Subject: Re: [gentoo-user] What's with all these "acct-group" ebuilds recently?
To: gentoo-user@lists.gentoo.org
From: james
Message-ID: <601864fe-757e-f179-99fa-6885d76dd218@verizon.net>
Date: Fri, 26 Jun 2020 16:03:35 -0400

On 6/26/20 12:38 PM, Daniel Frey wrote:
> On 6/20/20 7:04 PM, William Kenworthy wrote:
>> Thanks for filing the bug.
>
> Gah! I forgot about this!
>
> I filed a bug now, I hope I made it clear enough. Others can pipe in
> there with comments if they like.
>
> I did indicate the two potential proposals to correct the issue in the
> bug itself.
>
> https://bugs.gentoo.org/729752
>
> Dan

BEFORE I contribute to this bug, I'm posting here to see if others are or have interest, in my thoughts on this issue and my related needs for extreme security, via Gentoo. Below is far from complete, but it only provides a very few snippets of my (secure) pathway forward with Gentoo.

Interesting thread, thanks to all contributors. I'd like to add 'my selfish' interest, as they may also be espoused by other, more focused, gentoo users.

INTRO:

I rarely build gentoo systems, for many reasons, that are not pretty singularly focused. It drastically reduces security, performance and upgrade issues. For me, the days of any system, having groups or users, are in the history books of very bad ideas. uP are so cheap and less than $100, gets you a very 'bad ass' computer (Rasp. Pi 4+) 16 G map-able ram. Furthermore, SOON, usb_4 devices are going to obsolete the entire concept of a 'hard drive'; hence the death (my prediction) of groups and users on multi-USER systems, albeit slowly. Multi-function, Multi-tasking, and light weight, focused transient clusters are the future. YMMV.

So solving a problem, that was real and big, decades ago, fails to look at the future. For me, Gentoo is future proof. I suggest a well documented pathway forward; totally without the concept of groups and users, on a typical, highly secure system. Which is now the baseline for real systems, particularly with an ipv4 or ipv6 static ip, that provide focused and highly restricted functionalities.

CA servers are going private, as the public and root CA servers, are suspect, at best, as to being pristinely secure. Yes boys and girls most Certificate Authorities are HACKED! Even the main root CAs. The F. Feds are the original culprits, but now it is a feeding frenzy. The planet is now hacked, and groups and users concepts are the past. imho! Danger Will Robinson Danger!

So can some of the smarter (gentoo) folks illuminate how to totally avoid groups and users, except for the minimum required, application specific? For example like serial line tools, or outline a set of tweaks/settings to avoid these altogether?

I build embedded G. systems.
I build single purpose G systems.
I build security G. systems (often with the ethernet, in only listen mode).
I build G. Firewalls.
I build G. highly restricted/filtered servers.

NONE of those need users or groups.
And if they do, I can obfuscate codes to provide that need, to where filters and focused software gets what it needs to provide functions. Yep, I'm moving to a total 'State_Machine_design' for critical services. Strip out everything else.....

Am I alone, or have/are others contemplating such highly secure pathways? It'd be fantastic to find a kernel hacker that is on the pathway of extreme minimization too; private email is fine; if that is in your wheel_house.

curiously alone?,
James