On Thu, Oct 10 2024 at 05:36:25 PM +02:00:00, Lennart Poettering
wrote:
I wished Fedora would focus more on making Measured Boot by default a
thing (other distros are working towards that, for example SUSE has
been investing in that), but Fedora is not precisely leading in this
effort right now.
On Fri, 2024-10-11 at 09:43 +0200, Lennart Poettering wrote:
> On Thu, 10.10.24 17:22, Simo Sorce (s...@redhat.com) wrote:
>
> > On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > > On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> > >
> > > >
> > >
> > > This was again
On Thu, 10.10.24 17:22, Simo Sorce (s...@redhat.com) wrote:
> On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> >
> > >
> >
> > This was again a reference to the fact that IPA folks aren't willing
> > to restrict their allo
On Thu, 10 Oct 2024, Stephen Gallagher wrote:
On Thu, Oct 10, 2024 at 5:23 PM Simo Sorce wrote:
On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
>
> >
>
> This was again a reference to the fact that IPA folks aren't willi
On Thu, Oct 10, 2024 at 5:23 PM Simo Sorce wrote:
>
> On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> >
> > >
> >
> > This was again a reference to the fact that IPA folks aren't willing
> > to restrict their allocations
On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
>
> >
>
> This was again a reference to the fact that IPA folks aren't willing
> to restrict their allocations to some reasonable UID range, as
> mentioned elsewhere in this
On Wed, 09.10.24 20:17, Fedora Development ML (devel@lists.fedoraproject.org)
wrote:
> On 09.10.24 at 17:12, Simo Sorce wrote:
> > > Hence I am very curious where you think the security issues are?
> > Sorry, I did not mean in any way to imply there are open security issues
> > with systemd-homed,
On Wed, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> > I am pretty sure the security model is a lot cleaner than anything the
> > sssd/IPA world would do, because we lock disk encryption to user
> > provided credentials, FIDO2/PKCS#11 and such, and can suspend the home
> > dir's encryption
On Wed, Oct 9, 2024 at 2:19 PM Kilian Hanich via devel <
devel@lists.fedoraproject.org> wrote:
> On 09.10.24 at 17:12, Simo Sorce wrote:
> >> Hence I am very curious where you think the security issues are?
> > Sorry, I did not mean in any way to imply there are open security issues
> > with syste
On 09.10.24 at 17:12, Simo Sorce wrote:
Hence I am very curious where you think the security issues are?
Sorry, I did not mean in any way to imply there are open security issues
with systemd-homed, I meant only that we need to analyze the security
assumptions in the context of making this a defa
On Tue, 2024-10-08 at 17:57 +0200, Lennart Poettering wrote:
> On Mon, 07.10.24 12:59, Simo Sorce (s...@redhat.com) wrote:
>
> > > The homed approach would make other things possible too. For example,
> > > sharing of /home in dual-boot scenarios. Right now a manual setup
> > > needs to be done, an
> On 9 Oct 2024, at 10:04, Zbigniew Jędrzejewski-Szmek
> wrote:
>
> On Tue, Oct 08, 2024 at 06:14:29PM +0100, Barry Scott wrote:
>>> On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek
>>> wrote:
>>>
>>> Hi folks,
>>>
>>> I was recently doing a bunch of test reinstalls of Fedora [1],
>>>
On Tue, Oct 08, 2024 at 06:14:29PM +0100, Barry Scott wrote:
> > On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek
> > wrote:
> >
> > Hi folks,
> >
> > I was recently doing a bunch of test reinstalls of Fedora [1],
> > looking to see if it's complicated to retain the user directories
> > dur
On Tue, 08.10.24 22:21, Chris Murphy (li...@colorremedies.com) wrote:
> >> And at least on my setup with many read-only snapshots in
> >> ~/, permissions changes wouldn't be permitted, even by the root
> >> user.
> >
> > Not sure I grok what you are trying to say here?
