public inbox for gentoo-user@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] What's with all these "acct-group" ebuilds recently?
Date: Fri, 26 Jun 2020 16:40:09 -0400
Message-ID: <CAGfcS_mkiAi38+YYkUwmWoYxDnQ3hJBhadFbswTrsx+crJ7VuQ@mail.gmail.com>
In-Reply-To: <601864fe-757e-f179-99fa-6885d76dd218@verizon.net>

On Fri, Jun 26, 2020 at 4:03 PM james <garftd@verizon.net> wrote:
>
> So can some of the smarter (gentoo) folks illuminate how to totally
> avoid groups and users, except for the minimum required, application
> specific? For example like serial line tools, or outline a set of
> tweaks/setting to avoid these altogether?
>

IMO if extra security is your goal then if anything you want to have
MORE use of users rather than less.  Everything should be least
privilege, and usually that means having separate UIDs for everything,
and then layering on stuff like namespaces/SELinux/capabilities/etc on
top of that to further tailor things.

Of course the more config you have like this, the more there is to
audit.  However, you also have to consider the failure mode.  When you
have layers of security and some layer fails, chances are that the
failure still results in more containment than what you would have had
if you didn't build the layers in the first place.

Now, one thing that would result in fewer UIDs is installing less
stuff.  Maybe that is what you're getting at, and of course reducing
the attack surface is a good thing.  However, keep in mind that a UID
in /etc/passwd doesn't actually do anything if no process runs with
that UID - it is just a line in a text file.  So, having a uucp group
when no processes have access to it doesn't really cause issues.
Removing the group doesn't actually make things more secure, because
processes can use a gid even if it doesn't exist in /etc/groups.
Effectively any POSIX system has every uid/gid available even if there
is no /etc/passwd at all.

-- 
Rich
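A check for the point made above (a passwd entry is inert unless some process actually runs with that UID), as an added example that is not part of the thread: it compares the accounts in a passwd-format text against the real UIDs of running processes taken from /proc/<pid>/status, using constructed sample data so it runs offline; live_audit() applies the same comparison to the real /etc/passwd and /proc on a Linux box.

```python
import glob

def parse_passwd(text):
    """Map username -> numeric UID from passwd-format lines (name:x:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users

def real_uids(status_texts):
    """Real UID of each process: first number on the 'Uid:' line of /proc/<pid>/status."""
    uids = set()
    for text in status_texts:
        for line in text.splitlines():
            if line.startswith("Uid:"):
                uids.add(int(line.split()[1]))
                break
    return uids

def audit(passwd_text, status_texts):
    """Return (dormant account names, orphan UIDs): entries with no process, processes with no entry."""
    users = parse_passwd(passwd_text)
    active = real_uids(status_texts)
    dormant = sorted(name for name, uid in users.items() if uid not in active)
    orphans = sorted(active - set(users.values()))
    return dormant, orphans

def live_audit():
    """Same check against the real /etc/passwd and /proc (Linux only)."""
    statuses = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as f:
                statuses.append(f.read())
        except OSError:  # process exited between glob and open
            pass
    with open("/etc/passwd") as f:
        return audit(f.read(), statuses)

# Constructed sample data: three accounts and two /proc/<pid>/status snippets.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
sshd:x:22:22:sshd:/var/empty:/sbin/nologin
"""
SAMPLE_STATUS = [
    "Name:\tinit\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    "Name:\tdaemon\nUid:\t65534\t65534\t65534\t65534\nGid:\t65534\t65534\t65534\t65534\n",
]
```

On the sample data, uucp and sshd are dormant (no process runs as them) and 65534 is an orphan UID running fine with no passwd entry, which is the behaviour the message describes.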

