Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Single User Security
Re: Single User Security
Hello
and I agree about the comprise.
Perhaps for different reasons spawned from,
ip sniffing,
hacked secured tunnels
(probably from the the tunnels destination - would that be a hack or something else altogether? -go figure)
I look forward to reading more.
Even if a bit unorthodox compared to what is normally seen in this forum,
slipshod oops slipship
and I agree about the comprise.
Perhaps for different reasons spawned from,
ip sniffing,
hacked secured tunnels
(probably from the the tunnels destination - would that be a hack or something else altogether? -go figure)
I look forward to reading more.
Even if a bit unorthodox compared to what is normally seen in this forum,
slipshod oops slipship
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.
Re: Single User Security
Yes, indeed 'unorthodox'. Even a bit eccentric.
But something of value to laptop owners who may be blocked from using gui restore tools, and certainly useful for home users who have 'trusted' family members who do not know or care to know about Linux security fashions.
Gksudo, gksu seems to be missing from Sid. Not good.
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.
Nor would even suggest using this method as a primary system. In our primary system Lennux (Magaiea) is in a VM. On this machine Lennux is a (near) fully loaded development system for playing around in.
Of great interest is what *real* problems can arise in a system behind 2 NATs, ssh disabled, no servers running.
Can anyone log in? Would setting hosts.deny to all:all (paranoid) break anything? I've got my rether large hosts file from Windoze hooked up for blocking now....
Does SNORT still work? Ther've been so damn many changes, that I cannot keep a bead on them, and all my notes and references are 'deprecated' as Lennux bears little similarity to the traditional Linux system.
But something of value to laptop owners who may be blocked from using gui restore tools, and certainly useful for home users who have 'trusted' family members who do not know or care to know about Linux security fashions.
Gksudo, gksu seems to be missing from Sid. Not good.
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.
Nor would even suggest using this method as a primary system. In our primary system Lennux (Magaiea) is in a VM. On this machine Lennux is a (near) fully loaded development system for playing around in.
Of great interest is what *real* problems can arise in a system behind 2 NATs, ssh disabled, no servers running.
Can anyone log in? Would setting hosts.deny to all:all (paranoid) break anything? I've got my rether large hosts file from Windoze hooked up for blocking now....
Does SNORT still work? Ther've been so damn many changes, that I cannot keep a bead on them, and all my notes and references are 'deprecated' as Lennux bears little similarity to the traditional Linux system.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Single User Security
They are now obsolete, use pkexec instead.millpond wrote:Gksudo, gksu seems to be missing from Sid
It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
deadbang
Re: Single User Security
what would that be?millpond wrote:Y
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.
and don't start with anything happening in home, that is quite different from the damage root can do.
As far the 7-proxies approach (behind two NAT's, yada-yada) is concerned: for sure web-browsing and email might be a problem, i would guess. Though i for one mainly ignore those.
Depends on what you do, i guess, and in general security is a subject you want to be as specific and narrow as possible (say: how do i secure ssh? ), the opposite of your way to ask. What your wife does really doesn't add any info to the subject, to give an example. A VPN tries to solve one problem, disabling services solves a different problem; to give another example.
Also ask in the right community. forums debian net isn't really a security channel (but don't ask there like you ask here, duh).
probably something like chrootkit, too, though that might just as well be obsolete right now, due to the never ending changes in Linux land.
Mainly a firewall though.
https://www.debian.org/doc/manuals/secu ... ian-howto/
-
The things which get added to a very complex subject by running as root are the exact reasons why one shouldn't do it, so i guess you will have to live with those extra problems.
Re: Single User Security
Who the hell is whining?Head_on_a_Stick wrote:They are now obsolete, use pkexec instead.millpond wrote:Gksudo, gksu seems to be missing from Sid
It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
Polkit is well under control here.
The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. Ans what are best pracices for THIS mode.
Thank you for pkexec.
Fisrst i've heard of it.
Re: Single User Security
https://www.debian.org/doc/manuals/secu ... ian-howto/
-----------------------------
This goes a long way for what I am looking for.
Bookmarked.
When I work on a project I always keep security issues as the last concern, so as to be able to avoid permissions problems while developing. Afterwards I can do as needed.
For example while working on websites I often use Win XAMPP, and then move to Linux and work out the permissions issues there.
