On 2020.06.26 16:03, james wrote:
On 6/26/20 12:38 PM, Daniel Frey wrote:
On 6/20/20 7:04 PM, William Kenworthy wrote:
Thanks for filing the bug.
Gah! I forgot about this!
I filed a bug now, I hope I made it clear enough. Others can pipe in
there with comments if they like.
I did indicate the two potential proposals to correct the issue in
the bug itself.
https://bugs.gentoo.org/729752
Dan
BEFORE I contribute to this bug, I'm posting here to see if others
are or have interest, in my thoughts on this issue and my related
needs for extreme security, via Gentoo. Below is far from complete,
but it only provides a very snippets of my (secure) pathway forward
with Gentoo.
Interesting thread, thanks to all contributors. I'd like to add 'my
selfish' interest, as they also be espoused by other, more focused,
gentoo users.
INTRO:
I rarely build gentoo systems, for many reasons, that are not pretty
singularly focused. It drastically reduces security, performance and
upgrade issues. For me, the days of a any system, having groups or
users, are in the history books of very bad ideas. uP are so cheap
and less than $100, gets you a very 'bad ass' computer (Rasp. Pi 4+)
16 G map-able ram. Furthermore, SOON, usb_4 devices are going to
obsolete the entire concept of a 'hard drive'; hence the death (my
prediction) of groups and users on multi-USER systems, albeit slowly.
Multi-function, Multi-tasking, and light weight, focused transient
clusters are the future. YMMV.
So solving a problem, that was real and big, decades ago, fails to
look at the future. For me, Gentoo is future proof. I suggest a well
documented pathway forward; totally without the concept of groups and
users, on a typical, highly secure system. Which is now the baseline
for real systems, particularly with a ipv4 or ipv6 static ip, that
provide focused and highly restricted functionalities. CA servers are
going private, as the public and root CA servers, are suspect, at
best, as to being pristinely secure. Yes boys and girls most
Certificate Authorities are HACK! Even the main root CAs.
The F. Feds are the original culprits, but now it is a feeding
frenzy. The planet is now hacked, and groups and users concepts are
the past. imho! Danger Will Robinson Danger!
So can some of the smarter (gentoo) folks illuminate how to totally
avoid groups and users, except for the minimum required, application
specific? For example like serial line tools, or outline a set of
tweaks/setting to avoid these altogether?
I build embedded G. systems. I build single purpose G systems. I
build security G. systems (often with the ethernet, in only listen
mode. I build G. Firewalls.
I build G. highly restricted/filtered servers. NONE of those need
users or groups. And if they do, I can obfuscate codes to provide
that need, to where filters and focused software gets what it needs
to provide functions.
Yep, I'm moving to a total 'State_Machine_design' for critical
services. Strip out every thing else.....
Am I alone, or have/are others contemplating such high secure
pathways? I'd be fantastic to find a kernel hacker that is on the
pathway of extreme minimization too; private email is fine; if that
is in your wheel_house.
curiously alone?,
James
While you may not be alone, I do believe you're in a rather small
group. There are probably more who are interested in watching it
progress than who can actually participate and contribute. And while
what you propose may well be part of the future, and it may even be a
large part of it, it won't be so anywhere near soon enough to avoid the
need to continue to improve current systems, even if the improvements
are only usability related, and not directly related to security. This
current issue is nothing more than an annoyance, but it's a major
annoyance for many Gentoo users, possibly more-so for the more casual
users. (Is "casual Gentoo user" an oxymoron?) As the bug proposes,
there are ways of solving it without decreasing security.
Jack
