Single User Security

If it doesn't relate to Debian, but you still want to share it, please do it here

Re: Single User Security

Postby llivv » 2019-01-17 16:38

Hello
and I agree about the comprise.
Perhaps for different reasons spawned from,
ip sniffing,
hacked secured tunnels
(probably from the the tunnels destination - would that be a hack or something else altogether? -go figure)

I look forward to reading more.
Even if a bit unorthodox compared to what is normally seen in this forum,

slipshod oops slipship :lol:
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.
User avatar
llivv
 
Posts: 5638
Joined: 2007-02-14 18:10
Location: cold storage

Re: Single User Security

Postby millpond » 2019-01-17 22:44

Yes, indeed 'unorthodox'. Even a bit eccentric.

But something of value to laptop owners who may be blocked from using gui restore tools, and certainly useful for home users who have 'trusted' family members who do not know or care to know about Linux security fashions.

Gksudo, gksu seems to be missing from Sid. Not good.

NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.

Nor would even suggest using this method as a primary system. In our primary system Lennux (Magaiea) is in a VM. On this machine Lennux is a (near) fully loaded development system for playing around in.

Of great interest is what *real* problems can arise in a system behind 2 NATs, ssh disabled, no servers running.
Can anyone log in? Would setting hosts.deny to all:all (paranoid) break anything? I've got my rether large hosts file from Windoze hooked up for blocking now....

Does SNORT still work? Ther've been so damn many changes, that I cannot keep a bead on them, and all my notes and references are 'deprecated' as Lennux bears little similarity to the traditional Linux system.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby Head_on_a_Stick » 2019-01-18 05:28

millpond wrote:Gksudo, gksu seems to be missing from Sid

They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?
"The trouble with the world is that the stupid are cocksure and the intelligent full of doubt." — Bertrand Russell
User avatar
Head_on_a_Stick
 
Posts: 8842
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Single User Security

Postby xepan » 2019-01-18 07:28

millpond wrote:Y
NB: What I am talking about is not something that should be tried by novice users without some experience about what and how system damage may occur. But one can do just as much damage as a 'user' as 'root' in the right places.


what would that be?
and don't start with anything happening in home, that is quite different from the damage root can do.

As far the 7-proxies approach (behind two NAT's, yada-yada) is concerned: for sure web-browsing and email might be a problem, i would guess. Though i for one mainly ignore those.
Depends on what you do, i guess, and in general security is a subject you want to be as specific and narrow as possible (say: how do i secure ssh? ), the opposite of your way to ask. What your wife does really doesn't add any info to the subject, to give an example. A VPN tries to solve one problem, disabling services solves a different problem; to give another example.
Also ask in the right community. forums debian net isn't really a security channel (but don't ask there like you ask here, duh).

probably something like chrootkit, too, though that might just as well be obsolete right now, due to the never ending changes in Linux land.
Mainly a firewall though.

https://www.debian.org/doc/manuals/secu ... ian-howto/

-
The things which get added to a very complex subject by running as root are the exact reasons why one shouldn't do it, so i guess you will have to live with those extra problems.
xepan
 
Posts: 87
Joined: 2018-11-28 06:38

Re: Single User Security

Postby millpond » 2019-01-18 17:17

Head_on_a_Stick wrote:
millpond wrote:Gksudo, gksu seems to be missing from Sid

They are now obsolete, use pkexec instead.

It is *very* easy to add new polkit rules for any application to run as root, perhaps do that instead of coming here and whining like a spoilt little child?


Who the hell is whining?
Polkit is well under control here.
The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. Ans what are best pracices for THIS mode.

Thank you for pkexec.
Fisrst i've heard of it.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-18 17:24

https://www.debian.org/doc/manuals/secu ... ian-howto/
-----------------------------

This goes a long way for what I am looking for.
Bookmarked.

When I work on a project I always keep security issues as the last concern, so as to be able to avoid permissions problems while developing. Afterwards I can do as needed.
For example while working on websites I often use Win XAMPP, and then move to Linux and work out the permissions issues there.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby CwF » 2019-01-18 19:01

...well, maybe if you had read my post..
and pkexec is polkit.
CwF
 
Posts: 217
Joined: 2018-06-20 15:16

Re: Single User Security

Postby bw123 » 2019-01-18 19:45

millpond wrote:
...The issue at hand is what are the potential problems with running as superuser on a system specifically designed to run at minimum security levels. Ans what are best pracices for THIS mode.
...


