| 1 |
On 26 June 2020 22:03:35 CEST, james <garftd@×××××××.net> wrote: |
| 2 |
>On 6/26/20 12:38 PM, Daniel Frey wrote: |
| 3 |
>> On 6/20/20 7:04 PM, William Kenworthy wrote: |
| 4 |
>>> Thanks for filing the bug. |
| 5 |
>> |
| 6 |
>> Gah! I forgot about this! |
| 7 |
>> |
| 8 |
>> I filed a bug now, I hope I made it clear enough. Others can pipe in |
| 9 |
>> there with comments if they like. |
| 10 |
>> |
| 11 |
>> I did indicate the two potential proposals to correct the issue in |
| 12 |
>the |
| 13 |
>> bug itself. |
| 14 |
>> |
| 15 |
>> https://bugs.gentoo.org/729752 |
| 16 |
>> |
| 17 |
>> Dan |
| 18 |
> |
| 19 |
>BEFORE I contribute to this bug, I'm posting here to see if others are |
| 20 |
>or have interest, in my thoughts on this issue and my related needs for |
| 21 |
> |
| 22 |
>extreme security, via Gentoo. Below is far from complete, but it only |
| 23 |
>provides a very snippets of my (secure) pathway forward with Gentoo. |
| 24 |
> |
| 25 |
>Interesting thread, thanks to all contributors. I'd like to add 'my |
| 26 |
>selfish' interest, as they also be espoused by other, more focused, |
| 27 |
>gentoo users. |
| 28 |
> |
| 29 |
>INTRO: |
| 30 |
> |
| 31 |
>I rarely build gentoo systems, for many reasons, that are not pretty |
| 32 |
>singularly focused. It drastically reduces security, performance and |
| 33 |
>upgrade issues. For me, the days of a any system, having groups or |
| 34 |
>users, are in the history books of very bad ideas. uP are so cheap and |
| 35 |
>less than $100, gets you a very 'bad ass' computer (Rasp. Pi 4+) 16 G |
| 36 |
>map-able ram. Furthermore, SOON, usb_4 devices are going to obsolete |
| 37 |
>the |
| 38 |
>entire concept of a 'hard drive'; hence the death (my prediction) of |
| 39 |
>groups and users on multi-USER systems, albeit slowly. |
| 40 |
> |
| 41 |
>Multi-function, Multi-tasking, and light weight, focused transient |
| 42 |
>clusters are the future. YMMV. |
| 43 |
> |
| 44 |
> |
| 45 |
>So solving a problem, that was real and big, decades ago, fails to look |
| 46 |
> |
| 47 |
>at the future. For me, Gentoo is future proof. I suggest a well |
| 48 |
>documented pathway forward; totally without the concept of groups and |
| 49 |
>users, on a typical, highly secure system. Which is now the baseline |
| 50 |
>for |
| 51 |
>real systems, particularly with a ipv4 or ipv6 static ip, that provide |
| 52 |
>focused and highly restricted functionalities. CA servers are going |
| 53 |
>private, as the public and root CA servers, are suspect, at best, as to |
| 54 |
> |
| 55 |
>being pristinely secure. Yes boys and girls most Certificate |
| 56 |
>Authorities |
| 57 |
>are HACK! Even the main root CAs. |
| 58 |
> |
| 59 |
>The F. Feds are the original culprits, but now it is a feeding frenzy. |
| 60 |
>The planet is now hacked, and groups and users concepts are the past. |
| 61 |
>imho! Danger Will Robinson Danger! |
| 62 |
> |
| 63 |
>So can some of the smarter (gentoo) folks illuminate how to totally |
| 64 |
>avoid groups and users, except for the minimum required, application |
| 65 |
>specific? For example like serial line tools, or outline a set of |
| 66 |
>tweaks/setting to avoid these altogether? |
| 67 |
> |
| 68 |
>I build embedded G. systems. I build single purpose G systems. I build |
| 69 |
>security G. systems (often with the ethernet, in only listen mode. I |
| 70 |
>build G. Firewalls. |
| 71 |
>I build G. highly restricted/filtered servers. NONE of those need users |
| 72 |
> |
| 73 |
>or groups. And if they do, I can obfuscate codes to provide that need, |
| 74 |
>to where filters and focused software gets what it needs to provide |
| 75 |
>functions. |
| 76 |
> |
| 77 |
>Yep, I'm moving to a total 'State_Machine_design' for critical |
| 78 |
>services. |
| 79 |
>Strip out every thing else..... |
| 80 |
> |
| 81 |
>Am I alone, or have/are others contemplating such high secure pathways? |
| 82 |
> |
| 83 |
>I'd be fantastic to find a kernel hacker that is on the pathway of |
| 84 |
>extreme minimization too; private email is fine; if that is in your |
| 85 |
>wheel_house. |
| 86 |
> |
| 87 |
> |
| 88 |
>curiously alone?, |
| 89 |
>James |
| 90 |
|
| 91 |
James, |
| 92 |
|
| 93 |
Doesn't this imply that all the software and people interacting with the systems all have root-level access? |
| 94 |
|
| 95 |
One of the reasons MS systems were so vulnerable in the past was because they did not support seperated users. It's also still a problem with a lot of legacy systems. |
| 96 |
|
| 97 |
As long as more than 1 person can access the system, seperate users and groups/ACLs are necessary. |
| 98 |
|
| 99 |
Can you explain how having no users makes a system more secure? |
| 100 |
|
| 101 |
-- |
| 102 |
Joost |
| 103 |
-- |
| 104 |
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
Archives