>
> Read-only snapshot conten
On Wed, 09.10.24 09:59, Lennart Poettering (mzerq...@0pointer.de) wrote:
> That said, for compat with traditional subuid/subgid as per the table
> on https://systemd.io/UIDS-GIDS the UID/GID range 524288…1879048191 is
> mapped 1:1 on homed homes, thus if you use those things work as
> before.
Just
On Tue, 08.10.24 11:42, Chris Adams (li...@cmadams.net) wrote:
> Once upon a time, Lennart Poettering said:
> > Oh, that hasn't been the case for a long time anymore. Nowadays files
> > on disk are owned by the "nobody" user always, and idmapped mounts are
> > used to map them transiently to the U
On Tue, 08.10.24 12:46, Stephen Gallagher (sgall...@redhat.com) wrote:
> I suspect you're talking past one another here; in practice, IPA has a
> random set of ID ranges that (IIRC) essentially owns the ID space of
> 10,000 - 2,010,000. (It's possible for the installer to set an
> arbitrary range o
On Tue, Oct 8, 2024, at 1:14 PM, Barry Scott wrote:
> I like the idea of being able to reinstall and keep the /home.
> But I'd rather not use systemd-homed to get the feature.
It's an explicit feature request for the new installer's "Guided" partitioning
path. The current UI (also for Fedora 4
On Tue, Oct 8, 2024, at 11:59 AM, Lennart Poettering wrote:
> On Mon, 07.10.24 20:55, Chris Murphy (li...@colorremedies.com) wrote:
>
>> And at least on my setup with many read-only snapshots in
>> ~/, permissions changes wouldn't be permitted, even by the root
>> user.
>
> Not sure I grok what yo
> On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek
> wrote:
>
> Hi folks,
>
> I was recently doing a bunch of test reinstalls of Fedora [1],
> looking to see if it's complicated to retain the user directories
> during a reinstall. The answer is, sadly, that it's possible only with
> some
On Tue, Oct 8, 2024 at 12:35 PM Lennart Poettering wrote:
>
> On Tue, 08.10.24 12:23, Stephen Gallagher (sgall...@redhat.com) wrote:
>
> > On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering
> > wrote:
> > >
> > > On Tue, 08.10.24 18:07, Fedora Development ML
> > > (devel@lists.fedoraproject.org)
Once upon a time, Lennart Poettering said:
> I am pretty sure all files inside of a home dir should carry the same
> selinux label, identifying it as a user's file.
That's incorrect, as there are a variety of restricted things, starting
as basic as SSH keys and authorized hosts.
--
Chris Adams
On Tuesday 8 October 2024 17:07:53 BST Kilian Hanich via devel wrote:
> On 08.10.24 at 17:32, Lennart Poettering wrote:
>
> > For example, I am fundamentally opposed to the model
> > these systems generally pursue of turning UID numbers into centrally,
> > organization-wide managed concepts.
>
>
Once upon a time, Lennart Poettering said:
> Oh, that hasn't been the case for a long time anymore. Nowadays files
> on disk are owned by the "nobody" user always, and idmapped mounts are
> used to map them transiently to the UID/GID assigned to the user on
> the local machine.
How do rootless co
On Tue, 08.10.24 12:23, Stephen Gallagher (sgall...@redhat.com) wrote:
> On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering
> wrote:
> >
> > On Tue, 08.10.24 18:07, Fedora Development ML
> > (devel@lists.fedoraproject.org) wrote:
> >
> > > On 08.10.24 at 17:32, Lennart Poettering wrote:
> > > >
On Tue, 08.10.24 09:24, Neal Gompa (ngomp...@gmail.com) wrote:
> On Tue, Oct 8, 2024 at 9:22 AM Michael Catanzaro
> wrote:
> >
> > On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
> > wrote:
> > > Changing a default like this is not something to do lightly IMHO.
