Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Single User Security

Off-Topic discussions about science, technology, and non Debian specific topics.
Message
Author
millpond
Posts: 698
Joined: 2014-06-25 04:56

Single User Security

#1 Post by millpond »

I am looking for a FAQ or general user guide to setting up a Linux system for a *single* user, with secuity only kept at that level instead of its default multisuer/wan defaults. Freedom is inversely proportional to security, and its important, especially if the wife is to use this machine, that there be no or little additional hindrances to doing simple routines, or anything blocking our access to our hardware.

Please understand that I am utterly unconcerned about the dangers of typo mistakes in destroying the system. I use file managers for copy/delete/move operations and *never* any drag/drop stuff. In 25+ years of Win/Linux there has never been such an error here.

Behind two hardware firewalls, no email client, and browsers armored to the teeth - I feel that there is minimum risk in attack vectors. Especially when I am normally behind a VPN, and IPV6 is disabled.

I dont mind running in a user account, but would prefer WAN media apps to run in a third *sandbxed* account. Might even consider a VM for this purpose. Right now, I am restoring a development system with over 25K packages on SID and enough has broke so that it will not boot to a user account. Root works fine, brings up Mate, and everything seems to work OK. User accounts are not a real issue, but i would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.

Of course I am aware that what I am doing is completely opposite standard 'best practices' - and I would even myself necver recommend such a minimal securty setup to anyone with even a wireless laptop, much less a home system that has open ports for such things as remote desktop. Here sshd is disabled. Routers forbidden to port-forward. Numerous oother steps taken that dont come to mind.

Just wondering if anyone elese has taken this approach, who is a bit more knowledgeable about networking - and what other suggestions that they may have in mind.

Right now the the overamping on security is killing freedom in the personal user milieu.
I really dont care if a hacker breaks into this system. They would be bored to tears. I keep no personal information here that I would really mind was 'shared' with the net. And with over two million files and no indexing, any search would be noticed and killed instantly.

sombunall
Posts: 73
Joined: 2009-05-20 20:36

Re: Single User Security

#2 Post by sombunall »

millpond wrote:[...] but i would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.
Tried Docker yet? Also I think you could be paranoid about certain things. You could do more just setting Xorg not to use SUIDs. I've done it and noticed no real disturbance:

https://lists.x.org/archives/xorg-annou ... 02927.html

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Single User Security

#3 Post by bw123 »

I don't see the threat? What are you worried about? You say you have two hardware firewalls, maybe get another one just to be sure?

Really, I think it will depend on what you're trying to guard against? Personally I wouldn't do anything financial on the net, but I'm an old guy and stuck in the mud like that. There is a "securing Debian" guide easily found with a search. I did some reading way back, but FWICT if your incoming router blocks everything anyway, except standard ports like browser and email or whatnot, there's not much point in being too paranoid. Now the VPN stuff or anything else you have installed I can't vouch for, who knows? I never use them, or TOR because I just don;t have the knowledge, and configuring things like that incorrectly seems very easy to do, with a lot of potential to leave a gaping security hole.
...
would just as soon be rid of SeLinux, Polkit, AppArmor and anything that prevents anyone at the keyboard from having full, absolute control of the system.
...
okay I can't get with that idea. I'm sure the wife is smart, but I would not let anybody have that kind of access to my computer, and I need auth stuff to keep me from making mistakes. Get her a separate system for herself maybe?
resigned by AI ChatGPT

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Single User Security

#4 Post by bw123 »

Okay, I seem to have misunderstood, you're not asking about security. Basically you're asking, "How to run everything as root, like windows?"
resigned by AI ChatGPT

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Single User Security

#5 Post by Wheelerof4te »

^Yea, it's confusing. He wants to run everything without needing to type passwords. That's what I get, too.

Anyway, for single-use stuff we have sudo. Basically, you create a user, give him permission to admin the system, add the password and you're set. It's what Ubuntu is doing to simplify administration. Debian defaults to two accounts:admin (root) and normal user. But you can disable root during installation simply by not setting password for it. In this case, your regular user will have admin rights via "sudo".

It simple, and you don't have to be paranoid. It's much worse doing everything "the Windows way".

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#6 Post by xepan »

I fail to see the problem you have described as "lack of freedom"
what exactly you think you can't do?

if bw123 is right and all you want is to run everything as root, then i'd say just do it, and else do security the way it is usually done.
I really dont care if a hacker breaks into this system. They would be bored to tears. I keep no personal information here that I would really mind was 'shared' with the net.
I still don't see the point, as said above, but you seem to have settled on that idea already.