-----------------------------
This goes a long way for what I am looking for.
Bookmarked.
When I work on a project I always keep security issues as the last concern, so as to be able to avoid permissions problems while developing. Afterwards I can do as needed.
For example while working on websites I often use Win XAMPP, and then move to Linux and work out the permissions issues there.
Re: Single User Security
That's easy, don't do it. It's not a MODE, it's like swimming with sharks. yeah you can like put a bandaid on the cut and smoke something to stay calm, but the damn sharks are unpredictable. Blood in the water ring any bells? Have you ever wondered why Malware and Virus scanners are millions of dollar bidnezzes on wndows machines?millpond wrote:
...The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. Ans what are best pracices for THIS mode.
...
Airgap the machine, and make a lot of backups. I'm sure the wife can stay off facebook while running as root?
edit: I thought at first you were another user that had a similar username. This person was very sensible and contributed a lot to the forum, but sadly I forget the correct name. It was something similar to millpond, and I took your post seriously for this reason. Now, after reading several of your posts, I don't.
resigned by AI ChatGPT
Re: Single User Security
Agreed.bw123 wrote:That's easy, don't do it.
What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.
Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
- dilberts_left_nut
- Administrator
- Posts: 5343
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 12 times
- Been thanked: 66 times
Re: Single User Security
Or just learn how permissions work.
AdrianTM wrote:There's no hacker in my grandma...
Re: Single User Security
Hmmm... pk... Polkit.CwF wrote:...well, maybe if you had read my post..
and pkexec is polkit.
I did read your post. Very good points.
My scripts do not use sudo. I first started using Linux beore Debian even existed so regard much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh. And browsers. So far the only real option appears to be a VM, or a VT for non-gui stuff.
Re: Single User Security
OK.Bulkley wrote:Agreed.bw123 wrote:That's easy, don't do it.
What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.
Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
Multiseat.
Can this currently be done with TWO users using X?
Re: Single User Security
I know how they work, but find it incredibly annoying spending countless hours troubleshooting scripts only to find its an obscure permission problem. I prefer getting things working as superuser, and THEN running it at user level. After 25 years, whatever 'risks' involved appear to be minimal.Bulkley wrote:Agreed.bw123 wrote:That's easy, don't do it.
What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.
Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
I have used this approach on my heavily modded ecommerce website, without any issues. Permissions have been set, and set correctly.
For about 8 years now.
Re: Single User Security
What are root and user terminals?millpond wrote:much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh.
terminal-emulators? probably.
But what the heck is a user terminal and a root terminal?
I sure can run ssh as web-browsers as root.
You might want to give a real and detailed example what you are speaking of.
Last edited by xepan on 2019-01-19 17:14, edited 1 time in total.
-
- Global Moderator
- Posts: 2625
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 190 times
Re: Single User Security
@xepan, you could maybe edit that, I don't think CwF said that...
..and I believe 'user' and 'root' are common terms, as is "terminal'. *-emulator is not more specific or critically clarifying.
@millpond; I'm not sure what I missed in my first response other than 'groups' maybe. The solution to whatever issue you have yet to declare is likely solved with a specific sudoers.d declaration which means you type 'sudo' if ran as user. Typing 'pkexec' with a corresponding polkit declaration in /usr/share/polkit-1/actions is likely not applicable, maybe... If your process would benefit from terminal feedback, then the terminal could be called up with pkexec. Otherwise use sudo.
Also missed in that first response:
..and I believe 'user' and 'root' are common terms, as is "terminal'. *-emulator is not more specific or critically clarifying.
@millpond; I'm not sure what I missed in my first response other than 'groups' maybe. The solution to whatever issue you have yet to declare is likely solved with a specific sudoers.d declaration which means you type 'sudo' if ran as user. Typing 'pkexec' with a corresponding polkit declaration in /usr/share/polkit-1/actions is likely not applicable, maybe... If your process would benefit from terminal feedback, then the terminal could be called up with pkexec. Otherwise use sudo.
Also missed in that first response:
So your response that gksu is missing means I'm wasting time here.CwF wrote: I assume you have already purged any gksu use.
Re: Single User Security
I'm still interested in understanding how millpond is setting his things up. Yes No I don't understand what a rooted terminal is, but if millpond has been using linux for 25 to 30 years I'm more interested in how things were done in linux before my time.
