later. You don't drive a nail unless you're sure.

Good points, and my apparent surprise here is that there has been no FAQs around as to how to restore a system, that has been say, backed up to an NTFS system. A script to restore default permissions and groups. I remember a decade ago on Jaunty something like that happened, and I had to install it on a second drive and note the permissions in /etc/ and i believe, /usr/lib.

In order to gain total control over a system we needs must *understand* it, Not 'obey' it.
I am not persuing NO security. I am trying to make security issues at my own discretion. Isnt this one of the Four Freedoms?
Perhaps its changed in Lennux.


For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.

I do like that in Buster the /usr and /lib trees have been simplified. Perhaps that can be expanded to allow for more interaction with other platforms.

[Head_on_a_Stick]

There is no wheel group in /etc/group

Code: Select all

# groupadd wheel

[GarryRicketson]

For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.

It is hard to explain things to a windows user, Linux does have so called "hacking books", they are called the manual, IE :

Code: Select all

man man 

and for example the

millpond wrote:
There is no wheel group in /etc/group

Obviously if a group does not exist one needs to create it, but I don't think windows uses or has those options, don't really know since I don't use it, and never have really.
H-O-A-S showed the command, but for more details, and a example of using the 'man' command:

Code: Select all

man groupadd

or http://man7.org/linux/man-pages/man8/groupadd.8.html

[millpond]

So I'm doing my best to be patient with the newfangled (in comparison) best practices I've developed over time and not let them interfere with others developing their own methods. Try to give pointer when I can and learn as much as possible from others too. It is the Linux/Gnu/Debian way to let anyone that wants to hacker on the software.

Linux was originally designed to be used for a student on a laptop. He adopted the prior sysv structure, including permissions - but the user was typically root and the idea of logging in as a user did not come till much later, and accounts were generally reserved for apps.
In other words the emphasis on file system security was based on keeping *apps* from superuser access, more than users - as it was originally a single user system.

Of course as it advanced and became used in production and enterprise the need for more and better security models became required.

The problem I have is that a clustered Wan systen designed to handle thousands of users, might not be appropriate for my needs, as the security measures can be stifling.

Imagine a system that by default does not even recognize insertion of USB stiicks?
(Strike one, for polkit).

[Head_on_a_Stick]

@OP, have you tried Puppy Linux? That runs as root OOTB.

http://bkhome.org/archive/puppylinux/technical/root.htm

See also https://xkcd.com/1200/

[millpond]

So far the only real option appears to be a VM, or a VT for non-gui stuff.

How about systemd-nspawn?

Adopt, adapt & improve: http://forums.debian.net/viewtopic.php?f=16&t=129390

Now this is exactly what I have been looking for

https://wiki.archlinux.org/index.php/Systemd-nspawn
https://dabase.com/e/12009/

Thinking about using it with /opt.
Or making an /opt2

Might even add email to the system.

Cage all the possiible/probable vectors.

This system has 2 processors, and 4G - so the Lennux method might be preferable to a VM.

Spasibo.

[millpond]

I never thought of this thread as a post asking for a solution to a specific issue, but rather as a discussion thread to probe for ideas on different ways to secure a box and also learn more about the ways Debian is changing currently.


su man page is one of the manuals I keep a close eye on, it's changed several times making for some unusual advice/depreciation statements in stable testing and sid.

With all these "Path problems" and "Directory merge and link" issues rearing their ugly hacks, changing policy, initializing CoC's everywhere, and implementing new tools that obfuscate the changes made, even pottering can't find simple commits in systemd.

I see huge changes being made with little to no regard to backward compatibility.


.

Indeed, I think it a good idea for some key issued to be raised: Particularly how much power devs should have over a user's desktop.
Nothing infuriates me more than as root, the 'access denied' message.
Security issues are quite important, but its the user who should determine the risks. For example I know full well the risks of rm -f / .foo.
My solution is not to restrict my access, but to either use a scripted alias, or in practice use one of my file managers for system management.

I beleive apps, and not users should be sandboxed on a single user system.

With the current direction Lennux is heading, there will soon come a time when I will simply say WHOA! and stop. I've got the source and packages of the Debian archives, and I might then decide to freeze the system and selectively upgrade through source, or even possible switching to an arch/slackware model - if it is possible to migrate the system to it.

Has this ever been done before? With a system over 200G and 25k packages?

My prior 'fully stocked' system was 32 bit and was upgraded from squeeze to jessie, where I stopped. It was spread across 3 disks and worked fine until the primary seagate drive dropped dead suddenly. It was also heavily modded, but ran mostly through rooted tabs in Xterms.

Ultimately i would like to run all my Win apps in wine, after M$ kills off Win7 (like it did XP). Which is one reason to keep with SId so far and its latest RC versions.

[millpond]

As an exampke: I use personalized directories for my files. In running my P2p client and FF (as a user)

What are personalized directories?

I know in advance that the next comment will again make use of terms no one has heard of yet.
I am out.

For example I prefer my download directory to be off / and have evertthing dumped into that. Where I cannot change the dir location to it, I symlink it. This allows me to wite scripts using that directory to be much simpler. And run across multiple machines and architectures. (Same script for all).

There are others, such as a personalized CPAN directory that I use to access from all accounts.

I do not keep personal info or pictures in anything resembling a typical home/media directory fo example. An encryptor booger would have a hard time even finding that type of stuff.

[millpond]

... is that he doesn't have to type a password (?).
Prettty much the only application i need to run as root is gparted anyway.

See my first response for no passwords. See if you have a /etc/sudoers.d/ file. For gparted there is now a policy file for /usr/share/polkit-1/actions. With polkit installed, modify the org.gnome.gparted file with <allow_active>yes</allow_active>,

As of now i just left all systems as they were and it works like a charme.

Like my mint and magaeia systems.

No need to touch them. Not made for heavy lifting.

[millpond]

For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.

It is hard to explain things to a windows user, Linux does have so called "hacking books", they are called the manual, IE :

Code: Select all

man man [/quote]


Unfortunately most man pages are written in technogibberish, and many if not most lack realistic examples. 

I can pretty much figure them out with time, and google - but with the mess that Lennux has become, Its quite the chore to even know WHAT to look for. 

buster:/# man "magic cookie"
No manual entry for magic cookie

As for being a Win user, well I was using DOS/Win even before Linux existed. Its not a bad system, only a bad corporate model that its controlled by. Kinda like what RedHat is aspiring to be.

[bw123]

The criticism about man pages is common. It usually ranges from, "Hard to understand, cryptic, too technical" -or- "Not enough information and examples" and it seems like many people don't read them at all, and never try to help by contributing. I find it aggravating when documentation is missing, incomplete, or unavailable but I'd say man pages are a must if you're serious about running the system, especially in an unconventional way.

One of my favorite helpers for man pages is apropos, but there are many other tools to help find information on the system.

Code: Select all

$ apropos cookie

[Bulkley]

I beleive apps, and not users should be sandboxed on a single user system.

Have you tried appimages? They are self-contained and run quite nicely in user-space.