Single User Security

If it doesn't relate to Debian, but you still want to share it, please do it here

Re: Single User Security

Postby dilberts_left_nut » 2019-01-21 07:11

1337 for dirs with the wrong permissions ... ;)
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 4992
Joined: 2009-10-05 07:54
Location: enzed

Re: Single User Security

Postby bw123 » 2019-01-21 07:41

dilberts_left_nut wrote:1337 for dirs with the wrong permissions ... ;)


I ran windows that way for yrs. When I tried it on linux, I found out that it's just too easy to delete/edit/create something somewhere that hoses some part of the system, without realizing it, sometimes days or even weeks later. Mysteriously, the system just starts to degrade, and you really don't understand what error you made and where the problem is. Group ownership in particular seems to be somewhat important, in ways that can be hard to understand.

The problem with the strategy of setting everything up to run as root, and implementing user permissions later, is like driving all nails with the biggest sledgehammer you have. The nails are hard to remove later. You don't drive a nail unless you're sure.
User avatar
bw123
 
Posts: 3787
Joined: 2011-05-09 06:02

Re: Single User Security

Postby millpond » 2019-01-21 17:26

xepan wrote:HeadOnASticks "solution" (to a problem i still don't understand) is that he doesn't have to type a password

Yeah, pretty much, along with forbidding `su` access to users not in the wheel group, which I think is a great idea.

Unfortunately, in SID, at least for this system: There is no wheel group in /etc/group
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-21 17:50

bw123 wrote:
dilberts_left_nut wrote:1337 for dirs with the wrong permissions ... ;)


I ran windows that way for yrs. When I tried it on linux, I found out that it's just too easy to delete/edit/create something somewhere that hoses some part of the system, without realizing it, sometimes days or even weeks later. Mysteriously, the system just starts to degrade, and you really don't understand what error you made and where the problem is. Group ownership in particular seems to be somewhat important, in ways that can be hard to understand.

The problem with the strategy of setting everything up to run as root, and implementing user permissions later, is like driving all nails with the biggest sledgehammer you have. The nails are hard to remove later. You don't drive a nail unless you're sure.


Good points, and my apparent surprise here is that there has been no FAQs around as to how to restore a system, that has been say, backed up to an NTFS system. A script to restore default permissions and groups. I remember a decade ago on Jaunty something like that happened, and I had to install it on a second drive and note the permissions in /etc/ and i believe, /usr/lib.

In order to gain total control over a system we needs must *understand* it, Not 'obey' it.
I am not persuing NO security. I am trying to make security issues at my own discretion. Isnt this one of the Four Freedoms?
Perhaps its changed in Lennux.


For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.

I do like that in Buster the /usr and /lib trees have been simplified. Perhaps that can be expanded to allow for more interaction with other platforms.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby Head_on_a_Stick » 2019-01-21 18:07

millpond wrote:There is no wheel group in /etc/group

Code: Select all
# groupadd wheel
User avatar
Head_on_a_Stick
 
Posts: 10321
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Single User Security

Postby GarryRicketson » 2019-01-21 18:16

For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.


It is hard to explain things to a windows user, Linux does have so called "hacking books", they are called the manual, IE :
Code: Select all
man man
and for example the
millpond wrote:
There is no wheel group in /etc/group
Obviously if a group does not exist one needs to create it, but I don't think windows uses or has those options, don't really know since I don't use it, and never have really.
H-O-A-S showed the command, but for more details, and a example of using the 'man' command:
Code: Select all
man groupadd
or http://man7.org/linux/man-pages/man8/groupadd.8.html
User avatar
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Single User Security

Postby millpond » 2019-01-21 18:17

llivv wrote:So I'm doing my best to be patient with the newfangled (in comparison) best practices I've developed over time and not let them interfere with others developing their own methods. Try to give pointer when I can and learn as much as possible from others too. It is the Linux/Gnu/Debian way to let anyone that wants to hacker on the software.


Linux was originally designed to be used for a student on a laptop. He adopted the prior sysv structure, including permissions - but the user was typically root and the idea of logging in as a user did not come till much later, and accounts were generally reserved for apps.
In other words the emphasis on file system security was based on keeping *apps* from superuser access, more than users - as it was originally a single user system.

Of course as it advanced and became used in production and enterprise the need for more and better security models became required.

The problem I have is that a clustered Wan systen designed to handle thousands of users, might not be appropriate for my needs, as the security measures can be stifling.

Imagine a system that by default does not even recognize insertion of USB stiicks?
(Strike one, for polkit).
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby Head_on_a_Stick » 2019-01-21 18:20

@OP, have you tried Puppy Linux? That runs as root OOTB.

http://bkhome.org/archive/puppylinux/technical/root.htm

See also https://xkcd.com/1200/ :mrgreen:
User avatar
Head_on_a_Stick
 
Posts: 10321
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Single User Security

Postby millpond » 2019-01-21 21:33

Head_on_a_Stick wrote:
millpond wrote:So far the only real option appears to be a VM, or a VT for non-gui stuff.

How about systemd-nspawn?

