Hi,

On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> For heaven's sake, the man page says
> 
>        Traditionally, write access is allowed by default.  However,  as  users
>        become  more  conscious  of various security risks, there is a trend to
>        remove write access by default, at least for the primary  login  shell.
>        To  make  sure  your ttys are set the way you want them to be set, mesg
>        should be executed in your login scripts.
> 
> Clearly at least the man page writer realized there was a threat there
> _and chose not to remove the threat_ !?

For context, that was likely written by someone a decade or more
ago, someone who did not have responsibility for any other part of
Linux. Since that time even the parts that were in charge of setting
terminal permissions might have changed implementation and
maintainers several times.

It's not that they chose not to keep the rest of the system
consistent with their opinion, it's more likely that they could not.

Documentation and integration are perpetually out of date in Linux.
Also no one can agree on which documentation is canonical, and very
few people read any of it. I'm just as guilty as anyone: having no
use for "wall" or "mesg" for decades, I hadn't read its man page and
didn't notice that terminals were group-writeable.

> Is there really nothing better than sudo find / <something to show
> files with uid or gid perms> and try to figure out which of those
> programs are not necessary?

I don't think there is, no. After finding each of those things you
would need to do some research on each one. Those that are
particularly worrisome probably already do have some notes
somewhere.

> $ sudo crontab -l
>    ...
>  47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
>                       (apt list --upgradable 2>/dev/null |\
>                       egrep -v '^Listing' >| /etc/motd)

You may like to look into "apticron-systemd" for a systemd timer
that does the above. (drop the "-systemd" if you prefer a cron job
equivalent)

apticron is mentioned in the Debian Administrator's Handbook which
is worth a read even though it only covers up to Debian 11.

https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
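
Added example, not part of the message above: a sketch of the audit discussed in the thread, listing setuid/setgid files, naming the Debian package that ships each one as a starting point for research, and checking a terminal for the group-write bit that mesg controls. The function names and the UNPACKAGED label are made up for this example; it assumes GNU find and stat, and dpkg-query for the package lookup.

```shell
#!/bin/sh
# Added example: audit helpers for setuid/setgid files and tty permissions.

# Print "octal-mode owner:group path" for every setuid or setgid regular
# file under directory $1. -xdev keeps the scan on one filesystem.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# Read list_privileged output on stdin and add the owning Debian package,
# or UNPACKAGED when dpkg has no record of the path (or is not installed).
annotate_with_package() {
    while read -r mode owner path; do
        pkg=$(dpkg-query -S "$path" 2>/dev/null | cut -d: -f1)
        printf '%s %s %s %s\n' "$mode" "$owner" "${pkg:-UNPACKAGED}" "$path"
    done
}

# Return 0 if file or device $1 has the group-write bit set, which is
# the bit "mesg y" sets on a terminal and "mesg n" clears.
group_writable() {
    case $(stat -c '%A' "$1") in
        ?????w*) return 0 ;;   # 6th character of e.g. crw--w---- is group write
        *) return 1 ;;
    esac
}

# Scan only when a directory is given, e.g.: sudo sh audit.sh /usr
if [ -n "${1:-}" ]; then
    list_privileged "$1" | annotate_with_package
    t=$(tty) && group_writable "$t" && echo "$t is group-writable (mesg y)"
fi
```

Files reported as UNPACKAGED were not installed by dpkg and deserve a closer look first.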