It's kind of like the communication gap between younger and older generations. And it's not funny how that communication gap very rarely get bridged.
So I'm doing my best to be patient with the newfangled (in comparison) best practices I've developed over time and not let them interfere with others developing their own methods. Try to give pointer when I can and learn as much as possible from others too. It is the Linux/Gnu/Debian way to let anyone that wants to hacker on the software.
I've already figured out that millponds eccentric (off centered, [1] if you will) methods are not mainstream and I'm waiting for that light to go on when I actually figure out how the setup works.
I was just thinking about the rooted terminal and wondering if it's like uml which many here have surely heard of?
Or perhaps running xserver using xsm which I haven't done for a long time.
Does that make sense?
[1] DogFishHead Brewery "for the slightly off-centered" Cheers
It's kind of like the communication gap between younger and older generations. And it's not funny how that communication gap very rarely get bridged.
So I'm doing my best to be patient with the newfangled (in comparison) best practices I've developed over time and not let them interfere with others developing their own methods. Try to give pointer when I can and learn as much as possible from others too. It is the Linux/Gnu/Debian way to let anyone that wants to hacker on the software.
I've already figured out that millponds eccentric (off centered, [1] if you will) methods are not mainstream and I'm waiting for that light to go on when I actually figure out how the setup works.
I was just thinking about the rooted terminal and wondering if it's like uml which many here have surely heard of?
Or perhaps running xserver using xsm which I haven't done for a long time.
Does that make sense?
[1] DogFishHead Brewery "for the slightly off-centered" Cheers
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.
-
- Global Moderator
- Posts: 2625
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 190 times
Re: Single User Security
You're exactly right llivv. The term 'rooted' is a misappropriated term from smart phone lingo. When a factory device or computer without any 'factory' root account is then subjected to 'rooting' software to gain access, then the device is "rooted". I think the correct term here is simply a root user terminal. In this case formerly provided by gksu for a user, or the default while loogen on as root.
So first, figure out the newer polkit policy and add a policy file for the preferred terminal-emulator. Where that isn't applicable, do the sudoer.d thing, and there you go.
My two cents is on the fact that there are a hundred gksu references on the system(s). To avoid that, maybe everything is happening in gksu provided terminals, which is now broken. So the temptation is to simply run as root.
Since gksu is absent from buster there are a handful of things that need a choice. You could simply leave the stretch versions in place. Or you can check sid for policy kit versions. Once everything has an authority reference of some kind other than gksu, then purge it and move on...
Or, I'm way off and there are other issues!?
Of note, all my images have a fully graphical desktop for the root user and it's set up for what root might do. Which it never does, since I never need it...since I have users and they work too, so...ya.
So first, figure out the newer polkit policy and add a policy file for the preferred terminal-emulator. Where that isn't applicable, do the sudoer.d thing, and there you go.
My two cents is on the fact that there are a hundred gksu references on the system(s). To avoid that, maybe everything is happening in gksu provided terminals, which is now broken. So the temptation is to simply run as root.
Since gksu is absent from buster there are a handful of things that need a choice. You could simply leave the stretch versions in place. Or you can check sid for policy kit versions. Once everything has an authority reference of some kind other than gksu, then purge it and move on...
Or, I'm way off and there are other issues!?
Of note, all my images have a fully graphical desktop for the root user and it's set up for what root might do. Which it never does, since I never need it...since I have users and they work too, so...ya.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Single User Security
How about systemd-nspawn?millpond wrote:So far the only real option appears to be a VM, or a VT for non-gui stuff.
Adopt, adapt & improve: http://forums.debian.net/viewtopic.php?f=16&t=129390
deadbang
Re: Single User Security
Perhaps you can give me an example for one of those references, i am still pretty confused.CwF wrote:Yo.
My two cents is on the fact that there are a hundred gksu references on the system(s). To avoid that, maybe everything is happening in gksu provided terminals, which is now broken. So the temptation is to simply run as root.
I haven't got gksu installed (neither polkit, btw), and on voidlinux i don't even find pkexec (which confuses me even more). But as of now i didn't run in any problems. (described above as restrictions). I also don't remind any problems with the other distros and OS'es i tried including Debian.
I never really set up anything to gain such.
thanks in advance.