Single User Security

If it doesn't relate to Debian, but you still want to share it, please do it here

Single User Security

Postby millpond » 2019-01-14 18:03

I am looking for a FAQ or general user guide to setting up a Linux system for a *single* user, with secuity only kept at that level instead of its default multisuer/wan defaults. Freedom is inversely proportional to security, and its important, especially if the wife is to use this machine, that there be no or little additional hindrances to doing simple routines, or anything blocking our access to our hardware.

Please understand that I am utterly unconcerned about the dangers of typo mistakes in destroying the system. I use file managers for copy/delete/move operations and *never* any drag/drop stuff. In 25+ years of Win/Linux there has never been such an error here.

Behind two hardware firewalls, no email client, and browsers armored to the teeth - I feel that there is minimum risk in attack vectors. Especially when I am normally behind a VPN, and IPV6 is disabled.

I dont mind running in a user account, but would prefer WAN media apps to run in a third *sandbxed* account. Might even consider a VM for this purpose. Right now, I am restoring a development system with over 25K packages on SID and enough has broke so that it will not boot to a user account. Root works fine, brings up Mate, and everything seems to work OK. User accounts are not a real issue, but i would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.

Of course I am aware that what I am doing is completely opposite standard 'best practices' - and I would even myself necver recommend such a minimal securty setup to anyone with even a wireless laptop, much less a home system that has open ports for such things as remote desktop. Here sshd is disabled. Routers forbidden to port-forward. Numerous oother steps taken that dont come to mind.

Just wondering if anyone elese has taken this approach, who is a bit more knowledgeable about networking - and what other suggestions that they may have in mind.

Right now the the overamping on security is killing freedom in the personal user milieu.
I really dont care if a hacker breaks into this system. They would be bored to tears. I keep no personal information here that I would really mind was 'shared' with the net. And with over two million files and no indexing, any search would be noticed and killed instantly.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby sombunall » 2019-01-14 19:34

millpond wrote:[...] but i would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.


Tried Docker yet? Also I think you could be paranoid about certain things. You could do more just setting Xorg not to use SUIDs. I've done it and noticed no real disturbance:

https://lists.x.org/archives/xorg-annou ... 02927.html
sombunall
 
Posts: 73
Joined: 2009-05-20 20:36

Re: Single User Security

Postby bw123 » 2019-01-14 22:22

I don't see the threat? What are you worried about? You say you have two hardware firewalls, maybe get another one just to be sure?

Really, I think it will depend on what you're trying to guard against? Personally I wouldn't do anything financial on the net, but I'm an old guy and stuck in the mud like that. There is a "securing Debian" guide easily found with a search. I did some reading way back, but FWICT if your incoming router blocks everything anyway, except standard ports like browser and email or whatnot, there's not much point in being too paranoid. Now the VPN stuff or anything else you have installed I can't vouch for, who knows? I never use them, or TOR because I just don;t have the knowledge, and configuring things like that incorrectly seems very easy to do, with a lot of potential to leave a gaping security hole.

...
would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.
...

okay I can't get with that idea. I'm sure the wife is smart, but I would not let anybody have that kind of access to my computer, and I need auth stuff to keep me from making mistakes. Get her a separate system for herself maybe?
User avatar
bw123
 
Posts: 3787
Joined: 2011-05-09 06:02

Re: Single User Security

Postby bw123 » 2019-01-14 23:08

Okay, I seem to have misunderstood, you're not asking about security. Basically you're asking, "How to run everything as root, like windows?"
User avatar
bw123
 
Posts: 3787
Joined: 2011-05-09 06:02

Re: Single User Security

Postby Wheelerof4te » 2019-01-15 11:27

^Yea, it's confusing. He wants to run everything without needing to type passwords. That's what I get, too.

Anyway, for single-use stuff we have sudo. Basically, you create a user, give him permission to admin the system, add the password and you're set. It's what Ubuntu is doing to simplify administration. Debian defaults to two accounts:admin (root) and normal user. But you can disable root during installation simply by not setting password for it. In this case, your regular user will have admin rights via "sudo".

