On Fri, Jun 26, 2020 at 4:03 PM james <gar...@verizon.net> wrote: > > So can some of the smarter (gentoo) folks illuminate how to totally > avoid groups and users, except for the minimum required, application > specific? For example like serial line tools, or outline a set of > tweaks/setting to avoid these altogether? >
IMO if extra security is your goal then if anything you want to have MORE use of users rather than less. Everything should be least privilege, and usually that means having separate UIDs for everything, and then layering on stuff like namespaces/SELinux/capabilities/etc on top of that to further tailor things. Of course the more config you have like this, the more there is to audit. However, you also have to consider the failure mode. When you have layers of security and some layer fails, chances are that the failure still results in more containment than what you would have had if you didn't build the layers in the first place. Now, one thing that would result in fewer UIDs is installing less stuff. Maybe that is what you're getting at, and of course reducing the attack surface is a good thing. However, keep in mind that a UID in /etc/passwd doesn't actually do anything if no process runs with that UID - it is just a line in a text file. So, having a uucp group when no processes have access to it doesn't really cause issues. Removing the group doesn't actually make things more secure, because processes can use a gid even if it doesn't exist in /etc/groups. Effectively any POSIX system has every uid/gid available even if there is no /etc/passwd at all. -- Rich