Adopt, adapt & improve: viewtopic.php?f=16&t=129390



Now this is exactly what I have been looking for

https://wiki.archlinux.org/index.php/Systemd-nspawn
https://dabase.com/e/12009/

Thinking about using it with /opt.
Or making an /opt2

Might even add email to the system.

Cage all the possiible/probable vectors.

This system has 2 processors, and 4G - so the Lennux method might be preferable to a VM.

Spasibo.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-21 22:50

llivv wrote:I never thought of this thread as a post asking for a solution to a specific issue, but rather as a discussion thread to probe for ideas on different ways to secure a box and also learn more about the ways Debian is changing currently.


su man page is one of the manuals I keep a close eye on, it's changed several times making for some unusual advice/depreciation statements in stable testing and sid.

With all these "Path problems" and "Directory merge and link" issues rearing their ugly hacks, changing policy, initializing CoC's everywhere, and implementing new tools that obfuscate the changes made, even pottering can't find simple commits in systemd.

I see huge changes being made with little to no regard to backward compatibility.


.


Indeed, I think it a good idea for some key issued to be raised: Particularly how much power devs should have over a user's desktop.
Nothing infuriates me more than as root, the 'access denied' message.
Security issues are quite important, but its the user who should determine the risks. For example I know full well the risks of rm -f / .foo.
My solution is not to restrict my access, but to either use a scripted alias, or in practice use one of my file managers for system management.

I beleive apps, and not users should be sandboxed on a single user system.

With the current direction Lennux is heading, there will soon come a time when I will simply say WHOA! and stop. I've got the source and packages of the Debian archives, and I might then decide to freeze the system and selectively upgrade through source, or even possible switching to an arch/slackware model - if it is possible to migrate the system to it.

Has this ever been done before? With a system over 200G and 25k packages?

My prior 'fully stocked' system was 32 bit and was upgraded from squeeze to jessie, where I stopped. It was spread across 3 disks and worked fine until the primary seagate drive dropped dead suddenly. It was also heavily modded, but ran mostly through rooted tabs in Xterms.

Ultimately i would like to run all my Win apps in wine, after M$ kills off Win7 (like it did XP). Which is one reason to keep with SId so far and its latest RC versions.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-21 23:00

xepan wrote:
millpond wrote:

As an exampke: I use personalized directories for my files. In running my P2p client and FF (as a user)

What are personalized directories?

I know in advance that the next comment will again make use of terms no one has heard of yet.
I am out.


For example I prefer my download directory to be off / and have evertthing dumped into that. Where I cannot change the dir location to it, I symlink it. This allows me to wite scripts using that directory to be much simpler. And run across multiple machines and architectures. (Same script for all).

There are others, such as a personalized CPAN directory that I use to access from all accounts.

I do not keep personal info or pictures in anything resembling a typical home/media directory fo example. An encryptor booger would have a hard time even finding that type of stuff.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-21 23:03

xepan wrote:
CwF wrote:
xepan wrote:... is that he doesn't have to type a password (?).
Prettty much the only application i need to run as root is gparted anyway.

See my first response for no passwords. See if you have a /etc/sudoers.d/ file. For gparted there is now a policy file for /usr/share/polkit-1/actions. With polkit installed, modify the org.gnome.gparted file with <allow_active>yes</allow_active>,

As of now i just left all systems as they were and it works like a charme.


Like my mint and magaeia systems.

No need to touch them. Not made for heavy lifting.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby millpond » 2019-01-21 23:14

GarryRicketson wrote:
For example, there are plenty of 'hacking' books for taking control over Win systems, and modding them to taste.
Looking for something like that for Linux.


It is hard to explain things to a windows user, Linux does have so called "hacking books", they are called the manual, IE : [code]man man



Unfortunately most man pages are written in technogibberish, and many if not most lack realistic examples.

I can pretty much figure them out with time, and google - but with the mess that Lennux has become, Its quite the chore to even know WHAT to look for.

buster:/# man "magic cookie"
No manual entry for magic cookie

As for being a Win user, well I was using DOS/Win even before Linux existed. Its not a bad system, only a bad corporate model that its controlled by. Kinda like what RedHat is aspiring to be.
millpond
 
Posts: 653
Joined: 2014-06-25 04:56

Re: Single User Security

Postby bw123 » 2019-01-22 00:21

The criticism about man pages is common. It usually ranges from, "Hard to understand, cryptic, too technical" -or- "Not enough information and examples" and it seems like many people don't read them at all, and never try to help by contributing. I find it aggravating when documentation is missing, incomplete, or unavailable but I'd say man pages are a must if you're serious about running the system, especially in an unconventional way.

One of my favorite helpers for man pages is apropos, but there are many other tools to help find information on the system.

Code: Select all
$ apropos cookie
User avatar
bw123
 
Posts: 3787
Joined: 2011-05-09 06:02

Re: Single User Security

Postby Bulkley » 2019-01-22 00:23

I beleive apps, and not users should be sandboxed on a single user system.


Have you tried appimages? They are self-contained and run quite nicely in user-space.
Bulkley
 
Posts: 5826
Joined: 2006-02-11 18:35

PreviousNext

Return to Offtopic

Who is online

Users browsing this forum: No registered users and 5 guests

fashionable