It simple, and you don't have to be paranoid. It's much worse doing everything "the Windows way".
User avatar
Wheelerof4te
 
Posts: 1164
Joined: 2015-08-30 20:14

Re: Single User Security

Postby xepan » 2019-01-15 15:08

I fail to see the problem you have described as "lack of freedom"
what exactly you think you can't do?

if bw123 is right and all you want is to run everything as root, then i'd say just do it, and else do security the way it is usually done.

I really dont care if a hacker breaks into this system. They would be bored to tears. I keep no personal information here that I would really mind was 'shared' with the net.
I still don't see the point, as said above, but you seem to have settled on that idea already.



He doesn't necessarily needs to care for you data, but take your mashine to do nasty things from your machine/IP. Something you would rather not want.
xepan
 
Posts: 88
Joined: 2018-11-28 06:38

Re: Single User Security

Postby Head_on_a_Stick » 2019-01-15 18:09

https://www.garyshood.com/root/

(Sorry, could not resist.)
User avatar
Head_on_a_Stick
 
Posts: 8900
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Single User Security

Postby millpond » 2019-01-15 19:44

bw123 wrote:Okay, I seem to have misunderstood, you're not asking about security. Basically you're asking, "How to run everything as root, like windows?"


Yes. And. No.

The objective here is tow have two totally functioning modes: Sysadmin and Wan/Media.
Functioning as to their roles:

Absolute control for sysadmin. No sudo, no limits of any kind. I run my systems out of scripts that I am not about to rewrite because they are not secure on a multiuser system, but appropriate here. There are some WAN things I need to do as sysadmin, but they are limited in nature, and am unconcered over security issues here. Hells bells, I do not even want my software I use to tweak my websites even to be accessible to sudo.

Media/Wan I prefer to run as some type of sub-user without access to system functions. I guess for X this would require some type of sandbox/chroot/VM arrangement. Not familiar with Docker

Freedom to me is the ability to 'hack' one system within reason. I am trying to avoid other repos here, and SID has the most promise for up tp date script languages, without the need (so far) to manually install them.

I am not asking how to run as root. I am doing that. More than I want at the moment, as user accounts are for some reason broken. Hoping to fix that next week. What I am interested in is any guides for running as full sysadmin in a systemd system, which none of my older texts are aware. Debian is a moving target. And I'm a little behind.

I do not like systemd. Its one of the reasons I left linux for a while. But with it, I can do a full development system in weeks instead of months. But it looks hackable enough to disable most of its junk.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby CwF » 2019-01-15 19:48

It is possible to create a passwordless system and not be root. You can even do an hardware key encrypted one!
CwF
 
Posts: 228
Joined: 2018-06-20 15:16

Re: Single User Security

Postby millpond » 2019-01-16 07:17

CwF wrote:It is possible to create a passwordless system and not be root. You can even do an hardware key encrypted one!


On Jessie I booted right into the user account, and ran the system from rooted terminals. Tried that on SID but kept running into GTK issues. Because some pinhead decided that superusers shouldnt run X GUIs. Hacked some files, and now GTK is running fine.

The risks of bricking a system with encryption far outweigh anything a malicious hacker can do. In an enterprise environment it may certainly be appropriate. For a home network I have the best option for data that should not be shared with the world - by disconnecting it from the net totally. As in powering its media off. 6 machines here. Only two typically ON.

One of them is Win7 that looks like a honeypot, with all security services turned off. About once a year I spend about 20 minutes kiling off a booger. I figure its less time than setting up a firewall. Point is: Real security lies at the system operator, not OS software level.

A production system must have fully amped security protocols. But I believe these should only be optional on single user systems.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby xepan » 2019-01-16 07:40

No sudo, no limits of any kind.

Again: what limits you speak of?