> >
> > I'm interested in
On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering wrote:
>
> On Tue, 08.10.24 18:07, Fedora Development ML (devel@lists.fedoraproject.org)
> wrote:
>
> > On 08.10.24 at 17:32, Lennart Poettering wrote:
> > > For example, I am fundamentally opposed to the model
> > > these systems generally pursu
On Tue, 08.10.24 18:07, Fedora Development ML (devel@lists.fedoraproject.org)
wrote:
> On 08.10.24 at 17:32, Lennart Poettering wrote:
> > For example, I am fundamentally opposed to the model
> > these systems generally pursue of turning UID numbers into centrally,
> > organization-wide managed c
On Mon, 07.10.24 14:15, Alexander Bokovoy (aboko...@redhat.com) wrote:
> > > https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
> > > No follow up happened on that, sadly.
> > >
> > > I do not see any work done on that yet. Without having SELinux support
> > > properl
On 08.10.24 at 17:32, Lennart Poettering wrote:
For example, I am fundamentally opposed to the model
these systems generally pursue of turning UID numbers into centrally,
organization-wide managed concepts.
Wait a second, some organizations have more than 70k people (and in this
day and age, the
On Mon, 07.10.24 20:55, Chris Murphy (li...@colorremedies.com) wrote:
> > What happens if there are conflicts of uid or gid ?
>
> uid/gid are recursively changed at mount time to avoid
> conflicts. For large homes, this could result in a lot of metadata
> writes.
Oh, that hasn't been the case for
On Mon, 07.10.24 12:59, Simo Sorce (s...@redhat.com) wrote:
> > The homed approach would make other things possible too. For example,
> > sharing of /home in dual-boot scenarios. Right now a manual setup
> > needs to be done, and login details need to be propagated each time,
> > but with homed, du
On Sat, 05.10.24 10:53, Alexander Bokovoy (aboko...@redhat.com) wrote:
> > The homed approach would make other things possible too. For example,
> > sharing of /home in dual-boot scenarios. Right now a manual setup
> > needs to be done, and login details need to be propagated each time,
> > but wit
On Mon, 07.10.24 20:42, Chris Murphy (li...@colorremedies.com) wrote:
> > You should be able to combine the three sources of users freely
> > without problems – if you like. But these three sources of user
> > definitions should be on similar footing, and not try to abstract each
> > other.
> >
> >
On Tue, 2024-10-08 at 08:22 -0500, Michael Catanzaro wrote:
> On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
> wrote:
> > Changing a default like this is not something to do lightly IMHO.
>
> I'm interested in systemd-homed because we currently have no other
> plausible path towards en
On Tue, Oct 8, 2024 at 9:22 AM Michael Catanzaro wrote:
>
> On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
> wrote:
> > Changing a default like this is not something to do lightly IMHO.
>
> I'm interested in systemd-homed because we currently have no other
> plausible path towards encryp
On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
wrote:
Changing a default like this is not something to do lightly IMHO.
I'm interested in systemd-homed because we currently have no other
plausible path towards encryption of user data by default [1] (since
use of LUKS full-disk encry
On Mon, Oct 7, 2024, at 12:59 PM, Simo Sorce wrote:
> What happens if I plug a disk into a laptop that sports a "homed"
> directory, will the laptop suddenly allow a stranger to just login into
> the machine?
No, the account needs to be allowed by that machine's admin.
>
> What happens if ther
On Mon, Oct 7, 2024, at 7:12 AM, Lennart Poettering wrote:
> On Fri, 04.10.24 11:20, Neal Gompa (ngomp...@gmail.com) wrote:
>
>> > The primary purpose of systemd-homed is to use per-user encryption
>> > using loopback devices. This still has various problems related to
>> > resizing and suspend. Wo
On Sat, 2024-10-05 at 07:36 +, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:
> > The common use case for this is the Fedora laptop user which in nearly every
> > case is going to have one local user account.
> >
> > I have always split /ho
On Sat, 05.10.24 05:50, Neal Gompa (ngomp...@gmail.com) wrote:
> > > So from my point of view, homed *should not* be incompatible with this
> > > use-case, even though it currently is.
