1 |
On 26 June 2020 22:03:35 CEST, james <garftd@×××××××.net> wrote: |
2 |
>On 6/26/20 12:38 PM, Daniel Frey wrote: |
3 |
>> On 6/20/20 7:04 PM, William Kenworthy wrote: |
4 |
>>> Thanks for filing the bug. |
5 |
>> |
6 |
>> Gah! I forgot about this! |
7 |
>> |
8 |
>> I filed a bug now, I hope I made it clear enough. Others can pipe in |
9 |
>> there with comments if they like. |
10 |
>> |
11 |
>> I did indicate the two potential proposals to correct the issue in |
12 |
>the |
13 |
>> bug itself. |
14 |
>> |
15 |
>> https://bugs.gentoo.org/729752 |
16 |
>> |
17 |
>> Dan |
18 |
> |
19 |
>BEFORE I contribute to this bug, I'm posting here to see if others are |
20 |
>or have interest, in my thoughts on this issue and my related needs for |
21 |
> |
22 |
>extreme security, via Gentoo. Below is far from complete, but it only |
23 |
>provides a very snippets of my (secure) pathway forward with Gentoo. |
24 |
> |
25 |
>Interesting thread, thanks to all contributors. I'd like to add 'my |
26 |
>selfish' interest, as they also be espoused by other, more focused, |
27 |
>gentoo users. |
28 |
> |
29 |
>INTRO: |
30 |
> |
31 |
>I rarely build gentoo systems, for many reasons, that are not pretty |
32 |
>singularly focused. It drastically reduces security, performance and |
33 |
>upgrade issues. For me, the days of a any system, having groups or |
34 |
>users, are in the history books of very bad ideas. uP are so cheap and |
35 |
>less than $100, gets you a very 'bad ass' computer (Rasp. Pi 4+) 16 G |
36 |
>map-able ram. Furthermore, SOON, usb_4 devices are going to obsolete |
37 |
>the |
38 |
>entire concept of a 'hard drive'; hence the death (my prediction) of |
39 |
>groups and users on multi-USER systems, albeit slowly. |
40 |
> |
41 |
>Multi-function, Multi-tasking, and light weight, focused transient |
42 |
>clusters are the future. YMMV. |
43 |
> |
44 |
> |
45 |
>So solving a problem, that was real and big, decades ago, fails to look |
46 |
> |
47 |
>at the future. For me, Gentoo is future proof. I suggest a well |
48 |
>documented pathway forward; totally without the concept of groups and |
49 |
>users, on a typical, highly secure system. Which is now the baseline |
50 |
>for |
51 |
>real systems, particularly with a ipv4 or ipv6 static ip, that provide |
52 |
>focused and highly restricted functionalities. CA servers are going |
53 |
>private, as the public and root CA servers, are suspect, at best, as to |
54 |
> |
55 |
>being pristinely secure. Yes boys and girls most Certificate |
56 |
>Authorities |
57 |
>are HACK! Even the main root CAs. |
58 |
> |
59 |
>The F. Feds are the original culprits, but now it is a feeding frenzy. |
60 |
>The planet is now hacked, and groups and users concepts are the past. |
61 |
>imho! Danger Will Robinson Danger! |
62 |
> |
63 |
>So can some of the smarter (gentoo) folks illuminate how to totally |
64 |
>avoid groups and users, except for the minimum required, application |
65 |
>specific? For example like serial line tools, or outline a set of |
66 |
>tweaks/setting to avoid these altogether? |
67 |
> |
68 |
>I build embedded G. systems. I build single purpose G systems. I build |
69 |
>security G. systems (often with the ethernet, in only listen mode. I |
70 |
>build G. Firewalls. |
71 |
>I build G. highly restricted/filtered servers. NONE of those need users |
72 |
> |
73 |
>or groups. And if they do, I can obfuscate codes to provide that need, |
74 |
>to where filters and focused software gets what it needs to provide |
75 |
>functions. |
76 |
> |
77 |
>Yep, I'm moving to a total 'State_Machine_design' for critical |
78 |
>services. |
79 |
>Strip out every thing else..... |
80 |
> |
81 |
>Am I alone, or have/are others contemplating such high secure pathways? |
82 |
> |
83 |
>I'd be fantastic to find a kernel hacker that is on the pathway of |
84 |
>extreme minimization too; private email is fine; if that is in your |
85 |
>wheel_house. |
86 |
> |
87 |
> |
88 |
>curiously alone?, |
89 |
>James |
90 |
|
91 |
James, |
92 |
|
93 |
Doesn't this imply that all the software and people interacting with the systems all have root-level access? |
94 |
|
95 |
One of the reasons MS systems were so vulnerable in the past was because they did not support seperated users. It's also still a problem with a lot of legacy systems. |
96 |
|
97 |
As long as more than 1 person can access the system, seperate users and groups/ACLs are necessary. |
98 |
|
99 |
Can you explain how having no users makes a system more secure? |
100 |
|
101 |
-- |
102 |
Joost |
103 |
-- |
104 |
Sent from my Android device with K-9 Mail. Please excuse my brevity. |