Might well be me, but i hear a lot of big buzz words, but got no clue what the heck your real problem is.
xepan
 
Posts: 88
Joined: 2018-11-28 06:38

Re: Single User Security

Postby CwF » 2019-01-16 16:23

millpond wrote:Because some pinhead decided that superusers shouldnt run X GUIs.

That's because once I left the system up with a root Thunar open while I went for coffee. In the meantime my cat had an argument with my trackball. Why left click defaults to move I'll never know.
Some things like sound have issues as root. I see 'inxi' mentioned as differing ran as root, don't know, never used it.

I prefer to paddle downstream, with the flow. I'm a late comer, in at Jessie. So systemd and polkit is what it is. I have chosen not to argue with what I don't know. I try to only mod things in ways that will reliably persist through upgrades. If mods continually break, the message is to rethink the way you're doing things.

If permissions are getting in the way, they do, I can only imagine you have multi-step scripts which at some point reach out of or into user space/root. Without examples I have no solution. While you can't get away from a user typing sudo, you can eliminate the password. I assume you have already purged any gksu use.

file: /etc/sudoers.d/user
Code: Select all
user ALL=(ALL) NOPASSWD: /specific/command
#OR
user ALL=(ALL) NOPASSWD: ALL

That's a granular option, or a sledge.

With polkit you can do similar, with its inherent granularity per program.
Code: Select all
 <allow_any>no</allow_any>
 <allow_inactive>auth_admin</allow_inactive>
 <allow_active>yes</allow_active>

millpond wrote:The risks of bricking a system with encryption...

is zero? This was one of the first things I wondered about. So I made a full disk encrypted image. I found I could move it from system to system. I found I could mount it in a foreign system. I found I could image to file, and back to device. I found I could loop the file image, etc. On one flaky computer I did have to address superblock errors. Overall, for me it passes muster. Modern CPU's take off the performance hit. I don't see a problem outside hardware problems. I was infering in my comment that the encryption key can be delivered via hardware, either matching the OS to a particular computer or requiring a usb key, either without passowrds, and potentially invisible to the user.
millpond wrote:Win7 that looks like a honeypot,... Real security lies at the system operator, not OS software level.

Agreed, but this needs a qualifier. I've said forever the best AV software is a keyboard. Many believe XP is susceptible to air-borne viruses. The #1 vector has always been the user click. So software tries to guard against a wrong click, and that irritates us. Linux people are full of themselves with regards to security. Obfuscation seems to be a primary method. With 99% of users not on Linux, the safety lies in the fact that at this point, you are not a target...
CwF
 
Posts: 228
Joined: 2018-06-20 15:16

Re: Single User Security

Postby millpond » 2019-01-17 06:00

xepan wrote:
No sudo, no limits of any kind.

Again: what limits you speak of?

Might well be me, but i hear a lot of big buzz words, but got no clue what the heck your real problem is.


There is a wide range of problems here.
It is technical - scripts and aps breaking, with things like proc/statidtics fuxxover to proc/stat.

Like a system that will boot to root and NOT user. .

Its SID so I dont take it personally -but by seeing more of the future and liking less of it.

And much of it is philosophical , to be for another thread.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby xepan » 2019-01-17 07:44

I would say a system doesn't "boot to root or user",
but to a login prompt or a display-manager.
use the former, log in as root, case closed.
xepan
 
Posts: 88
Joined: 2018-11-28 06:38

Re: Single User Security

Postby millpond » 2019-01-17 15:43

Actually, it boots to a login prompt. Not a problem.

Just checked. Its now accepting user account at VT login.
Done some updates lately.

Still no explanation as to why a superuser account is considered so taboo, except that a few apps wount run under it (many of which actually do, especially if recompiled).

I consider Linux compromised already. Bashbug, heartbleed, certainly many more. All recent CPUs are boogered.

I have my own preferred security methods that work rather well, even on a slipship OS like Win.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Next

Return to Offtopic

Who is online

Users browsing this forum: No registered users and 2 guests

fashionable