He doesn't necessarily needs to care for you data, but take your mashine to do nasty things from your machine/IP. Something you would rather not want.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Single User Security

#7 Post by Head_on_a_Stick »

https://www.garyshood.com/root/

(Sorry, could not resist.)
deadbang

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#8 Post by millpond »

bw123 wrote:Okay, I seem to have misunderstood, you're not asking about security. Basically you're asking, "How to run everything as root, like windows?"
Yes. And. No.

The objective here is tow have two totally functioning modes: Sysadmin and Wan/Media.
Functioning as to their roles:

Absolute control for sysadmin. No sudo, no limits of any kind. I run my systems out of scripts that I am not about to rewrite because they are not secure on a multiuser system, but appropriate here. There are some WAN things I need to do as sysadmin, but they are limited in nature, and am unconcered over security issues here. Hells bells, I do not even want my software I use to tweak my websites even to be accessible to sudo.

Media/Wan I prefer to run as some type of sub-user without access to system functions. I guess for X this would require some type of sandbox/chroot/VM arrangement. Not familiar with Docker

Freedom to me is the ability to 'hack' one system within reason. I am trying to avoid other repos here, and SID has the most promise for up tp date script languages, without the need (so far) to manually install them.

I am not asking how to run as root. I am doing that. More than I want at the moment, as user accounts are for some reason broken. Hoping to fix that next week. What I am interested in is any guides for running as full sysadmin in a systemd system, which none of my older texts are aware. Debian is a moving target. And I'm a little behind.

I do not like systemd. Its one of the reasons I left linux for a while. But with it, I can do a full development system in weeks instead of months. But it looks hackable enough to disable most of its junk.

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Single User Security

#9 Post by CwF »

It is possible to create a passwordless system and not be root. You can even do an hardware key encrypted one!

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#10 Post by millpond »

CwF wrote:It is possible to create a passwordless system and not be root. You can even do an hardware key encrypted one!
On Jessie I booted right into the user account, and ran the system from rooted terminals. Tried that on SID but kept running into GTK issues. Because some pinhead decided that superusers shouldnt run X GUIs. Hacked some files, and now GTK is running fine.

The risks of bricking a system with encryption far outweigh anything a malicious hacker can do. In an enterprise environment it may certainly be appropriate. For a home network I have the best option for data that should not be shared with the world - by disconnecting it from the net totally. As in powering its media off. 6 machines here. Only two typically ON.

One of them is Win7 that looks like a honeypot, with all security services turned off. About once a year I spend about 20 minutes kiling off a booger. I figure its less time than setting up a firewall. Point is: Real security lies at the system operator, not OS software level.

A production system must have fully amped security protocols. But I believe these should only be optional on single user systems.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#11 Post by xepan »

No sudo, no limits of any kind.
Again: what limits you speak of?

Might well be me, but i hear a lot of big buzz words, but got no clue what the heck your real problem is.

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Single User Security

#12 Post by CwF »

millpond wrote:Because some pinhead decided that superusers shouldnt run X GUIs.
That's because once I left the system up with a root Thunar open while I went for coffee. In the meantime my cat had an argument with my trackball. Why left click defaults to move I'll never know.
Some things like sound have issues as root. I see 'inxi' mentioned as differing ran as root, don't know, never used it.

I prefer to paddle downstream, with the flow. I'm a late comer, in at Jessie. So systemd and polkit is what it is. I have chosen not to argue with what I don't know. I try to only mod things in ways that will reliably persist through upgrades. If mods continually break, the message is to rethink the way you're doing things.

If permissions are getting in the way, they do, I can only imagine you have multi-step scripts which at some point reach out of or into user space/root. Without examples I have no solution. While you can't get away from a user typing sudo, you can eliminate the password. I assume you have already purged any gksu use.

file: /etc/sudoers.d/user

Code: Select all

user ALL=(ALL) NOPASSWD: /specific/command
#OR
user ALL=(ALL) NOPASSWD: ALL
That's a granular option, or a sledge.

With polkit you can do similar, with its inherent granularity per program.

