Single User Security

Off-Topic discussions about science, technology, and non Debian specific topics.
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Single User Security

#16 Post by llivv »

Hello
and I agree about the comprise.
Perhaps for different reasons spawned from,
ip sniffing,
hacked secured tunnels
(probably from the tunnel's destination - would that be a hack or something else altogether? - go figure)

I look forward to reading more.
Even if a bit unorthodox compared to what is normally seen in this forum,

slipshod oops slipship :lol:
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#17 Post by millpond »

Yes, indeed 'unorthodox'. Even a bit eccentric.

But something of value to laptop owners who may be blocked from using gui restore tools, and certainly useful for home users who have 'trusted' family members who do not know or care to know about Linux security fashions.

Gksudo, gksu seems to be missing from Sid. Not good.

NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.

Nor would I even suggest using this method as a primary system. In our primary system Lennux (Mageia) is in a VM. On this machine Lennux is a (near) fully loaded development system for playing around in.

Of great interest is what *real* problems can arise in a system behind 2 NATs, ssh disabled, no servers running.
Can anyone log in? Would setting hosts.deny to all:all (paranoid) break anything? I've got my rather large hosts file from Windoze hooked up for blocking now....

Does SNORT still work? There've been so damn many changes, that I cannot keep a bead on them, and all my notes and references are 'deprecated' as Lennux bears little similarity to the traditional Linux system.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Single User Security

#18 Post by Head_on_a_Stick »

millpond wrote:Gksudo, gksu seems to be missing from Sid
They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
deadbang

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#19 Post by xepan »

millpond wrote:Y
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.
what would that be?
and don't start with anything happening in home, that is quite different from the damage root can do.

As far the 7-proxies approach (behind two NAT's, yada-yada) is concerned: for sure web-browsing and email might be a problem, i would guess. Though i for one mainly ignore those.
Depends on what you do, i guess, and in general security is a subject you want to be as specific and narrow as possible (say: how do i secure ssh? ), the opposite of your way to ask. What your wife does really doesn't add any info to the subject, to give an example. A VPN tries to solve one problem, disabling services solves a different problem; to give another example.
Also ask in the right community. forums debian net isn't really a security channel (but don't ask there like you ask here, duh).

probably something like chkrootkit, too, though that might just as well be obsolete right now, due to the never ending changes in Linux land.
Mainly a firewall though.

https://www.debian.org/doc/manuals/secu ... ian-howto/

-
The things which get added to a very complex subject by running as root are the exact reasons why one shouldn't do it, so i guess you will have to live with those extra problems.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#20 Post by millpond »

Head_on_a_Stick wrote:
millpond wrote:Gksudo, gksu seems to be missing from Sid
They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
Who the hell is whining?
Polkit is well under control here.
The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. And what are best practices for THIS mode.

Thank you for pkexec.
First I've heard of it.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#21 Post by millpond »

https://www.debian.org/doc/manuals/secu ... ian-howto/
-----------------------------

This goes a long way for what I am looking for.
Bookmarked.

When I work on a project I always keep security issues as the last concern, so as to be able to avoid permissions problems while developing. Afterwards I can do as needed.
For example while working on websites I often use Win XAMPP, and then move to Linux and work out the permissions issues there.

CwF
Global Moderator
Posts: 2625
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 190 times

Re: Single User Security

#22 Post by CwF »

...well, maybe if you had read my post..
and pkexec is polkit.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Single User Security

#23 Post by bw123 »

millpond wrote:
...The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. And what are best practices for THIS mode.
...
That's easy, don't do it. It's not a MODE, it's like swimming with sharks. Yeah, you can like put a bandaid on the cut and smoke something to stay calm, but the damn sharks are unpredictable. Blood in the water ring any bells? Have you ever wondered why Malware and Virus scanners are millions of dollar bidnezzes on Windows machines?

Airgap the machine, and make a lot of backups. I'm sure the wife can stay off facebook while running as root?

edit: I thought at first you were another user that had a similar username. This person was very sensible and contributed a lot to the forum, but sadly I forget the correct name. It was something similar to millpond, and I took your post seriously for this reason. Now, after reading several of your posts, I don't.
resigned by AI ChatGPT

Bulkley
Posts: 6382
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Single User Security

#24 Post by Bulkley »

bw123 wrote:That's easy, don't do it.
Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Single User Security

#25 Post by dilberts_left_nut »

Or just learn how permissions work.
AdrianTM wrote:There's no hacker in my grandma...

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#26 Post by millpond »

CwF wrote:...well, maybe if you had read my post..
and pkexec is polkit.
Hmmm... pk... Polkit.

I did read your post. Very good points.

My scripts do not use sudo. I first started using Linux before Debian even existed so regard much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh. And browsers. So far the only real option appears to be a VM, or a VT for non-gui stuff.

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#27 Post by millpond »

Bulkley wrote:
bw123 wrote:That's easy, don't do it.
Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
OK.

Multiseat.

Can this currently be done with TWO users using X?

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Single User Security

#28 Post by millpond »

Bulkley wrote:
bw123 wrote:That's easy, don't do it.
Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
I know how they work, but find it incredibly annoying spending countless hours troubleshooting scripts only to find it's an obscure permission problem. I prefer getting things working as superuser, and THEN running it at user level. After 25 years, whatever 'risks' involved appear to be minimal.

I have used this approach on my heavily modded ecommerce website, without any issues. Permissions have been set, and set correctly.
For about 8 years now.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#29 Post by xepan »

millpond wrote:much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh.
What are root and user terminals?
terminal-emulators? probably.
But what the heck is a user terminal and a root terminal?

I sure can run ssh as web-browsers as root.
You might want to give a real and detailed example what you are speaking of.
Last edited by xepan on 2019-01-19 17:14, edited 1 time in total.

CwF
Global Moderator
Posts: 2625
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 190 times

Re: Single User Security

#30 Post by CwF »

@xepan, you could maybe edit that, I don't think CwF said that...
..and I believe 'user' and 'root' are common terms, as is 'terminal'. *-emulator is not more specific or critically clarifying.

@millpond; I'm not sure what I missed in my first response other than 'groups' maybe. The solution to whatever issue you have yet to declare is likely solved with a specific sudoers.d declaration which means you type 'sudo' if ran as user. Typing 'pkexec' with a corresponding polkit declaration in /usr/share/polkit-1/actions is likely not applicable, maybe... If your process would benefit from terminal feedback, then the terminal could be called up with pkexec. Otherwise use sudo.

Also missed in that first response:
CwF wrote: I assume you have already purged any gksu use.
So your response that gksu is missing means I'm wasting time here.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#31 Post by xepan »

@CwF: sorry. i changed it.

llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Single User Security

#32 Post by llivv »

I'm still interested in understanding how millpond is setting his things up. Yes No I don't understand what a rooted terminal is, but if millpond has been using linux for 25 to 30 years I'm more interested in how things were done in linux before my time.
It's kind of like the communication gap between younger and older generations. And it's not funny how that communication gap very rarely gets bridged.
So I'm doing my best to be patient with the newfangled (in comparison) best practices I've developed over time and not let them interfere with others developing their own methods. Try to give pointers when I can and learn as much as possible from others too. It is the Linux/Gnu/Debian way to let anyone that wants to hacker on the software.
I've already figured out that millpond's eccentric (off centered, [1] if you will) methods are not mainstream and I'm waiting for that light to go on when I actually figure out how the setup works.
I was just thinking about the rooted terminal and wondering if it's like uml which many here have surely heard of?
Or perhaps running xserver using xsm which I haven't done for a long time.
Does that make sense?

[1] DogFishHead Brewery "for the slightly off-centered" Cheers
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

CwF
Global Moderator
Posts: 2625
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 190 times

Re: Single User Security

#33 Post by CwF »

You're exactly right llivv. The term 'rooted' is a misappropriated term from smart phone lingo. When a factory device or computer without any 'factory' root account is then subjected to 'rooting' software to gain access, then the device is "rooted". I think the correct term here is simply a root user terminal. In this case formerly provided by gksu for a user, or the default while logged on as root.
So first, figure out the newer polkit policy and add a policy file for the preferred terminal-emulator. Where that isn't applicable, do the sudoers.d thing, and there you go.

My two cents is on the fact that there are a hundred gksu references on the system(s). To avoid that, maybe everything is happening in gksu provided terminals, which is now broken. So the temptation is to simply run as root.

Since gksu is absent from buster there are a handful of things that need a choice. You could simply leave the stretch versions in place. Or you can check sid for policy kit versions. Once everything has an authority reference of some kind other than gksu, then purge it and move on...

Or, I'm way off and there are other issues!?

Of note, all my images have a fully graphical desktop for the root user and it's set up for what root might do. Which it never does, since I never need it...since I have users and they work too, so...ya.
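
An added example, not part of CwF's post or of any Debian tool: one way to take stock of leftover gksu references before purging it, so each can be given a polkit action or sudoers rule first. It assumes the references are `Exec=` lines in `.desktop` launchers; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list launchers that still call gksu/gksudo.

# Exec=/TryExec= lines whose command is gksu or gksudo, bare or with a path.
GKSU_PAT='^(Try)?Exec=(.*[[:space:]/])?gksu(do)?([[:space:]]|$)'

# find_gksu_refs DIR: print "file:line:text" for each match in *.desktop files.
find_gksu_refs() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.desktop' -exec grep -HnE "$GKSU_PAT" {} + || true
}

# count_gksu_refs DIR: number of matching lines under DIR.
count_gksu_refs() {
    find_gksu_refs "$1" | wc -l | tr -d ' '
}

# owning_pkg FILE: Debian package that ships FILE, or "unknown".
owning_pkg() {
    pkg=
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    fi
    echo "${pkg:-unknown}"
}

# report DIR: one line per launcher that still needs a non-gksu authority.
report() {
    find_gksu_refs "$1" | while IFS=: read -r file line text; do
        echo "$(owning_pkg "$file"): $file:$line: $text"
    done
}

# make_sample: constructed launcher files (two use gksu/gksudo, one uses pkexec).
make_sample() {
    d=$(mktemp -d)
    printf '[Desktop Entry]\nName=Pkg manager\nExec=gksu /usr/sbin/synaptic\n' > "$d/a.desktop"
    printf '[Desktop Entry]\nName=Editor\nExec=/usr/bin/gksudo gedit %%f\n' > "$d/b.desktop"
    printf '[Desktop Entry]\nName=Term\nExec=pkexec xterm\n' > "$d/c.desktop"
    echo "$d"
}

# Scan the directory given as $1, or the constructed sample when none is given.
if [ $# -gt 0 ]; then
    report "$1"
else
    s=$(make_sample); report "$s"; rm -rf "$s"
fi
```

Run it against `/usr/share/applications` and `~/.local/share/applications` to see which packages still ship gksu launchers.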

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Single User Security

#34 Post by Head_on_a_Stick »

millpond wrote:So far the only real option appears to be a VM, or a VT for non-gui stuff.
How about systemd-nspawn?

Adopt, adapt & improve: http://forums.debian.net/viewtopic.php?f=16&t=129390
deadbang

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Single User Security

#35 Post by xepan »

CwF wrote:Yo.

My two cents is on the fact that there are a hundred gksu references on the system(s). To avoid that, maybe everything is happening in gksu provided terminals, which is now broken. So the temptation is to simply run as root.
Perhaps you can give me an example for one of those references, i am still pretty confused.
I haven't got gksu installed (neither polkit, btw), and on voidlinux i don't even find pkexec (which confuses me even more). But as of now i didn't run in any problems. (described above as restrictions). I also don't remind any problems with the other distros and OS'es i tried including Debian.
I never really set up anything to gain such.

thanks in advance.