> >
> > I would just use normal users for that case. This functionality is
> > not going away and there would be n
On Fri, 04.10.24 13:20, Neal Gompa (ngomp...@gmail.com) wrote:
> On Fri, Oct 4, 2024 at 11:36 AM Zbigniew Jędrzejewski-Szmek
> wrote:
> >
> > On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> > > When this was first explored a few years ago, the main problem that
> > > came up was that
On Mon, 07 Oct 2024, Zdenek Pytela wrote:
On Mon, Oct 7, 2024 at 12:36 PM Alexander Bokovoy
wrote:
On Sun, 06 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
>On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
>> Can we move systemd-homed configuration and activation into somethin
On Fri, 04.10.24 11:20, Neal Gompa (ngomp...@gmail.com) wrote:
> > The primary purpose of systemd-homed is to use per-user encryption
> > using loopback devices. This still has various problems related to
> > resizing and suspend. Work is being done [see 3,4 for recent developments],
> > but it's no
On Mon, Oct 7, 2024 at 12:36 PM Alexander Bokovoy
wrote:
> On Sun, 06 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
> >On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
> >> Can we move systemd-homed configuration and activation into something
> >> that could be explicitly enabled
On Sun, 06 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
Can we move systemd-homed configuration and activation into something
that could be explicitly enabled by the administrators? Whether this is
done during installation or pos
On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
> Can we move systemd-homed configuration and activation into something
> that could be explicitly enabled by the administrators? Whether this is
> done during installation or post, it still would need to be a conscious
> step made b
On Sat, Oct 5, 2024 at 3:45 AM Zbigniew Jędrzejewski-Szmek
wrote:
>
> On Fri, Oct 04, 2024 at 01:20:40PM -0400, Neal Gompa wrote:
> > It's fairly normal these days that the users are self-contained and
> > otherwise local, *except* for login credentials. This use-case is
> > important to support b
On Sat, 05 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:
The common use case for this is the Fedora laptop user which in nearly every
case is going to have one local user account.
I have always split /home from the rest of the syste
On Fri, Oct 04, 2024 at 01:20:40PM -0400, Neal Gompa wrote:
> It's fairly normal these days that the users are self-contained and
> otherwise local, *except* for login credentials. This use-case is
> important to support because this is pretty much how business laptops
> need to work.
>
> In the l
On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:
> The common use case for this is the Fedora laptop user which in nearly every
> case is going to have one local user account.
>
> I have always split /home from the rest of the system and I know others do
> as well. I would rather s
On Fri, Oct 4, 2024 at 11:36 AM Zbigniew Jędrzejewski-Szmek
wrote:
>
> On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> > When this was first explored a few years ago, the main problem that
> > came up was that homed is functionally incompatible with centralized
> > login systems (SSS
On 10/4/24 11:05, Zbigniew Jędrzejewski-Szmek wrote:
Hi folks,
I was recently doing a bunch of test reinstalls of Fedora [1],
looking to see if it's complicated to retain the user directories
during a reinstall. The answer is, sadly, that it's possible only with
some manual tinkering. This is a
On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> When this was first explored a few years ago, the main problem that
> came up was that homed is functionally incompatible with centralized
> login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
> then it would make sense
On Fri, Oct 4, 2024 at 11:05 AM Zbigniew Jędrzejewski-Szmek
wrote:
>
> Hi folks,
>
> I was recently doing a bunch of test reinstalls of Fedora [1],
> looking to see if it's complicated to retain the user directories
> during a reinstall. The answer is, sadly, that it's possible only with
> some ma
Hi folks,
I was recently doing a bunch of test reinstalls of Fedora [1],
looking to see if it's complicated to retain the user directories
during a reinstall. The answer is, sadly, that it's possible only with
some manual tinkering. This is a known problem [2].
With a little bit of trickery, Anac