1 |
On 6/26/20 4:40 PM, Rich Freeman wrote: |
2 |
> On Fri, Jun 26, 2020 at 4:03 PM james <garftd@×××××××.net> wrote: |
3 |
>> |
4 |
>> So can some of the smarter (gentoo) folks illuminate how to totally |
5 |
>> avoid groups and users, except for the minimum required, application |
6 |
>> specific? For example like serial line tools, or outline a set of |
7 |
>> tweaks/setting to avoid these altogether? |
8 |
>> |
9 |
> |
10 |
> IMO if extra security is your goal then if anything you want to have |
11 |
> MORE use of users rather than less. Everything should be least |
12 |
> privilege, and usually that means having separate UIDs for everything, |
13 |
> and then layering on stuff like namespaces/SELinux/capabilities/etc on |
14 |
> top of that to further tailor things. |
15 |
|
16 |
OK, that's a pathway forward, that I no longer believe in, though viable. |
17 |
|
18 |
I think the days of systems design and implementation, that require a |
19 |
default, multi-user, scenario, are arcane and subject to many attack |
20 |
vectors. Granted many will and do disagree, and new pathways are rarely |
21 |
well lighted in my experiences. |
22 |
|
23 |
|
24 |
|
25 |
> Of course the more config you have like this, the more there is to |
26 |
> audit. However, you also have to consider the failure mode. When you |
27 |
> have layers of security and some layer fails, chances are that the |
28 |
> failure still results in more containment than what you would have had |
29 |
> if you didn't build the layers in the first place. |
30 |
|
31 |
Security Schema are many and all are under attack. Most of what I need |
32 |
from a 'well behaved' collective of microprocessors and microcontrollers |
33 |
are in-house and need little (data) from the outside. The need to share |
34 |
outside is nice, but can be limited, dynamically for a wide variety of |
35 |
reason. The deep desire to share, in part-and-parcel, is to be human. |
36 |
For me, as a christian, its far deeper of a need, but that on me. Quick |
37 |
and automated shut-off, is a concept I like very, very much. |
38 |
|
39 |
Currently, the need to be able to "snap my fingers" and instantly |
40 |
isolate, is mostly prevented because our USA government forces chip |
41 |
manufacturers to put "bullshit and backdoors" into most all processors |
42 |
and controllers. That shit has to STOP. They, including our F. Feds do |
43 |
not have that right. If we do not fix this, SATAN gets control; hence |
44 |
the end-times are upon us, like a thief in the night. That's my belief |
45 |
and I know many that think it is too late, to fix. the first step is to |
46 |
have 100% of critical systems components manufactured in the USA. Each |
47 |
country can and should do their own thing. Leaders have now realized, |
48 |
letting folks that rule the large corporations, "have it their way" has |
49 |
landed up in a pile of problems. |
50 |
|
51 |
|
52 |
|
53 |
> Now, one thing that would result in fewer UIDs is installing less |
54 |
> stuff. Maybe that is what you're getting at, and of course reducing |
55 |
> the attack surface is a good thing. However, keep in mind that a UID |
56 |
> in /etc/passwd doesn't actually do anything if no process runs with |
57 |
> that UID - it is just a line in a text file. So, having a uucp group |
58 |
> when no processes have access to it doesn't really cause issues. |
59 |
|
60 |
unless the remotes can inject into that causal hardware relationship and |
61 |
exploit it? Who knows what lurks in them micro-codes of silicon these |
62 |
days.... much of the hardware has hidden Rf channels, well hidden and it |
63 |
requires quite expensive systems that the semiconductor companies |
64 |
provide, mostly to governments, on a use-to-be limited basis. That's why |
65 |
the USA is forcing AMD to bring 7-nm manufacturing to US soil, so they |
66 |
are under USA rule-sets. Makes the Mafia look like choir boys...... |
67 |
|
68 |
here's one publicized: |
69 |
https://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/ |
70 |
|
71 |
|
72 |
and a bit deeper: |
73 |
|
74 |
https://freetechsforum.com/minix-%E2%80%8Bintels-hidden-chip-operating-system/ |
75 |
|
76 |
> Removing the group doesn't actually make things more secure, because |
77 |
> processes can use a gid even if it doesn't exist in /etc/groups. |
78 |
> Effectively any POSIX system has every uid/gid available even if there |
79 |
> is no /etc/passwd at all. |
80 |
|
81 |
|
82 |
And that is coded into the parts of the kernel, we cannot eliminate? |
83 |
Typical sploits? |
84 |
|
85 |
Curiously, a bit deeper explanation? |
86 |
I'm no expert at this stuff, but I am very interested to hear more, from |
87 |
your perspective and experiences which you are comfortable sharing. |
88 |
|
89 |
|
90 |
James |