marc wrote:
>> For me security refers primarily to file access. This takes me back to
>> my question. If I create a new user, named zoom for example, and have
>> it run zoom, won't that limit access to files on my HD?
>
> Yes, under two conditions:
>
> - your other users (holding confidential data) have more restrictive
>   permissions on their directories (chmod 700 ~)
>
> - the application won't try a local privilege escalation exploit
>   (kernel or CPU bug, or even back door).
>
An additional layer of security would be for users to have encrypted home folders. Somehow I managed that on my ascii machine, but I'm not seeing the --encrypt-home option in adduser now. With encrypted home, as long as the user is not logged in, other users (even root) will not have access to useful data.

Or, instead of encrypting home, you could only encrypt sensitive data, and make sure it's not currently unencrypted while using the new user and zoom.

As a side note, this is one thing that drove me away from systemd. On the previous distro I used, I noticed that I could log on userA (with encrypted home), then log off userA, and userA's home folder remained mounted unencrypted until reboot. This was one of the first things I tested for functionality in Devuan -- and it does what I expected it to do: when logging off, the unencrypted home is unmounted.

Not that I have anything to hide. Seriously, if someone were to confiscate or clone my hardware and manage to break the encryption, they would be very puzzled why I bothered to do so. :-)

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
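One way to check the two points raised in this thread, the `chmod 700 ~` condition and an encrypted home that stays mounted after logout (an added example, not part of either poster's message). It assumes homes sit directly under the directory given and that the encrypted home appears as an ecryptfs mount; the function names and `sample_mounts` data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits the two points made in the message above.

# Print home directories under $1 that group or others can read or enter,
# i.e. homes that do not meet the "chmod 700 ~" condition.
loose_homes() {
    for h in "$1"/*; do
        [ -d "$h" ] && [ ! -L "$h" ] || continue
        case $(ls -ld "$h") in
            d???------*) ;;                 # owner-only, e.g. mode 700
            *) printf '%s\n' "$h" ;;
        esac
    done
}

# Read a mount table (format of /proc/mounts) on stdin and print users whose
# ecryptfs home (assumed mount type) is still mounted although they are not
# in $1, a space-separated list of logged-in users.
stale_encrypted_homes() {
    awk -v users="$1" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) on[u[i]] = 1 }
        $3 == "ecryptfs" && split($2, p, "/") == 3 && p[2] == "home" {
            if (!(p[3] in on)) print p[3]
        }' | sort -u
}

# Constructed sample mount table, not captured from a real system.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/userA/.Private /home/userA ecryptfs rw,nosuid,nodev 0 0
/home/.ecryptfs/userB/.Private /home/userB ecryptfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample: userB is logged in, userA has logged off.
sample_mounts | stale_encrypted_homes "userB zoom"

# On a live system:
#   loose_homes /home
#   stale_encrypted_homes "$(who | cut -d' ' -f1 | sort -u | tr '\n' ' ')" < /proc/mounts
```

Mode bits are only part of the picture: ACLs or a world-readable file elsewhere on disk are outside what `loose_homes` checks.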