On Thu, Oct 24, 2024 at 12:17:25PM -0600, nisp1953 wrote:
> On Thu, Oct 24, 2024 at 11:32 AM Anon Loli <anonl...@autistici.org> wrote:
> >
> >
> > OpenBSD does not do compartmentalization like many would love..
> > OpenBSD is not QubesOS.
> > The 1st time I heard of pledge/unveil, I thought the same thoughts,
>
> <Snip>
>
> > In my eyes, OpenBSD is not a secure OS, but that is only because I have
> > needs
> > that OpenBSD developers don't deem worthy to fuss over, such as:
> > - anything sensitive or required to exist, on /home/*,
>
> I solved this problem. I created a user account that cannot log into
> root.(it's not in group wheel).
> I changed the directory and file permissions on my regular user account:
> find . -type d -exec chmod 750 {} \;
> find . -type f -exec chmod 640 {} \;
> Any that need execute bits I go back and chmod them.
> Look, here are commands issued from the guest account, where the Go
> modules are downloaded
> (cleetus is my regular login):
> $ ls /home/cleetus
> ls: /home/cleetus/: Permission denied
> $ cd /home/cleetus
> ksh: cd: /home/cleetus - Permission denied
>
> So that guest account is kind of like a sand box.
> I can login to 2 accounts at the same time on my OpenBSD. I do
> Fn+Alt+Ctl +F2 say and I get a
> login at an xterm. I don't need an X window system to write and compile code.
> EMACS or Vi will do just fine.
What I meant by compartmentalization is not account separation, but
compartmentalization for every program.
There are many many things that a program knows about your computer, including
BUT NOT LIMITED TO:
- what programs you have installed
- what programs you have running
- how frequently and how long you use which programs
- what you use those programs for
- when you run those programs
- dmesg and other hardware information
- hardware access (but thankfully in OpenBSD mic and cam access are denied by
default)
- keylogging
- your IP address amongst other networking-related info (this is more for
anonymity concerns though)
- again, I consider everything sensitive, especially my /home/*
There is probably a 2x list of things a program can know about you without
having to get root access.
One needs root access usually only to modify core stuff, but one can destroy
someone's life easily without root, like the xz source-attack almost defeated
the purpose of open-source software ;).
Of course that source-attack did not work for OpenBSD, but my guess is that
it's only because the attacker wasn't targeting OpenBSD.
The more SLOC you have, the bigger chance is that there is evil hidden
somewhere.
All you need sometimes is 1 sneaky line amongst thousands, and sometimes even
millions SLOC.
Imaigne if we all used same core hardware, imagine the amount of issues that
would simply parish.
IMAGINE THAT!
Why am I mentioning that? Because I heard that like 70% of OpenBSD codebase is
hardware compatibility and what-not...
Probably also has to do something with why the Linux kernel has probably over
70 000 000 SLOC by now.
I don't think that even Linus Torvalds understands his own project anymore.
I once upon a time ran a project that had 10 000 SLOC. I knew where what was
and what it did only because I wrote it (copying some code or writing my
own - doesn't matter, it all went trough my hands).
I can't imagine understanding someone else's 10 000 SLOC project... mostly
because I am not experienced in studying other people's projects, but I think
that you get my idea?
BLOAT is everywhere.
I'm sorry if you people think that there is a OS secure (while still usable)
enough out there... but then you cry about xz-like attacks, or spread your legs
to the privacy-invasive programs which are too bloated to be audited *COUGH
COUGH* ALL MODERN WEB BROWSERS!!!!!!!!!!!!!!!
Try auditing source code of Mozilla Firefox ;)))))))))))
It will take half a lifetime just downloading all of it's garbage!
Try auditing Vim.
Yes - I'm saying that supporting most if not all of legacy hardware is bad for
software projects because in theory the source code just continues to grow,
because the time is a constant move onwards.
--
Anon Loli
#########
This mortal strives for omnisciency. Some tags: perfectionist, minimalist,
researcher, scientist, philosopher, developer, autist, anarchist, data hoarder,
99 other tags and interests.
I am always up for conversing as long as you meet these requirements:
1. Use PGP encryption for all data shared,
2. Use a open source operating system, NOT Windows, NOT MacOS,
3. Have a open mind - are ready to let go of any and all imperfect views on
anything, if they are.
Let's change this world for the better, one action at a time
########################
<anonl...@autistici.org>
signature.asc
Description: PGP signature
