On 26 June 2020 22:03:35 CEST, james <gar...@verizon.net> wrote:
>On 6/26/20 12:38 PM, Daniel Frey wrote:
>> On 6/20/20 7:04 PM, William Kenworthy wrote:
>>> Thanks for filing the bug. 
>> 
>> Gah! I forgot about this!
>> 
>> I filed a bug now, I hope I made it clear enough. Others can pipe in 
>> there with comments if they like.
>> 
>> I did indicate the two potential proposals to correct the issue in the
>> bug itself.
>> 
>> https://bugs.gentoo.org/729752
>> 
>> Dan
>
>BEFORE I contribute to this bug, I'm posting here to see if others are
>or have interest, in my thoughts on this issue and my related needs for
>extreme security, via Gentoo. Below is far from complete, but it only
>provides a very snippets of my (secure) pathway forward with Gentoo.
>
>Interesting thread, thanks to all contributors. I'd like to add 'my 
>selfish' interest, as they also be espoused by other, more focused, 
>gentoo users.
>
>INTRO:
>
>I rarely build gentoo systems, for many reasons, that are not pretty 
>singularly focused. It drastically reduces security, performance and 
>upgrade issues. For me, the days of any system, having groups or
>users, are in the history books of very bad ideas. uP are so cheap and
>less than $100, gets you a very 'bad ass' computer (Rasp. Pi 4+) 16 G
>map-able ram. Furthermore, SOON, usb_4 devices are going to obsolete the
>entire concept of a 'hard drive'; hence the death (my prediction) of
>groups and users on multi-USER systems, albeit slowly.
>
>Multi-function, Multi-tasking, and light weight, focused transient 
>clusters are the future. YMMV.
>
>
>So solving a problem, that was real and big, decades ago, fails to look
>at the future. For me, Gentoo is future proof. I suggest a well
>documented pathway forward; totally without the concept of groups and
>users, on a typical, highly secure system. Which is now the baseline for
>real systems, particularly with an ipv4 or ipv6 static ip, that provide
>focused and highly restricted functionalities. CA servers are going
>private, as the public and root CA servers, are suspect, at best, as to
>being pristinely secure. Yes boys and girls most Certificate Authorities
>are HACK! Even the main root CAs.
>
>The F. Feds are the original culprits, but now it is a feeding frenzy. 
>The planet is now hacked, and groups and users concepts are the past. 
>imho! Danger Will Robinson Danger!
>
>So can some of the smarter (gentoo) folks illuminate how to totally 
>avoid groups and users, except for the minimum required, application 
>specific? For example like serial line tools, or outline a set of 
>tweaks/setting to avoid these altogether?
>
>I build embedded G. systems. I build single purpose G systems. I build
>security G. systems (often with the ethernet, in only listen mode). I
>build G. Firewalls.
>I build G. highly restricted/filtered servers. NONE of those need users
>or groups. And if they do, I can obfuscate codes to provide that need,
>to where filters and focused software gets what it needs to provide
>functions.
>
>Yep, I'm moving to a total 'State_Machine_design' for critical services.
>Strip out every thing else.....
>
>Am I alone, or have/are others contemplating such high secure pathways?
>
>It'd be fantastic to find a kernel hacker that is on the pathway of
>extreme minimization too; private email is fine; if that is in your 
>wheel_house.
>
>
>curiously alone?,
>James

James,

Doesn't this imply that all the software and people interacting with the 
systems all have root-level access?

One of the reasons MS systems were so vulnerable in the past was because they 
did not support separated users. It's also still a problem with a lot of legacy 
systems.

As long as more than 1 person can access the system, separate users and 
groups/ACLs are necessary.

Can you explain how having no users makes a system more secure?

--
Joost