That's easy, don't do it. It's not a MODE, it's like swimming with sharks. yeah you can like put a bandaid on the cut and smoke something to stay calm, but the damn sharks are unpredictable. Blood in the water ring any bells? Have you ever wondered why Malware and Virus scanners are millions of dollar bidnezzes on wndows machines?

Airgap the machine, and make a lot of backups. I'm sure the wife can stay off facebook while running as root?

edit: I thought at first you were another user that had a similar username. This person was very sensible and contributed a lot to the forum, but sadly I forget the correct name. It was something similar to millpond, and I took your post seriously for this reason. Now, after reading several of your posts, I don't.
User avatar
bw123
 
Posts: 3757
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Single User Security

Postby Bulkley » 2019-01-18 20:49

bw123 wrote:That's easy, don't do it.


Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.
Bulkley
 
Posts: 5723
Joined: 2006-02-11 18:35

Re: Single User Security

Postby dilberts_left_nut » 2019-01-18 20:54

Or just learn how permissions work.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 4934
Joined: 2009-10-05 07:54
Location: enzed

Re: Single User Security

Postby millpond » 2019-01-19 00:19

CwF wrote:...well, maybe if you had read my post..
and pkexec is polkit.


Hmmm... pk... Polkit.

I did read your post. Very good points.

My scripts do not use sudo. I first started using Linux beore Debian even existed so regard much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh. And browsers. So far the only real option appears to be a VM, or a VT for non-gui stuff.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-19 00:24

Bulkley wrote:
bw123 wrote:That's easy, don't do it.


Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.


OK.

Multiseat.

Can this currently be done with TWO users using X?
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-19 00:36

Bulkley wrote:
bw123 wrote:That's easy, don't do it.


Agreed.

What the OP is trying so hard to do is way too complicated and just going to cause endless trouble.

Possible alternatives:
Kiosk OS - runs in memory; reboot starts fresh.
Live-USB with persistence - I suggest MX Linux which is full featured and easy to set up persistence.
Multiseat configuration - one computer serving two or more terminals.


I know how they work, but find it incredibly annoying spending countless hours troubleshooting scripts only to find its an obscure permission problem. I prefer getting things working as superuser, and THEN running it at user level. After 25 years, whatever 'risks' involved appear to be minimal.

I have used this approach on my heavily modded ecommerce website, without any issues. Permissions have been set, and set correctly.
For about 8 years now.
millpond
 
Posts: 638
Joined: 2014-06-25 04:56

Re: Single User Security

Postby xepan » 2019-01-19 08:33

millpond wrote:much of the newer stuff as an imposition. I can, and have run those scripts out of rooted terminals, but am simply inquiring as to whether anyone has taken the opposite approach and have the superuser using 'using user level terminals' to run anything suspect. Like ssh.

What are root and user terminals?
terminal-emulators? probably.
But what the heck is a user terminal and a root terminal?

I sure can run ssh as web-browsers as root.
You might want to give a real and detailed example what you are speaking of.
Last edited by xepan on 2019-01-19 17:14, edited 1 time in total.
xepan
 
Posts: 87
Joined: 2018-11-28 06:38

Re: Single User Security

Postby CwF » 2019-01-19 14:24

@xepan, you could maybe edit that, I don't think CwF said that...
..and I believe 'user' and 'root' are common terms, as is "terminal'. *-emulator is not more specific or critically clarifying.

@millpond; I'm not sure what I missed in my first response other than 'groups' maybe. The solution to whatever issue you have yet to declare is likely solved with a specific sudoers.d declaration which means you type 'sudo' if ran as user. Typing 'pkexec' with a corresponding polkit declaration in /usr/share/polkit-1/actions is likely not applicable, maybe... If your process would benefit from terminal feedback, then the terminal could be called up with pkexec. Otherwise use sudo.

Also missed in that first response:
CwF wrote: I assume you have already purged any gksu use.

So your response that gksu is missing means I'm wasting time here.
CwF
 
Posts: 217
Joined: 2018-06-20 15:16

PreviousNext

Return to Offtopic

Who is online

Users browsing this forum: No registered users and 6 guests

fashionable