Re: Off-topic: Gmail Grrrr.
On Sun, Dec 29, 2013 at 12:22:57PM +, Lisi Reisz wrote:
> On Sunday 29 December 2013 00:38:30 Weaver wrote:
> > On Sat, December 28, 2013 3:49 pm, Lisi Reisz wrote:
[..]
> > > It is perfectly possible to lose all or part of one's memory
> > > without an accident. All it requires is old age and the wrong
> > > genes. It is fatal to keep no record anywhere other than in
> > > one's memory.
> >
> > To be honest, I really can't remember that ever happening.
> > Cheers!
>
> Can't remember what happening? People losing memory in old age?

http://www.youtube.com/watch?v=Q3m0KYbCsPY

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131229211418.GA565@tal
Re: Off-topic: Gmail Grrrr.
On Sun, 2013-12-29 at 12:22 +, Lisi Reisz wrote:
> On Sunday 29 December 2013 00:38:30 Weaver wrote:
> > On Sat, December 28, 2013 3:49 pm, Lisi Reisz wrote:
> > > On Saturday 28 December 2013 11:56:37 Chris Bannister wrote:
> > >> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> > >> > And storing banking information outside someone's head is
> > >> > wrong on so many levels that I don't even know where to start
> > >> > ;)
> > >>
> > >> If you have a nasty accident and lose parts of your memory is a
> > >> damn good reason, and that is just as a start! :)
> > >
> > > It is perfectly possible to lose all or part of one's memory
> > > without an accident. All it requires is old age and the wrong
> > > genes. It is fatal to keep no record anywhere other than in
> > > one's memory.
> >
> > To be honest, I really can't remember that ever happening.
> > Cheers!
>
> Can't remember what happening? People losing memory in old age? Do
> you indulge in euthanasia of anyone elderly you come across?? ;-)

No he doesn't, he simply has forgotten, that he has forgotten something.

A lame joke, or as we say in German, "The joke has got a beard".

Archive: http://lists.debian.org/1388320453.1062.113.camel@archlinux
Re: Off-topic: Gmail Grrrr.
On Sunday 29 December 2013 00:38:30 Weaver wrote:
> On Sat, December 28, 2013 3:49 pm, Lisi Reisz wrote:
> > On Saturday 28 December 2013 11:56:37 Chris Bannister wrote:
> >> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> >> > And storing banking information outside someone's head is
> >> > wrong on so many levels that I don't even know where to start
> >> > ;)
> >>
> >> If you have a nasty accident and lose parts of your memory is a
> >> damn good reason, and that is just as a start! :)
> >
> > It is perfectly possible to lose all or part of one's memory
> > without an accident. All it requires is old age and the wrong
> > genes. It is fatal to keep no record anywhere other than in
> > one's memory.
>
> To be honest, I really can't remember that ever happening.
> Cheers!

Can't remember what happening? People losing memory in old age? Do you
indulge in euthanasia of anyone elderly you come across?? ;-)

Lisi

Archive: http://lists.debian.org/201312291222.57141.lisi.re...@gmail.com
Re: Off-topic: Gmail Grrrr.
On Sat, December 28, 2013 3:49 pm, Lisi Reisz wrote:
> On Saturday 28 December 2013 11:56:37 Chris Bannister wrote:
>> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
>> > And storing banking information outside someone's head is wrong
>> > on so many levels that I don't even know where to start ;)
>>
>> If you have a nasty accident and lose parts of your memory is a
>> damn good reason, and that is just as a start! :)
>
> It is perfectly possible to lose all or part of one's memory without
> an accident. All it requires is old age and the wrong genes. It is
> fatal to keep no record anywhere other than in one's memory.

To be honest, I really can't remember that ever happening.
Cheers!

Weaver

--
"It is the duty of the patriot to protect his country from its
government." -- Thomas Paine
Registered Linux User: 554515

Archive: http://lists.debian.org/f5636b2b0ca24c59852dc93a473ef5d5.squir...@fruiteater.riseup.net
Re: Off-topic: Gmail Grrrr.
On Saturday 28 December 2013 11:56:37 Chris Bannister wrote:
> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> > And storing banking information outside someone's head is wrong
> > on so many levels that I don't even know where to start ;)
>
> If you have a nasty accident and lose parts of your memory is a
> damn good reason, and that is just as a start! :)

It is perfectly possible to lose all or part of one's memory without an
accident. All it requires is old age and the wrong genes. It is fatal to
keep no record anywhere other than in one's memory.

Lisi

Archive: http://lists.debian.org/201312282349.22052.lisi.re...@gmail.com
Re: Off-topic: Gmail Grrrr.
On Sat, 2013-12-28 at 23:13 +1100, Zenaan Harkness wrote:
> On 12/28/13, Chris Bannister wrote:
> > On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> >> And storing banking information outside someone's head is wrong on so
> >> many levels that I don't even know where to start ;)
> >
> > If you have a nasty accident and lose parts of your memory is a damn
> > good reason, and that is just as a start! :)
>
> I've thought for some years that a small inexpensive palm-size
> computer, with a truecrypt/tcplay volume, which contains a text file
> containing passwords.

And how do you remember the passphrase for the encryption after the roof
tile has fallen on your head?

Even my idea with the not encrypted address book, a "written down
aide-memoire in an address book on an USB stick or similar might help",
has its drawback. The user likely will forget to unplug the USB stick or
unplugs the USB stick, get sidetracked by a telephone call and instead
of putting down the stick on the PC tower, the user put down the stick
on the telephone table and won't remember it.

You are aware that users reply to phishing mails, seemingly not the
users who had a nasty accident and need to store the data by a browser
profile ;).

You can not expect the same habits by all users. A paperhanger, hanging
wallpapers 5 days a week, for 8 hours a day, does internalise
procedures, movements. A paperhanger can't expect that you follow
procedures, movements the same way as he does, if you hang papers every
few years. You can't expect that a user acts as a power-user does,
especially not when having a brain damage, being old etc..

Archive: http://lists.debian.org/1388245864.1062.42.camel@archlinux
Re: Off-topic: Gmail Grrrr.
On Sun, 2013-12-29 at 00:56 +1300, Chris Bannister wrote:
> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> > And storing banking information outside someone's head is wrong on so
> > many levels that I don't even know where to start ;)
>
> If you have a nasty accident and lose parts of your memory is a damn
> good reason, and that is just as a start! :)

A 4 numbered PIN of a bank card that is seldom used already can be a
PITA without being victim of an accident. The PINs change every few
years and after a while there are similar PINs in your memory, something
like 9972 vs 7929. A written down aide-memoire in an address book on an
USB stick or similar might help.

Mona Lisa Tux 79 Iceshelf City Icedove Street 29

Archive: http://lists.debian.org/1388244198.1062.20.camel@archlinux
Re: Off-topic: Gmail Grrrr.
On Sun, 29 Dec 2013 00:56:37 +1300 Chris Bannister wrote:

> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> > And storing banking information outside someone's head is wrong on so
> > many levels that I don't even know where to start ;)
>
> If you have a nasty accident and lose parts of your memory is a damn
> good reason, and that is just as a start! :)

Um, but would not such accident will result in losing information of
existence of bank account also?
And I can always go to my bank in person, provide them my ID, and have
my cash anyway.

Reco

Archive: http://lists.debian.org/20131228162510.80daacaf3573ea2e5b3ec...@gmail.com
Re: Off-topic: Gmail Grrrr.
On 12/28/13, Chris Bannister wrote:
> On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
>> And storing banking information outside someone's head is wrong on so
>> many levels that I don't even know where to start ;)
>
> If you have a nasty accident and lose parts of your memory is a damn
> good reason, and that is just as a start! :)

I've thought for some years that a small inexpensive palm-size computer,
with a truecrypt/tcplay volume, which contains a text file containing
passwords.

Text files are git-syncable (to backup crypt volumes (when mounted of
course)) and this palm device could be unlocked with user-chosen
combination of security options - a USB key or smartcard, pass phrase,
voice, fingerprint etc.

I know, a smart-phone :)

But, the point being, a dedicated never-connected to any network device
(ie no phone part, no wireless etc).

And what gets unlocked (very temporarily) is just a text file - perhaps
with a fancy Android-swipey GUI thing to scroll through or something.

Sorry getting more OT I guess. I'll just, carry on ...

Archive: http://lists.debian.org/CAOsGNSQ4hatos8ED1kmd+0W0rPAmUf7w5m5Sm=vvg_w-x3o...@mail.gmail.com
Re: Off-topic: Gmail Grrrr.
On Sat, Dec 28, 2013 at 02:43:11PM +0400, Reco wrote:
> And storing banking information outside someone's head is wrong on so
> many levels that I don't even know where to start ;)

If you have a nasty accident and lose parts of your memory is a damn
good reason, and that is just as a start! :)

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X

Archive: http://lists.debian.org/20131228115637.GA26712@tal
Re: Off-topic: Gmail Grrrr.
Hi.

On Sat, 28 Dec 2013 21:01:31 +1100 Zenaan Harkness wrote:

> On 12/25/13, Reco wrote:
> > On Tue, 24 Dec 2013 15:51:25 +0100
> > Ralf Mardorf wrote:
> >
> >> On Tue, 2013-12-24 at 15:40 +0100, Ralf Mardorf wrote:
> >> > On Tue, 2013-12-24 at 18:04 +0400, Reco wrote:
> >> > > I wrote "one runs two instances of firefox with different profiles
>
> To friends stuck in proprietary land, I have suggested here and there
> that they do their internet banking in a separate firefox profile from
> their youtube and facebook etc.
>
> On the rare occasion they have later swapped to GNU, one individual of
> course wanted to keep using her various (she uses quite a few)
> profiles, all of which she keeps in separate Truecrypt volumes!

An interesting approach, but not something I would practice myself.
See, using Truecrypt (or LUKS, or whatever) implies that whatever is
stored inside is valuable enough to keep it encrypted. Anything that is
put into a crypto container is safe until one begins to use it.
And storing banking information outside someone's head is wrong on so
many levels that I don't even know where to start ;)

> > Tell me, which one is more KISS:
> >
> > 1) Appending certain 'keywords' to a link.
> > 2) Parsing such link.
> > 3) Relying on a custom script.
> >
> > Or, just:
> >
> > Run the link in a browser for the current user account.
>
> When one user is running multiple "identities" be in Unix-account
> logins, Firefox profiles, or something else yet, this is always going
> to be more complicated to the one-identity-only problem.
>
> I agree that separate Linux accounts appears to have some definitely
> favourable options. But is the setting up of separate _user_ accounts,
> for "only one user", and training that user (let's say grandma), for
> the sake of some extra security, an established and easy pathway?

I believe you're confusing 'hard to setup' with 'hard to use'.
Of course the end user would be given appropriate icons (or menu
entries, or whatever) which will say 'Press me for Youtube and
Netflix', 'Press me for banking only'.
See Android. They are using different uids for different applications
from the beginning, and nobody complains that 'Android is teh hard'.

>
> Rhetorical question I know. And yes, of course, training Grandma to
> use multiple Firefox profiles is probably not going to be much easier.
> And in both cases "banking" icon on desktop vs "family and photos"
> icon on desktop is going to be the same, from grandma's perspective,
> no matter what's under the hood.
>
> I think what we need is some more software/memes/workflows to be
> established for the easy (eg gui) management of multiple identities
> (or "security contexts" or ...)

That would require all browser makers to change IMO. So far their
attitude was 'put all your activities into one big browser window'.

> XFCE still doesn't have a sanctioned XFCE "user management" applet,
> and those from other DE's are not designed with "automate restrictions
> for banking-only firefox profile" type user-account creation idea.
>
> Maybe an opportunity for libre-software desktop promoter-developers...

That's the point of another different discussion, but my opinion on
that is - useradd, userdel and passwd work good enough. On that
unlikely occasion I'll need pointy and clicky GUI for user management
task - I'll use usermode package (which is already here, and uses GTK2).

Reco

Archive: http://lists.debian.org/20131228144311.d3affcd938d6ca5faa5b3...@gmail.com
Re: Off-topic: Gmail Grrrr.
On 12/25/13, Reco wrote:
> On Tue, 24 Dec 2013 15:51:25 +0100
> Ralf Mardorf wrote:
>
>> On Tue, 2013-12-24 at 15:40 +0100, Ralf Mardorf wrote:
>> > On Tue, 2013-12-24 at 18:04 +0400, Reco wrote:
>> > > I wrote "one runs two instances of firefox with different profiles

To friends stuck in proprietary land, I have suggested here and there
that they do their internet banking in a separate firefox profile from
their youtube and facebook etc.

On the rare occasion they have later swapped to GNU, one individual of
course wanted to keep using her various (she uses quite a few)
profiles, all of which she keeps in separate Truecrypt volumes!

> Tell me, which one is more KISS:
>
> 1) Appending certain 'keywords' to a link.
> 2) Parsing such link.
> 3) Relying on a custom script.
>
> Or, just:
>
> Run the link in a browser for the current user account.

When one user is running multiple "identities" be in Unix-account
logins, Firefox profiles, or something else yet, this is always going
to be more complicated to the one-identity-only problem.

I agree that separate Linux accounts appears to have some definitely
favourable options. But is the setting up of separate _user_ accounts,
for "only one user", and training that user (let's say grandma), for
the sake of some extra security, an established and easy pathway?

Rhetorical question I know. And yes, of course, training Grandma to
use multiple Firefox profiles is probably not going to be much easier.
And in both cases "banking" icon on desktop vs "family and photos"
icon on desktop is going to be the same, from grandma's perspective,
no matter what's under the hood.

I think what we need is some more software/memes/workflows to be
established for the easy (eg gui) management of multiple identities
(or "security contexts" or ...)

XFCE still doesn't have a sanctioned XFCE "user management" applet,
and those from other DE's are not designed with "automate restrictions
for banking-only firefox profile" type user-account creation idea.

Maybe an opportunity for libre-software desktop promoter-developers...

>> > The main thing is
>> >
>> > - KISS
>> > - a user has got no root privileges or assumed the user s admin too,
>> > than it's simply nonsense to become root and too add another user.
>> >
>> > Sometimes it's useful to add another user and sometimes it's not.
>
> Hardly an issue, as adding a user is done once per OS lifetime, not
> each time browser starts.

Again, user accounts, and firefox profiles, are particular
"technologies". We probably ought think in terms of "identities" and how
best to facilitate the use-cases for the types of identities that we (or
"our Debian users") will want to manage. The particular tech under the
hood ought be secondary.

...
> - You have one user with browser profile with flash plugin enabled. Any
> damage that's done via flash plugin is limited to this account data.
> - You have a different user with browser profile with java plugin
> enabled. Again, any damage that's done via java plugin is limited to
> this account data.
> - You have a third user for Google Chrome, which has an interesting
> habit to read files in user's $HOME for unknown reasons.
> - And, you have the main account, which is allowed to run browsers with
> rights of three previous users, and stripped down (no plugins, disabled
> cookies and JS) browser for that clicked link.
> It's basic damage control, applied in advance.

This is a good type of thinking of course.

Depending on the type of online identity, an extra Firefox profile might
be plenty, and in some cases perhaps preferred.

Of course, for my "internet banking, paypal and bill payments" identity,
the stricter protection provided between Linux user accounts appears on
the surface to make a lot of sense.

Separation of ebay and amazon etc product browsing, vs using PayPal to
actually make a specific payment, and how to separate these two browser
functions into separate "personal identity security contexts" is a more
complex issue I think...

>> Sometimes it's even more useful if a family does share one account with
>> different settings. It belongs to the things they want to share or not
>> want to share.

True. People do this.

> That's wrong thing. Would somebody think of the children ;)!
> Having a different account for each family member saves one from 'who
> deleted my important file' incidents, which is invaluable.

True. This happens.

> At least in my family everyone has a different account on every host I
> have in my house. And people usually know (and children can be
> more-or-less easily taught) about usernames/passwords. It's the 'browser
> profiles' which are complete life-changing discovery for them.

Every tech has its place. Goals (as you pointed out some above) are the
real question, and many of those questions are not yet well answered, it
seems self evident.

Best regards to all,
Zenaan
Re: Off-topic: Gmail Grrrr.
On 25/12/13 14:08, Joel Rees wrote:
> On Tue, Dec 24, 2013 at 9:42 PM, Reco wrote:
>> Hi.
>>
>> On Tue, 24 Dec 2013 13:29:28 +0100
>> Ralf Mardorf wrote:
>>
>>> This would lead to "Error: cannot open display: :0.0".
>>> Sure, $ xhost +; sudo -u [...] does the trick,
>>
>> No, if you do it smart way, such as (in .xsessionrc):
>>
>> xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
>> "cat -> /home/user1/.Xauthority"
>> xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
>> "cat -> /home/user1/.Xauthority"
>>
>> And configure sudo to keep $DISPLAY.
>> [...]
>
> I'm using "xhost" to do something similar, maybe the same thing? I
> described it a couple of years ago:
>
> http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
>
> I'd be interested in comments.
>

Why not use sux instead?

from "man sux":-

"sux is a wrapper around the standard su command which will transfer
your X credentials to the target user. Note, suxterm forces ARGS to be
'xterm', and will try to launch an xterminal window."

Kind regards.

Archive: http://lists.debian.org/52be74fe.1000...@gmail.com
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
Hi.

On Wed, 25 Dec 2013 08:33:12 +0100 Ralf Mardorf wrote:

> On Wed, 2013-12-25 at 08:28 +0100, Ralf Mardorf wrote:
> > On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> > > And that assumes you're keeping browsing history. Why people are doin'
> > > this is something that I can never understand.
> >
> > Ok, in this case I recommend to use
> >
> > [rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
> > tor-browser-en 3.5-1

Wow. You don't take half-measures, do you? I was referring to a simple
'Clear history when Firefox closes' checkbox.

> > For my Debian and *buntu install I don't have it installed, since I
> > seldom/never need it, it's only installed for my Arch Linux, just in
> > case I should need it.

TOR has its uses for me, but installing the thing just to clear browser
history is an overkill.

> > IOW a history is useful, is useful, is useful :).
> >
> > About what are we talking?
> >
> > The easiest way still is to use profiles.

Easy != secure. Convenient != secure.

> Ok, security is something
> > else. At least suppress trackers and if needed use a TOR browser tuned
> > regarding to security, like "normal" anonymous Firefox browsing the TOR
> ^^ sorry, I already was
> thinking about an add-on, but there is the "private window" option,
> which is a Firefox default option.
> > Firefox browsing doesn't provide a history.

'Private window' is useless for me. I mean - 'not keeping browser
history'? I don't keep it anyway. 'Not keeping cookies'? All cookies are
purged on browser close.

Reco

Archive: http://lists.debian.org/20131225120111.142c711251eb69e16d6ac...@gmail.com
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
On Wed, 2013-12-25 at 08:28 +0100, Ralf Mardorf wrote:
> On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> > And that assumes you're keeping browsing history. Why people are doin'
> > this is something that I can never understand.
>
> Ok, in this case I recommend to use
>
> [rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
> tor-browser-en 3.5-1
>
> For my Debian and *buntu install I don't have it installed, since I
> seldom/never need it, it's only installed for my Arch Linux, just in
> case I should need it.
>
> IOW a history is useful, is useful, is useful :).
>
> About what are we talking?
>
> The easiest way still is to use profiles. Ok, security is something
> else. At least suppress trackers and if needed use a TOR browser tuned
> regarding to security, like "normal" anonymous Firefox browsing the TOR
^^ sorry, I already was
thinking about an add-on, but there is the "private window" option,
which is a Firefox default option.
> Firefox browsing doesn't provide a history.
>
>

Archive: http://lists.debian.org/1387956792.8138.98.camel@archlinux
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> And that assumes you're keeping browsing history. Why people are doin'
> this is something that I can never understand.

Ok, in this case I recommend to use

    [rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
    tor-browser-en 3.5-1

For my Debian and *buntu install I don't have it installed, since I
seldom/never need it, it's only installed for my Arch Linux, just in
case I should need it.

IOW a history is useful, is useful, is useful :).

About what are we talking?

The easiest way still is to use profiles. Ok, security is something
else. At least suppress trackers and if needed use a TOR browser tuned
regarding to security, like "normal" anonymous Firefox browsing the TOR
Firefox browsing doesn't provide a history.

Archive: http://lists.debian.org/1387956491.8138.95.camel@archlinux
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
Hi.

On Wed, 25 Dec 2013 07:33:53 +0100 Ralf Mardorf wrote:

> On Wed, 2013-12-25 at 10:15 +0400, Reco wrote:
> > b) That sneaky sandbox user can override firefox with something
> > like /home/user9-boxed/bin/firefox, which is bad.
>
> Here we are again ;).
>
> Using a profile, supported by firefox, is the easiest and securest way.

An ability to read and write an arbitrary file in user's $HOME cannot be
called 'secure'. And even if I'd trust browser (firefox is a free
software, after all), there is a matter of plugins.

>
> I only use another user, instead of a profile, if I need a password,
> e.g. to make a history including adult content unavailable for kids.

And that assumes you're keeping browsing history. Why people are doin'
this is something that I can never understand.

Still, even if we disregard this 'browsing history' topic, there is a
matter of online advertisement, which is known to show banners based on
a user habits. And IMO not all children should see all these banners.

>
> If you care for security, this is one reason to prefer profiles.

If I'd care for security that much, I'd use LXC for running a browser.
Since I'm lazy, I just use a couple of accounts.

>
> Btw. somebody on this list once called it a sledgehammer and I agree,
> but if I don't use a profile, but another user then I don't care:
>
> xhost +
> gksudo -u chuser "$*"
> xhost -
> exit
>
> I still don't understand what's bad with using profiles. A profile
> doesn't have any drawback.

See above.

Reco

Archive: http://lists.debian.org/20131225110526.16137e81dbcdca35fcd68...@gmail.com
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
On Wed, 2013-12-25 at 10:15 +0400, Reco wrote:
> b) That sneaky sandbox user can override firefox with something
> like /home/user9-boxed/bin/firefox, which is bad.

Here we are again ;).

Using a profile, supported by firefox, is the easiest and securest way.

I only use another user, instead of a profile, if I need a password,
e.g. to make a history including adult content unavailable for kids.

If you care for security, this is one reason to prefer profiles.

Btw. somebody on this list once called it a sledgehammer and I agree,
but if I don't use a profile, but another user then I don't care:

    xhost +
    gksudo -u chuser "$*"
    xhost -
    exit

I still don't understand what's bad with using profiles. A profile
doesn't have any drawback.

:D
Ralf

Archive: http://lists.debian.org/1387953233.8138.86.camel@archlinux
Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
Hi.

On Wed, 25 Dec 2013 12:08:01 +0900 Joel Rees wrote:

> On Tue, Dec 24, 2013 at 9:42 PM, Reco wrote:
> > Hi.
> >
> > On Tue, 24 Dec 2013 13:29:28 +0100
> > Ralf Mardorf wrote:
> >
> >> This would lead to "Error: cannot open display: :0.0".
> >> Sure, $ xhost +; sudo -u [...] does the trick,
> >
> > No, if you do it smart way, such as (in .xsessionrc):
> >
> > xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> > xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> >
> > And configure sudo to keep $DISPLAY.
> > [...]
>
> I'm using "xhost" to do something similar, maybe the same thing? I
> described it a couple of years ago:
>
> http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
>
> I'd be interested in comments.

Result is definitely the same, although I'd use

    xhost +si:localuser:${1}

instead of

    xhost local:${1}

Not that there is much difference about it, given that Debian (or
Fedora, or any major distribution for that matter) does not ship
XSECURITY extension for a long time.

And I'd use

    sudo -H -u ${1} /usr/bin/firefox $2

instead of

    sudo -H -u ${1} firefox $2

because:

a) Without -H sudo can keep $HOME, which will force firefox to search
its profile in the different user's home (kinda beats the purpose of
sandbox, isn't it?).

b) That sneaky sandbox user can override firefox with something
like /home/user9-boxed/bin/firefox, which is bad.

What I'm curious about, is that you did not have to permit sudo to keep
$DISPLAY environment variable. Is it something that Fedora allows by
default? Because Debian surely does not (env_reset by default).

Reco

Archive: http://lists.debian.org/20131225101505.a913d65d212d52505052d...@gmail.com
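The points raised in the message above (name one local user in the xhost grant instead of a bare `xhost +`, pass `-H` to sudo, call the browser by absolute path) can be checked mechanically in a wrapper script. The following lint is an added example, not code from the thread or from any poster; the function names, finding codes and both sample wrappers are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): lint a "run the browser as another
# user" wrapper for the issues discussed above. All names are hypothetical.

# Reads a shell script on stdin and prints "<line> <FINDING>" per problem:
#   XHOST_OPEN         bare "xhost +" turns X access control off for everyone
#   SUDO_NO_H          "sudo -u USER" without -H may keep the caller's $HOME
#   SUDO_RELATIVE_CMD  command is looked up by name, not by absolute path
lint_wrapper() {
    awk '
    /^[ \t]*#/ { next }                  # skip comments and the shebang
    {
        gsub(/["\047]/, "")              # drop quotes so "$1" compares as $1
        gsub(/[;|&]/, " & ")             # make ; | & separate words
        for (i = 1; i <= NF; i++) {
            if ($i == "xhost" && $(i + 1) == "+")
                print NR, "XHOST_OPEN"
            if ($i != "sudo")
                continue
            home = 0; user = 0
            # walk the sudo options up to the command word
            for (j = i + 1; j <= NF && $j ~ /^-/; j++) {
                if ($j == "--") { j++; break }
                if ($j == "--set-home" || $j ~ /^-[A-Za-z]*H/)
                    home = 1
                if ($j ~ /^--user=/) { user = 1; continue }
                if ($j ~ /^-[A-Za-z]*u$/) { user = 1; j++ }  # skip user name
            }
            if (!user)
                continue                 # only "run as another user" calls
            if (!home)
                print NR, "SUDO_NO_H"
            if (j <= NF && $j !~ /^\//)
                print NR, "SUDO_RELATIVE_CMD"
        }
    }'
}

# Constructed sample: the permissive pattern (blanket xhost, no -H, bare name).
weak_wrapper() {
    cat <<'EOF'
#!/bin/sh
xhost +
sudo -u "$1" firefox "$2"
xhost -
EOF
}

# Constructed sample: the same wrapper with the three corrections applied.
hardened_wrapper() {
    cat <<'EOF'
#!/bin/sh
xhost "+si:localuser:$1"
sudo -H -u "$1" /usr/bin/firefox "$2"
xhost "-si:localuser:$1"
EOF
}

echo "weak wrapper:";     weak_wrapper | lint_wrapper
echo "hardened wrapper:"; hardened_wrapper | lint_wrapper
```

The lint only inspects the wrapper text; whether sudo actually resets `$HOME` or keeps `$DISPLAY` still depends on the local sudoers policy (`env_reset`, as noted in the message).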
Re: Off-topic: Gmail Grrrr.
On Tue, Dec 24, 2013 at 9:42 PM, Reco wrote:
> Hi.
>
> On Tue, 24 Dec 2013 13:29:28 +0100
> Ralf Mardorf wrote:
>
>> This would lead to "Error: cannot open display: :0.0".
>> Sure, $ xhost +; sudo -u [...] does the trick,
>
> No, if you do it smart way, such as (in .xsessionrc):
>
> xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> "cat -> /home/user1/.Xauthority"
> xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> "cat -> /home/user1/.Xauthority"
>
> And configure sudo to keep $DISPLAY.
> [...]

I'm using "xhost" to do something similar, maybe the same thing? I
described it a couple of years ago:

http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html

I'd be interested in comments.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: http://lists.debian.org/caar43iohtijp_3vjwp+xupxp+ybt1gdl+18v9u4wrjrbtfq...@mail.gmail.com
Re: Off-topic: Gmail Grrrr.
On Tue, 24 Dec 2013 15:51:25 +0100 Ralf Mardorf wrote:

> On Tue, 2013-12-24 at 15:40 +0100, Ralf Mardorf wrote:
> > On Tue, 2013-12-24 at 18:04 +0400, Reco wrote:
> > > I wrote "one runs two instances of firefox with different profiles
> >
> > and I replied that you can start your default browser with a profile
> > too. The issue you pointed out is the same for the profile approach and
> > another user account approach. If you want to open the link by the
> > browser that is intended for a special history, you need to check the
> > link for keywords, it doesn't matter what approach you use. The script
> > simply checks for one keyword to open a browser that is able to play
> > flash thingies. You can do this with many keywords and then chose a
> > browser by profile or by another account that should be opened.

Tell me, which one is more KISS:

1) Appending certain 'keywords' to a link.
2) Parsing such link.
3) Relying on a custom script.

Or, just:

Run the link in a browser for the current user account.

> > The main thing is
> >
> > - KISS
> > - a user has got no root privileges or assumed the user s admin too,
> > than it's simply nonsense to become root and too add another user.
> >
> > Sometimes it's useful to add another user and sometimes it's not.

Hardly an issue, as adding a user is done once per OS lifetime, not
each time browser starts.

> > I
> > marked it as OT, because having another account for another family
> > member is useful, but having other accounts for profiles, for different
> > work-flows is completely wrong.

No, it's completely right thing to do. Let me explain:

- You have one user with browser profile with flash plugin enabled. Any
damage that's done via flash plugin is limited to this account data.
- You have a different user with browser profile with java plugin
enabled. Again, any damage that's done via java plugin is limited to
this account data.
- You have a third user for Google Chrome, which has an interesting
habit to read files in user's $HOME for unknown reasons.
- And, you have the main account, which is allowed to run browsers with
rights of three previous users, and stripped down (no plugins, disabled
cookies and JS) browser for that clicked link.

It's basic damage control, applied in advance.

> >
> > I'm in in passing and English isn't my native language, so that you
> > missed the point of what I try to explain might be my bad.

I never pretended that I'm a native English speaker. I can understand
you good enough.

> Sometimes it's even more useful if a family does share one account with
> different settings. It belongs to the things they want to share or not
> want to share.

That's wrong thing. Would somebody think of the children ;)!
Having a different account for each family member saves one from 'who
deleted my important file' incidents, which is invaluable.

At least in my family everyone has a different account on every host I
have in my house. And people usually know (and children can be
more-or-less easily taught) about usernames/passwords. It's the 'browser
profiles' which are complete life-changing discovery for them.

Reco

Archive: http://lists.debian.org/20131224192614.0d66ca7ce95d27e16b578...@gmail.com
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 15:40 +0100, Ralf Mardorf wrote:
> On Tue, 2013-12-24 at 18:04 +0400, Reco wrote:
> > I wrote "one runs two instances of firefox with different profiles
>
> and I replied that you can start your default browser with a profile
> too. The issue you pointed out is the same for the profile approach and
> another user account approach. If you want to open the link by the
> browser that is intended for a special history, you need to check the
> link for keywords, it doesn't matter what approach you use. The script
> simply checks for one keyword to open a browser that is able to play
> flash thingies. You can do this with many keywords and then choose a
> browser by profile or by another account that should be opened.
>
> The main thing is
>
> - KISS
> - a user has got no root privileges or assumed the user is admin too,
> then it's simply nonsense to become root and to add another user.
>
> Sometimes it's useful to add another user and sometimes it's not. I
> marked it as OT, because having another account for another family
> member is useful, but having other accounts for profiles, for different
> work-flows is completely wrong.
>
> I'm in in passing and English isn't my native language, so that you
> missed the point of what I try to explain might be my bad.

PS: Sometimes it's even more useful if a family does share one account with different settings. It belongs to the things they want to share or not want to share.
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 18:04 +0400, Reco wrote:
> I wrote "one runs two instances of firefox with different profiles

and I replied that you can start your default browser with a profile too. The issue you pointed out is the same for the profile approach and another user account approach. If you want to open the link by the browser that is intended for a special history, you need to check the link for keywords, it doesn't matter what approach you use. The script simply checks for one keyword to open a browser that is able to play flash thingies. You can do this with many keywords and then choose a browser by profile or by another account that should be opened.

The main thing is

- KISS
- a user has got no root privileges or assumed the user is admin too, then it's simply nonsense to become root and to add another user.

Sometimes it's useful to add another user and sometimes it's not. I marked it as OT, because having another account for another family member is useful, but having other accounts for profiles, for different work-flows is completely wrong.

I'm in in passing and English isn't my native language, so that you missed the point of what I try to explain might be my bad.
Re: Off-topic: Gmail Grrrr.
On Tue, 24 Dec 2013 14:54:35 +0100
Ralf Mardorf wrote:

> A last note, before I go off-line for holidays.
>
> A user is allowed to add a profile, but a user needs to ask the admin to
> add a new user ;).

Ok, I've read all your contribution to the thread. Let us start with something simple.

You're writing, that there's this script that checks which browser is to run actually. Nice thing, but note that I wrote "one runs two instances of firefox with different profiles". How exactly this script should help the user to distinguish one firefox from another firefox?

> 20 profiles = 20 users and you will do all those settings instead of
> running a browser profile? This isn't the KISS principle and I prefer it
> the KISS way.

And note, it is 20 users who are unable to overwrite each other's files. Or read each other's files. KISS principle is no substitute for a basic security.

> A user is allowed to add a profile, but a user needs
> to ask the admin to add a new user ;).

Fail to see how exactly it complicates things if user and admin is the same person.

Reco
Re: Off-topic: Gmail Grrrr.
A last note, before I go off-line for holidays.

A user is allowed to add a profile, but a user needs to ask the admin to add a new user ;).
Re: Off-topic: Gmail Grrrr.
> > Sudo can be configured for passwordless access, but that's not the
> > point.
>
> That is a point, you want users to tinker with root privileges, when
> there is a better, a KISS solution that is idiotproof.

Sorry, with privileges, not root privileges. Anyway completely unneeded, and anti-KISS.
Re: Off-topic: Gmail Grrrr.
Oops, Reco wrote, not I ;).

> On Tue, 2013-12-24 at 14:35 +0100, Ralf Mardorf wrote:
> > Sudo can be configured for passwordless access, but that's not the
> > point.
>
> That is a point, you want users to tinker with root privileges, when
> there is a better, a KISS solution that is idiotproof.

Happy holidays,
Ralf
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 14:35 +0100, Ralf Mardorf wrote:
> Sudo can be configured for passwordless access, but that's not the
> point.

That is a point, you want users to tinker with root privileges, when there is a better, a KISS solution that is idiotproof.
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 16:42 +0400, Reco wrote:
> Hi.
>
> On Tue, 24 Dec 2013 13:29:28 +0100
> Ralf Mardorf wrote:
>
> > This would lead to "Error: cannot open display: :0.0".
> > Sure, $ xhost +; sudo -u [...] does the trick,
>
> No, if you do it smart way, such as (in .xsessionrc):
>
> xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> "cat -> /home/user1/.Xauthority"
> xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> "cat -> /home/user2/.Xauthority"
>
> And configure sudo to keep $DISPLAY.

20 profiles = 20 users and you will do all those settings instead of running a browser profile? This isn't the KISS principle and I prefer it the KISS way. It's not smart to make something complicated, when there is an easy solution. A lot of Linux software for good reasons provides profiles.

> > but simply using a
> > profile, Firefox options -P <profile> Start with <profile>, you
> > don't need to add another user, you don't need to type a password.
>
> Sudo can be configured for passwordless access, but that's not the
> point.
>
> Say, one runs two instances of firefox with different profiles under the
> same OS user. One also runs, say, MUA such as Evolution and clicks a
> link in this MUA. Now, the question is - which instance of firefox will
> open the link? From my experience the result is unpredictable.

The default browser could start with a profile too and take a look at my script, you even could check the link for keywords. But again, I prefer the KISS way. The default browser for some users anyway is an issue, e.g. they don't want that browser X is opened, when browser Y is running, that's why I wrote a script to help some of them, I don't need it myself:

$ cat debro
#!/bin/dash

# Name:        Debro
# Description: Use default or opened web browser
# Comment:     Launch default web browser or use already opened web browser
# Command:     /usr/local/bin/debro %u

# Default browser
default_b=qupzilla

# Alternative browsers in order of usage
browser_1=firefox
browser_2=opera
browser_3=rekonq
last_brow=google-chrome-stable

# Browser for tube websites with flash content
tube_brow=google-chrome-stable

if [ "$(id -u)" = "0" ]; then
  echo "It is not allowed to run Debro with root privileges"; exit 1
fi

echo "$*" | grep tube > /dev/null
case $? in 0) test -f /usr/bin/$tube_brow && exec $tube_brow "$*";; esac

pidof $default_b > /dev/null
case $? in 0) exec $default_b "$*";; esac

pidof $browser_1 > /dev/null
case $? in 0) exec $browser_1 "$*";; esac

pidof $browser_2 > /dev/null
case $? in 0) exec $browser_2 "$*";; esac

pidof $browser_3 > /dev/null
case $? in 0) exec $browser_3 "$*";; esac

pidof $last_brow > /dev/null
case $? in
  0) exec $last_brow "$*";;
  *) test -f /usr/bin/$default_b && exec $default_b "$*";;
esac

echo "No /usr/bin/$default_b available"
exit 1

Regards,
Ralf
Re: Off-topic: Gmail Grrrr.
Hi.

On Tue, 24 Dec 2013 13:29:28 +0100
Ralf Mardorf wrote:

> This would lead to "Error: cannot open display: :0.0".
> Sure, $ xhost +; sudo -u [...] does the trick,

No, if you do it smart way, such as (in .xsessionrc):

xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
"cat -> /home/user1/.Xauthority"
xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
"cat -> /home/user2/.Xauthority"

And configure sudo to keep $DISPLAY.

> but simply using a
> profile, Firefox options -P <profile> Start with <profile>, you
> don't need to add another user, you don't need to type a password.

Sudo can be configured for passwordless access, but that's not the point.

Say, one runs two instances of firefox with different profiles under the same OS user. One also runs, say, MUA such as Evolution and clicks a link in this MUA. Now, the question is - which instance of firefox will open the link? From my experience the result is unpredictable.

Reco
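The messages above contrast `xhost +` with handing a second account the session's cookie through `xauth`; which state a running X server is in can be read from what `xhost` prints. The following is an added example, not code from the thread: a shell function that classifies that output, plus a cookie hand-off that merges into the target user's own `.Xauthority`. The function names and verdict labels are hypothetical, the sample `xhost` output is constructed, and `share_cookie` assumes sudo permits running `sh` as the target user.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and verdict labels are
# hypothetical; the sample xhost output at the bottom is constructed.

# classify_xhost: read the text printed by `xhost` (no arguments) on stdin and
# print one verdict:
#   open         access control disabled, the state `xhost +` leaves behind
#   host-wide    some host, address family or LOCAL: entry is allowed
#   per-user     only SI:localuser: / SI:localgroup: entries are allowed
#   cookie-only  empty host list; clients must present the .Xauthority cookie
#   unknown      no recognisable status line was seen
classify_xhost() {
    seen=0 users=0 hosts=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo open; return 0 ;;
            "access control enabled"*)  seen=1 ;;
            SI:localuser:*|SI:localgroup:*) users=$((users + 1)) ;;
            "") ;;
            *) hosts=$((hosts + 1)) ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then echo unknown
    elif [ "$hosts" -gt 0 ]; then echo host-wide
    elif [ "$users" -gt 0 ]; then echo per-user
    else echo cookie-only
    fi
}

# xhost_is_restricted: succeed only when access is limited to named local
# users/groups or to cookie holders.
xhost_is_restricted() {
    case "$(classify_xhost)" in
        per-user|cookie-only) return 0 ;;
        *) return 1 ;;
    esac
}

# share_cookie USER: give USER this session's cookie for $DISPLAY by merging it
# into USER's own ~/.Xauthority (created with mode 0600 via umask), so existing
# entries survive and the server's host list stays untouched.
# Assumption: sudo allows the caller to run sh as USER; -H points HOME at
# USER's home directory and -f keeps xauth away from the caller's XAUTHORITY.
share_cookie() {
    xauth extract - "$DISPLAY" |
        sudo -u "$1" -H sh -c 'umask 077; xauth -f "$HOME/.Xauthority" merge -'
}

# Constructed sample: output after `xhost +SI:localuser:user1`.
classify_xhost <<'EOF'
access control enabled, only authorized clients can connect
SI:localuser:user1
EOF
```

On a live session, `xhost | classify_xhost` gives the verdict for the current display.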
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 16:17 +0400, Reco wrote:
> On Tue, 24 Dec 2013 13:13:26 +0100
> Ralf Mardorf wrote:
>
> > If I start Firefox with profile A, I might have cookies enabled by
> > default and the history only includes Linux links.
> >
> > When using Firefox profile B, I perhaps have cookies disabled by default
> > and the history only includes links to audio gear.
> >
> > So if I search the history for radio, I would get software related to
> > radio by profile A and service manuals, semiconductor vendors by profile
> > B, after doing research, before it was useful to decide what I should
> > bookmark.
> >
> > And again, e.g. different security settings, one profile without
> > add-ons, the other profile perhaps with 20 add-on.
>
> Ok. And how exactly using different users for these profiles limits you?
>
> What's so hard in running 'sudo -u user1 firefox' and 'sudo -u user2
> firefox'?

This would lead to "Error: cannot open display: :0.0".

Sure, $ xhost +; sudo -u [...] does the trick, but simply using a profile, Firefox options -P <profile> Start with <profile>, you don't need to add another user, you don't need to type a password.

Regards,
Ralf
Re: Off-topic: Gmail Grrrr.
On Tue, 24 Dec 2013 13:13:26 +0100
Ralf Mardorf wrote:

> If I start Firefox with profile A, I might have cookies enabled by
> default and the history only includes Linux links.
>
> When using Firefox profile B, I perhaps have cookies disabled by default
> and the history only includes links to audio gear.
>
> So if I search the history for radio, I would get software related to
> radio by profile A and service manuals, semiconductor vendors by profile
> B, after doing research, before it was useful to decide what I should
> bookmark.
>
> And again, e.g. different security settings, one profile without
> add-ons, the other profile perhaps with 20 add-on.

Ok. And how exactly using different users for these profiles limits you?

What's so hard in running 'sudo -u user1 firefox' and 'sudo -u user2 firefox'?

Reco
Re: Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 16:05 +0400, Reco wrote:
> Hi.
>
> On Tue, 24 Dec 2013 12:55:23 +0100
> Ralf Mardorf wrote:
>
> > I want to have different profiles on Linux machines to have different
> > settings, different histories without changing the user.
>
> A classic example of a 'XY problem', Ralf.
>
> What problem are you trying to solve with this approach?

If I start Firefox with profile A, I might have cookies enabled by default and the history only includes Linux links.

When using Firefox profile B, I perhaps have cookies disabled by default and the history only includes links to audio gear.

So if I search the history for radio, I would get software related to radio by profile A and service manuals, semiconductor vendors by profile B, after doing research, before it was useful to decide what I should bookmark.

And again, e.g. different security settings, one profile without add-ons, the other profile perhaps with 20 add-on.

Regards,
Ralf
Re: Off-topic: Gmail Grrrr.
Hi.

On Tue, 24 Dec 2013 12:55:23 +0100
Ralf Mardorf wrote:

> I want to have different profiles on Linux machines to have different
> settings, different histories without changing the user.

A classic example of a 'XY problem', Ralf.

What problem are you trying to solve with this approach?

Reco
Off-topic: Gmail Grrrr.
On Tue, 2013-12-24 at 08:08 +, Bonno Bloksma wrote:
> Different browser profiles is like the way Outlook (Express) on
> Windows have/had different profiles. That is a leftover from the old
> times like Windows 3, 9x, etc when there was no possibility to have
> different logins. Unix style computers have been multi user from the
> beginning, so not using that possibility to differentiate between
> users and then working around that limitation seems weird.

I want to have different profiles on Linux machines to have different settings, different histories without changing the user.

Regards,
Ralf