From: Jack
Subject: Re: [gentoo-user] What's with all these "acct-group" ebuilds recently?
To: gentoo-user@lists.gentoo.org
Date: Fri, 26 Jun 2020 16:36:24 -0400
In-Reply-To: <601864fe-757e-f179-99fa-6885d76dd218@verizon.net>

On 2020.06.26 16:03, james wrote:
> On 6/26/20 12:38 PM, Daniel Frey wrote:
>> On 6/20/20 7:04 PM, William Kenworthy wrote:
>>> Thanks for filing the bug.
>>
>> Gah! I forgot about this!
>>
>> I filed a bug now, I hope I made it clear enough. Others can pipe in
>> there with comments if they like.
>>
>> I did indicate the two potential proposals to correct the issue in
>> the bug itself.
>>
>> https://bugs.gentoo.org/729752
>>
>> Dan
>
> BEFORE I contribute to this bug, I'm posting here to see if others
> are interested in my thoughts on this issue and my related needs for
> extreme security via Gentoo. Below is far from complete; it only
> provides a few snippets of my (secure) pathway forward with Gentoo.
>
> Interesting thread, thanks to all contributors. I'd like to add 'my
> selfish' interest, as it may also be espoused by other, more focused,
> Gentoo users.
>
> INTRO:
>
> I rarely build Gentoo systems that are not pretty singularly focused,
> for many reasons. It drastically reduces security, performance and
> upgrade issues. For me, the days of any system having groups or
> users are in the history books of very bad ideas. uPs are so cheap
> that less than $100 gets you a very 'bad ass' computer (Rasp. Pi 4+)
> with 16 G of mappable RAM. Furthermore, SOON, usb_4 devices are going
> to obsolete the entire concept of a 'hard drive'; hence the death (my
> prediction) of groups and users on multi-USER systems, albeit slowly.
>
> Multi-function, multi-tasking, and lightweight, focused transient
> clusters are the future. YMMV.
>
> So solving a problem that was real and big decades ago fails to look
> at the future. For me, Gentoo is future proof. I suggest a well
> documented pathway forward, totally without the concept of groups and
> users, on a typical, highly secure system. That is now the baseline
> for real systems, particularly those with an IPv4 or IPv6 static IP,
> that provide focused and highly restricted functionalities. CA servers
> are going private, as the public and root CA servers are suspect, at
> best, as to being pristinely secure. Yes, boys and girls, most
> Certificate Authorities are HACKED! Even the main root CAs.
>
> The F. Feds are the original culprits, but now it is a feeding
> frenzy. The planet is now hacked, and the groups and users concepts
> are the past. imho! Danger Will Robinson Danger!
>
> So can some of the smarter (Gentoo) folks illuminate how to totally
> avoid groups and users, except for the minimum required, application
> specific ones? For example, serial line tools. Or outline a set of
> tweaks/settings to avoid these altogether?
>
> I build embedded G. systems. I build single purpose G. systems. I
> build security G. systems (often with the ethernet in listen-only
> mode). I build G. firewalls. I build G. highly restricted/filtered
> servers. NONE of those need users or groups. And if they do, I can
> obfuscate codes to provide that need, to where filters and focused
> software get what they need to provide functions.
>
> Yep, I'm moving to a total 'State_Machine_design' for critical
> services. Strip out everything else.....
>
> Am I alone, or are others contemplating such highly secure pathways?
> It'd be fantastic to find a kernel hacker that is on the pathway of
> extreme minimization too; private email is fine, if that is in your
> wheel_house.
>
> curiously alone?,
> James

While you may not be alone, I do believe you're in a rather small
group. There are probably more who are interested in watching it
progress than who can actually participate and contribute. And while
what you propose may well be part of the future, and it may even be a
large part of it, it won't be so anywhere near soon enough to avoid the
need to continue to improve current systems, even if the improvements
are only usability related, and not directly related to security. This
current issue is nothing more than an annoyance, but it's a major
annoyance for many Gentoo users, possibly more so for the more casual
users. (Is "casual Gentoo user" an oxymoron?) As the bug proposes,
there are ways of solving it without decreasing security.

Jack