| 1 |
On Fri, Jun 26, 2020 at 4:03 PM james <garftd@×××××××.net> wrote: |
| 2 |
> |
| 3 |
> So can some of the smarter (gentoo) folks illuminate how to totally |
| 4 |
> avoid groups and users, except for the minimum required, application |
| 5 |
> specific? For example like serial line tools, or outline a set of |
| 6 |
> tweaks/setting to avoid these altogether? |
| 7 |
> |
| 8 |
|
| 9 |
IMO if extra security is your goal then if anything you want to have |
| 10 |
MORE use of users rather than less. Everything should be least |
| 11 |
privilege, and usually that means having separate UIDs for everything, |
| 12 |
and then layering on stuff like namespaces/SELinux/capabilities/etc on |
| 13 |
top of that to further tailor things. |
| 14 |
|
| 15 |
Of course the more config you have like this, the more there is to |
| 16 |
audit. However, you also have to consider the failure mode. When you |
| 17 |
have layers of security and some layer fails, chances are that the |
| 18 |
failure still results in more containment than what you would have had |
| 19 |
if you didn't build the layers in the first place. |
| 20 |
|
| 21 |
Now, one thing that would result in fewer UIDs is installing less |
| 22 |
stuff. Maybe that is what you're getting at, and of course reducing |
| 23 |
the attack surface is a good thing. However, keep in mind that a UID |
| 24 |
in /etc/passwd doesn't actually do anything if no process runs with |
| 25 |
that UID - it is just a line in a text file. So, having a uucp group |
| 26 |
when no processes have access to it doesn't really cause issues. |
| 27 |
Removing the group doesn't actually make things more secure, because |
| 28 |
processes can use a gid even if it doesn't exist in /etc/groups. |
| 29 |
Effectively any POSIX system has every uid/gid available even if there |
| 30 |
is no /etc/passwd at all. |
| 31 |
|
| 32 |
-- |
| 33 |
Rich |
Archives