Code: Select all

 <allow_any>no</allow_any>
 <allow_inactive>auth_admin</allow_inactive>
 <allow_active>yes</allow_active>
millpond wrote:The risks of bricking a system with encryption...
is zero? This was one of the first things I wondered about. So I made a full disk encrypted image. I found I could move it from system to system. I found I could mount it in a foreign system. I found I could image to file, and back to device. I found I could loop the file image, etc. On one flaky computer I did have to address superblock errors. Overall, for me it passes muster. Modern CPU's take off the performance hit. I don't see a problem outside hardware problems. I was infering in my comment that the encryption key can be delivered via hardware, either matching the OS to a particular computer or requiring a usb key, either without passowrds, and potentially invisible to the user.
millpond wrote:Win7 that looks like a honeypot,... Real security lies at the system operator, not OS software level.
Agreed, but this needs a qualifier. I've said forever the best AV software is a keyboard. Many believe XP is susceptible to air-borne viruses. The #1 vector has always been the user click. So software tries to guard against a wrong click, and that irritates us. Linux people are full of themselves with regards to security. Obfuscation seems to be a primary method. With 99% of users not on Linux, the safety lies in the fact that at this point, you are not a target...

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#13 Post by millpond »

xepan wrote:
No sudo, no limits of any kind.
Again: what limits you speak of?

Might well be me, but i hear a lot of big buzz words, but got no clue what the heck your real problem is.
There is a wide range of problems here.
It is technical - scripts and aps breaking, with things like proc/statidtics fuxxover to proc/stat.

Like a system that will boot to root and NOT user. .

Its SID so I dont take it personally -but by seeing more of the future and liking less of it.

And much of it is philosophical , to be for another thread.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#14 Post by xepan »

I would say a system doesn't "boot to root or user",
but to a login prompt or a display-manager.
use the former, log in as root, case closed.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#15 Post by millpond »

Actually, it boots to a login prompt. Not a problem.

Just checked. Its now accepting user account at VT login.
Done some updates lately.

Still no explanation as to why a superuser account is considered so taboo, except that a few apps wount run under it (many of which actually do, especially if recompiled).

I consider Linux compromised already. Bashbug, heartbleed, certainly many more. All recent CPUs are boogered.

I have my own preferred security methods that work rather well, even on a slipship OS like Win.

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Single User Security

#16 Post by llivv »

Hello
and I agree about the comprise.
Perhaps for different reasons spawned from,
ip sniffing,
hacked secured tunnels
(probably from the the tunnels destination - would that be a hack or something else altogether? -go figure)

I look forward to reading more.
Even if a bit unorthodox compared to what is normally seen in this forum,

slipshod oops slipship :lol:
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#17 Post by millpond »

Yes, indeed 'unorthodox'. Even a bit eccentric.

But something of value to laptop owners who may be blocked from using gui restore tools, and certainly useful for home users who have 'trusted' family members who do not know or care to know about Linux security fashions.

Gksudo, gksu seems to be missing from Sid. Not good.

NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.

Nor would even suggest using this method as a primary system. In our primary system Lennux (Magaiea) is in a VM. On this machine Lennux is a (near) fully loaded development system for playing around in.

Of great interest is what *real* problems can arise in a system behind 2 NATs, ssh disabled, no servers running.
Can anyone log in? Would setting hosts.deny to all:all (paranoid) break anything? I've got my rether large hosts file from Windoze hooked up for blocking now....

Does SNORT still work? Ther've been so damn many changes, that I cannot keep a bead on them, and all my notes and references are 'deprecated' as Lennux bears little similarity to the traditional Linux system.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Single User Security

#18 Post by Head_on_a_Stick »

millpond wrote:Gksudo, gksu seems to be missing from Sid
They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
deadbang

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#19 Post by xepan »

millpond wrote:Y
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.
what would that be?
and don't start with anything happening in home, that is quite different from the damage root can do.

As far the 7-proxies approach (behind two NAT's, yada-yada) is concerned: for sure web-browsing and email might be a problem, i would guess. Though i for one mainly ignore those.
Depends on what you do, i guess, and in general security is a subject you want to be as specific and narrow as possible (say: how do i secure ssh? ), the opposite of your way to ask. What your wife does really doesn't add any info to the subject, to give an example. A VPN tries to solve one problem, disabling services solves a different problem; to give another example.
Also ask in the right community. forums debian net isn't really a security channel (but don't ask there like you ask here, duh).

probably something like chrootkit, too, though that might just as well be obsolete right now, due to the never ending changes in Linux land.
Mainly a firewall though.

https://www.debian.org/doc/manuals/secu ... ian-howto/

-
The things which get added to a very complex subject by running as root are the exact reasons why one shouldn't do it, so i guess you will have to live with those extra problems.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#20 Post by millpond »

Head_on_a_Stick wrote:
millpond wrote:Gksudo, gksu seems to be missing from Sid
They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
Who the hell is whining?
Polkit is well under control here.
The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. Ans what are best pracices for THIS mode.

Thank you for pkexec.
Fisrst i've heard of it.

Post Reply