On 15 Jul 2013, at 16:29, Norbert Hartl <[email protected]> wrote: > > Am 12.07.2013 um 20:11 schrieb Mariano Martinez Peck <[email protected]>: > >> >>> >>> This problem is often solved using filesystem permissions. Often programs >>> are started as root and so they can read files where root is the only one >>> having read permisson. After doing priviledged stuff the program drops its >>> priviledge and acts as a normal user. In case of a pharo image that >>> wouldn't be to easy. You could have a small program started as root reads >>> the information from the file and starts pharo as normal user passing the >>> information in. Or you could start pharo and another priviledged program >>> that reads the password file and sets the information in the pharo image >>> via socket or something similar. Or you are able to start the pharo process >>> with a dedicated user and arrange the filesystem permission in a way that >>> only this user has read access. Basically they are all the same. >>> >>> >>> mmm i understand. Doesn't look easy. The last one "Or you are able to start >>> the pharo process with a dedicated user and arrange the filesystem >>> permission in a way that only this user has read access" sounds one more >>> thing to do that could help. The only thing this can fail is if the user >>> the hacker use to get inside is the same that runs Pharo or one with root >>> provilegies. >>> >> Exactly. If someone is able to gain root priviledge there is not much left >> you can do. That is one of the reasons why programs should have no special >> priviledges or drop them after doing important stuff. Writing a C >> application that starts your image, read password file and drops priviledge >> is not as hard as it sounds. Probably the way you pass the information to >> the image is a bit more. You certainly can not pass it as an argument to the >> image without further measurement because it would be visible by programs >> like ps. But there are ways to hide it or you can you use a pipe. >> >> >> Norbert...just curious...I guess it's a good idea if I have no ssh access >> for the user that runs the Pharo image and that will likely have read access >> to such file, right? >> So that way they only way to get inside the system is with another user and >> then jump to the one than runs Pharo. So there are at least 2 users there >> and not one. >> It makes sense right? >> > Not to me :) It's like I tried to explain lately with the password encrypted > with a password. If it comes to security you can always make things more > complicated and building chains. In the end the security is defined by its > weakest link. So you need to find out where are weaknesses. > > Assuming that if you can login via ssh it doesn't mean anyone else can. > Basically there are two possibilities. Either ssh has a security hole or you > loose your key with password. What else should happen? If ssh has a security > hole it doesn't matter which user tries to log in. And using another user > means that someone is on the machine. I think getting access to a machine is > a _much_ more difficult than to get root access if you are loggend into a > machine. > > So my advise would be: Smalltalk and security are the two ends of the > productivity scale. While smalltalk can make you really productive, security > can keep you from achieving anything. Btw. that is the reason why I decided > to go for programming instead of security 15 years ago. > > So instead making it complicated for yourself without gaining anything you > need to define exactly what is the scope that you want to protect and against > which measuements you want to protect yourself. > > If you don't trust ssh order a KVM switch with remote capabilities at your > provider. With that you can have access to the console of the computer and > you can turn off ssh completely. But how do you copy files to the machine > then….??? Ah and btw. while we are at it. I hope you don't use linux. Why > designing a tight security strategy if you put it on top of an immature > operating system? Use OpenBSD instead! > I hope you can see what I'm trying to tell you. There is no such thing as > security. There is only a probability that someone breaks into your machine. > Lowering this probability means most of the time making the system a lot more > cumbersome. So for every project there is a setting that leverages best for > the needs. But before that you have to know what is really necessary so put a > probability onto every measurement and not try to be too paranoid.
I also don't understand the fuss, unless it is for a banking application that needs to adhere to some hard standard for certification (in which case you need help from people specialised in that area anyway). Having critical information in config files (/etc, ~/.ssh, the server's HTTPS private certificates and so on) is almost unavoidable and why should you not trust your machine ? The next question then is, can you trust keeping a password in RAM ? If security is managed well on the machine and you don't do stupid things, you should be OK. Some sysadmin friend could do an audit, for example. If someone gets (root) access to the machine that would be a catastrophic event anyway ;-) Sven > Norbert > >> >> >>> If those are no options than it will be hard. Of course you can encypt the >>> password file itself but that won't work without extra measurement. That is >>> always the trap in thinking about security. The encryption of the password >>> file would be possible only if you have something you can decrypt it with. >>> And that information would have exactly the same security implications as >>> the password itself. Thus it solves nothing but only shifts the >>> responsibility for security to another piece of information. >>> >>> >>> yes, but as I wrote a bit, it will make it a bit more complicated! >>> >> >>> Thanks Norbert for the ideas. >>> >> My pleasure! >> >> Norbert >> >> >> >> >> >> -- >> Mariano >> http://marianopeck.wordpress.com >
