1 |
Frank Peters posted on Tue, 17 Jun 2014 09:04:34 -0400 as excerpted: |
2 |
|
3 |
> The problem with all Linux distributions, and not just Gentoo, is that |
4 |
> they are directed toward a multi-user, networked environment. As a |
5 |
> consequence, they exhibit security and other features that generally |
6 |
> make no sense whatsoever for a single-user desktop machine that |
7 |
> optionally connects externally only with an ISP through a router/modem. |
8 |
|
9 |
> In the single-user, desktop environment, the probability of a buffer |
10 |
> overflow "attack" is virtually nil, especially if one is highly |
11 |
> selective about "surfing" the Internet and employing Internet software |
12 |
> (which I am). |
13 |
|
14 |
> My system is configured in a way that is quite contrary to recommended |
15 |
> Linux practice (for example I run only and always as the root superuser |
16 |
> and have no need for file permissions) but yet it makes perfect sense |
17 |
> for my situation. |
18 |
> |
19 |
> Are single desktop users that much of a minority? I would hope not. |
20 |
|
21 |
While I strongly disagree with your position, I equally strongly respect |
22 |
you for knowing what you want and sticking to it. As I said earlier, |
23 |
gentoo wouldn't be gentoo if it didn't both allow such a thing and make |
24 |
it reasonably easy by exposing and automating the tools necessary to do |
25 |
such things, and that sort of individualism is /exactly/ what gentoo is |
26 |
about. =:^) |
27 |
|
28 |
As to the disagreement, I guess I'm a single-human-user desktop system |
29 |
user too. But I recognize the benefits of running various daemons as |
30 |
their own (non-human) user, for instance, and in fact, I've gone to some |
31 |
lengths to setup two entirely separate user accounts, a generic user |
32 |
account and a sysadmin account, so I don't have to "take the name of root |
33 |
in vain" when I have my sysadmin hat on. |
34 |
|
35 |
My normal user is deliberately quite restricted, only a very few |
36 |
restricted sudo commands available, etc. It's the only one that runs X. |
37 |
One of the few things that user CAN do, however, is sudo (with password) |
38 |
to the admin user. |
39 |
|
40 |
The admin user in turn has unrestricted passwordless sudo, but does NOT |
41 |
operate as root /without/ that sudo. Running as the admin user, among |
42 |
other things I avoid live-editing a potentially damaging command (like |
43 |
rming a system file) as root -- I type the command in and initially run |
44 |
it as the unprivileged admin user. Of course then the risky command |
45 |
fails with a permissions error, but in so doing it lets me see exactly |
46 |
what it WOULD have done (which files it would rm, etc). If and only if |
47 |
it's the file(s) that I intended (and ONLY those files), I can quickly |
48 |
uparrow to bring the command back, hit home and add the sudo, to run the |
49 |
command for real. But that admin user doesn't run X, nor can I su or sudo |
50 |
any X-based apps as root, from my normal X-using user. Superuser is |
51 |
strictly limited to the commandline, and even then, I normally don't run |
52 |
a full shell as superuser, instead only executing specific commands as |
53 |
superuser using sudo. |
54 |
|
55 |
So quite in contrast to you, I don't normally even escalate to superuser |
56 |
even when I'm doing admin tasks, except for specific commands. But sudo |
57 |
and sudoedit (which I have aliased to simply s and se, respectively, with |
58 |
an smc for sudo mc, as another frequently used alias) are tools I use all |
59 |
the time. |
60 |
|
61 |
Meanwhile, as rich0 already alluded to, several of the recent malware |
62 |
incidents have been propagated via otherwise legitimate ad-networks, |
63 |
placing vuln-trigger ads on otherwise legitimate and widely respected web |
64 |
sites. If you're running ads on your favorite news site, you're |
65 |
potentially vulnerable, as that's specifically the channel of attack |
66 |
they're using these days. |
67 |
|
68 |
Now of course I run noscript and request-policy, both set to whitelist |
69 |
mode, blacklisting all off-site scripts and all site-to-site-connections |
70 |
except those that I've specifically allowed, and I also run privoxy, so I |
71 |
don't tend to see many ads. And I don't actually have any plugins |
72 |
registered either and DEFINITELY no servantware such as flash, another |
73 |
typical malware-injection method. |
74 |
|
75 |
But that doesn't mean I don't appreciate stack-smashing protection and |
76 |
the like for my browser, and in fact, every time /any/ program segfaults |
77 |
or the like, I find myself quickly evaluating the chance that said |
78 |
segfault was due to a buffer overflow, what might have triggered it, the |
79 |
data I was working on at the time and where it came from, and the |
80 |
potential risk of malware injection. So I'm certainly appreciating this |
81 |
SSP here as I appreciate the lowering of risk profile it brings! =:^) |
82 |
|
83 |
But obviously your use-case and mine are about as contrasted as they |
84 |
could be even if we're both running single-human-user desktop systems; |
85 |
you're running as root all the time, while I try not to even run a shell |
86 |
as root. You don't care about SSP and the like, while I definitely |
87 |
appreciate the lower risk profile and spend a significant amount of my |
88 |
time educating myself on current security issues and actively avoiding |
89 |
things that might increase my risk profile. |
90 |
|
91 |
But as I said, I can and do still respect that. You have every right to |
92 |
run that way if you like, and gentoo even tends to make it easier for you |
93 |
to do so. =:^) |
94 |
|
95 |
-- |
96 |
Duncan - List replies preferred. No HTML msgs. |
97 |
"Every nonfree program has a lord, a master -- |
98 |
and if you use the program, he is your master." Richard Stallman |