| 1 |
Frank Peters posted on Tue, 17 Jun 2014 09:04:34 -0400 as excerpted: |
| 2 |
|
| 3 |
> The problem with all Linux distributions, and not just Gentoo, is that |
| 4 |
> they are directed toward a multi-user, networked environment. As a |
| 5 |
> consequence, they exhibit security and other features that generally |
| 6 |
> make no sense whatsoever for a single-user desktop machine that |
| 7 |
> optionally connects externally only with an ISP through a router/modem. |
| 8 |
|
| 9 |
> In the single-user, desktop environment, the probability of a buffer |
| 10 |
> overflow "attack" is virtually nil, especially if one is highly |
| 11 |
> selective about "surfing" the Internet and employing Internet software |
| 12 |
> (which I am). |
| 13 |
|
| 14 |
> My system is configured in a way that is quite contrary to recommended |
| 15 |
> Linux practice (for example I run only and always as the root superuser |
| 16 |
> and have no need for file permissions) but yet it makes perfect sense |
| 17 |
> for my situation. |
| 18 |
> |
| 19 |
> Are single desktop users that much of a minority? I would hope not. |
| 20 |
|
| 21 |
While I strongly disagree with your position, I equally strongly respect |
| 22 |
you for knowing what you want and sticking to it. As I said earlier, |
| 23 |
gentoo wouldn't be gentoo if it didn't both allow such a thing and make |
| 24 |
it reasonably easy by exposing and automating the tools necessary to do |
| 25 |
such things, and that sort of individualism is /exactly/ what gentoo is |
| 26 |
about. =:^) |
| 27 |
|
| 28 |
As to the disagreement, I guess I'm a single-human-user desktop system |
| 29 |
user too. But I recognize the benefits of running various daemons as |
| 30 |
their own (non-human) user, for instance, and in fact, I've gone to some |
| 31 |
lengths to setup two entirely separate user accounts, a generic user |
| 32 |
account and a sysadmin account, so I don't have to "take the name of root |
| 33 |
in vain" when I have my sysadmin hat on. |
| 34 |
|
| 35 |
My normal user is deliberately quite restricted, only a very few |
| 36 |
restricted sudo commands available, etc. It's the only one that runs X. |
| 37 |
One of the few things that user CAN do, however, is sudo (with password) |
| 38 |
to the admin user. |
| 39 |
|
| 40 |
The admin user in turn has unrestricted passwordless sudo, but does NOT |
| 41 |
operate as root /without/ that sudo. Running as the admin user, among |
| 42 |
other things I avoid live-editing a potentially damaging command (like |
| 43 |
rming a system file) as root -- I type the command in and initially run |
| 44 |
it as the unprivileged admin user. Of course then the risky command |
| 45 |
fails with a permissions error, but in so doing it lets me see exactly |
| 46 |
what it WOULD have done (which files it would rm, etc). If and only if |
| 47 |
it's the file(s) that I intended (and ONLY those files), I can quickly |
| 48 |
uparrow to bring the command back, hit home and add the sudo, to run the |
| 49 |
command for real. But that admin user doesn't run X, nor can I su or sudo |
| 50 |
any X-based apps as root, from my normal X-using user. Superuser is |
| 51 |
strictly limited to the commandline, and even then, I normally don't run |
| 52 |
a full shell as superuser, instead only executing specific commands as |
| 53 |
superuser using sudo. |
| 54 |
|
| 55 |
So quite in contrast to you, I don't normally even escalate to superuser |
| 56 |
even when I'm doing admin tasks, except for specific commands. But sudo |
| 57 |
and sudoedit (which I have aliased to simply s and se, respectively, with |
| 58 |
an smc for sudo mc, as another frequently used alias) are tools I use all |
| 59 |
the time. |
| 60 |
|
| 61 |
Meanwhile, as rich0 already alluded to, several of the recent malware |
| 62 |
incidents have been propagated via otherwise legitimate ad-networks, |
| 63 |
placing vuln-trigger ads on otherwise legitimate and widely respected web |
| 64 |
sites. If you're running ads on your favorite news site, you're |
| 65 |
potentially vulnerable, as that's specifically the channel of attack |
| 66 |
they're using these days. |
| 67 |
|
| 68 |
Now of course I run noscript and request-policy, both set to whitelist |
| 69 |
mode, blacklisting all off-site scripts and all site-to-site-connections |
| 70 |
except those that I've specifically allowed, and I also run privoxy, so I |
| 71 |
don't tend to see many ads. And I don't actually have any plugins |
| 72 |
registered either and DEFINITELY no servantware such as flash, another |
| 73 |
typical malware-injection method. |
| 74 |
|
| 75 |
But that doesn't mean I don't appreciate stack-smashing protection and |
| 76 |
the like for my browser, and in fact, every time /any/ program segfaults |
| 77 |
or the like, I find myself quickly evaluating the chance that said |
| 78 |
segfault was due to a buffer overflow, what might have triggered it, the |
| 79 |
data I was working on at the time and where it came from, and the |
| 80 |
potential risk of malware injection. So I'm certainly appreciating this |
| 81 |
SSP here as I appreciate the lowering of risk profile it brings! =:^) |
| 82 |
|
| 83 |
But obviously your use-case and mine are about as contrasted as they |
| 84 |
could be even if we're both running single-human-user desktop systems; |
| 85 |
you're running as root all the time, while I try not to even run a shell |
| 86 |
as root. You don't care about SSP and the like, while I definitely |
| 87 |
appreciate the lower risk profile and spend a significant amount of my |
| 88 |
time educating myself on current security issues and actively avoiding |
| 89 |
things that might increase my risk profile. |
| 90 |
|
| 91 |
But as I said, I can and do still respect that. You have every right to |
| 92 |
run that way if you like, and gentoo even tends to make it easier for you |
| 93 |
to do so. =:^) |
| 94 |
|
| 95 |
-- |
| 96 |
Duncan - List replies preferred. No HTML msgs. |
| 97 |
"Every nonfree program has a lord, a master -- |
| 98 |
and if you use the program, he is your master." Richard Stallman |
Archives