Anon, I thought you had gotten off the mailing list of this insecure OS.

On Sat, 26 Oct 2024 at 02:25 Anon Loli
<anonl...@autistici.org> wrote:
>
> On Thu, Oct 24, 2024 at 12:17:25PM -0600, nisp1953 wrote:
> > On Thu, Oct 24, 2024 at 11:32 AM Anon Loli <anonl...@autistici.org> wrote:
> > >
> > >
> > > OpenBSD does not do compartmentalization like many would love..
> > > OpenBSD is not QubesOS.

Use QubesOS.
Hmm, can any expert here explain why isolation by using virtualization
is not secure?
Perhaps the answer is "if you can't write secure OS how can you write
secure virtualization software", but Anon Loli would reject that...

> > > The 1st time I heard of pledge/unveil, I thought the same thoughts,
> >
> > <Snip>
> >
> > > In my eyes, OpenBSD is not a secure OS, but that is only because I have needs
> > > that OpenBSD developers don't deem worthy to fuss over, such as:
> > > - anything sensitive or required to exist, on /home/*,
> >
> > I solved this problem. I created a user account that cannot log into
> > root (it's not in group wheel).
> > I changed the directory and file permissions on my regular user account:
> > find . -type d -exec chmod 750 {} \;
> > find . -type f -exec chmod 640 {} \;
> > Any that need execute bits I go back and chmod them.
> > Look, here are commands issued from the guest account, where the Go
> > modules are downloaded (cleetus is my regular login):
> > $ ls /home/cleetus
> > ls: /home/cleetus/: Permission denied
> > $ cd /home/cleetus
> > ksh: cd: /home/cleetus - Permission denied
> >
> > So that guest account is kind of like a sand box.
> > I can log in to 2 accounts at the same time on my OpenBSD. I do
> > Fn+Alt+Ctl+F2, say, and I get a login at an xterm. I don't need an X
> > window system to write and compile code.
> > EMACS or Vi will do just fine.
>
> What I meant by compartmentalization is not account separation, but
> compartmentalization for every program.

Programs are compartmentalized - they are unveiled. Even chromium does
not have access to any directory but your download directory and some
selected files in /etc, and full access to /tmp.

Are you talking about running distributed binaries without pledge
and unveil? Don't do that. And mount every partition noexec.

> There are many many things that a program knows about your computer, including
> BUT NOT LIMITED TO:

I will see if chromium can do this stuff. Correct me if these problems
aren't solved by pledge or unveil.

> - what programs you have installed
no. unveil solved this issue

> - what programs you have running
> - how frequently and how long you use which programs
yes. Chromium has the ps promise.

> - what you use those programs for
no

> - when you run those programs
yes

> - dmesg and other hardware information
> - hardware access (but thankfully in OpenBSD mic and cam access are denied by
>     default)
no hardware access -> no graphic

> - keylogging
X's issue. Agreed that it is mitigated on Qubes.

> - your IP address amongst other networking-related info (this is more for
>     anonymity concerns though)
> - again, I consider everything sensitive, especially my /home/*
no. chromium does not have access to /home/*

>
> There is probably a 2x list of things a program can know about you without
> having to get root access.
> One needs root access usually only to modify core stuff, but one can destroy
> someone's life easily without root, like the xz source-attack almost defeated
> the purpose of open-source software ;).

Not the threat for OpenBSD developers.

> Of course that source-attack did not work for OpenBSD, but my guess is that
> it's only because the attacker wasn't targeting OpenBSD.
>
> The more SLOC you have, the bigger chance is that there is evil hidden
> somewhere.

I think you'd better shut up and try to remove the "bloat code" of OpenBSD.
You think you are Kongming, but you are still anonymous... ahaha

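As an added example (not part of this thread, and not anyone's posted commands), here is a POSIX shell script that applies the 750/640 tightening nisp1953 describes above to a constructed throwaway tree, keeping the execute bit on files that already had it instead of fixing them up by hand afterwards, and then audits the tree with find for any entry still accessible to "other". The directory layout, file names and modes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. It reproduces the 750/640 tightening
# described on a constructed directory tree, keeping the execute bit on
# files that already had it, and then audits the result.
set -eu

# Apply the scheme to one home directory: 750 on directories and on files
# that were already owner-executable, 640 on everything else.
lock_down_home() {
    find "$1" -type d -exec chmod 750 {} \;
    find "$1" -type f -perm -100 -exec chmod 750 {} \;
    find "$1" -type f ! -perm -100 -exec chmod 640 {} \;
}

# Audit: print how many entries under $1 still grant read, write or
# execute/traverse permission to "other". 0 means nothing is reachable by
# an account (such as a guest login) outside the owner's group.
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Build a throwaway tree with deliberately loose modes (constructed sample;
# the names are made up, not taken from anyone's system).
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/src/go/pkg/mod" "$home/.ssh"
    printf 'secret\n' > "$home/.ssh/id_ed25519"
    printf '#!/bin/sh\necho hi\n' > "$home/src/build.sh"
    printf 'package main\n' > "$home/src/go/main.go"
    chmod 755 "$home" "$home/src" "$home/src/go" "$home/src/go/pkg" \
              "$home/src/go/pkg/mod" "$home/.ssh"
    chmod 644 "$home/.ssh/id_ed25519" "$home/src/go/main.go"
    chmod 755 "$home/src/build.sh"
    printf '%s\n' "$home"
}

# Demo when run directly: 9 world-accessible entries before, 0 after.
home=$(make_sample_home)
echo "before: $(count_world_accessible "$home") world-accessible entries"
lock_down_home "$home"
echo "after:  $(count_world_accessible "$home") world-accessible entries"
rm -rf "$home"
```

The audit only inspects mode bits, so it is the same whoever runs it; the `ls: Permission denied` shown in the thread is the view from the other account once these modes are in place. Group permissions stay at 750/640 on purpose, so anyone who shares the user's primary group still gets read access; put the guest account in a different group if that is not wanted.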