> Finally the vast majority of Linux systems are single user.  That means
> Android phones/tablets and desktop PCs running GNOME, KDE, etc.
> There is no need to compromise init.

systemd takes care of Linux containers which provide or can provide user/application separation. A flaw in this leaves you with a false sense of security, in case you use it.

That is actually quite critical.

After all, I still have not come up with something explaining Linux containers and security as clearly as the jail(8) manpage states:

http://www.freebsd.org/cgi/man.cgi?query=jail&apropos=0&sektion=0&manpath=FreeBSD+10.1-RELEASE&arch=default&format=html

The best I could fined so far is http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security

and it gives me the impression: Do not rely on Linux containers, you have to add other measures to make it safe (no root user, SELinux, capabilities etc.)

There is nothing wrong with adding additional layers, of course. But the basic design is maybe not as good if I have to rely on these additions.

Until now I am not convinced to have a similar clear process separation as I have with FreeBSD's jail. Which makes Docker containers a bit of a gamble I am not willing to take if it comes to security.

(Additional comment very welcome.. at the moment I just don't know better)

Things like this are quite scary: http://www.zdnet.com/article/dropbox-google-drive-onedrive-files-man-cloud-attack/#ftag=RSSbaffb68

"The attack works by grabbing the password token, a small file that sits on a user's devices for convenience (which saves the user from entering their password each time)."

Taking away 'convenience' (yes, it is convenient for attackers to have access to private keys without a password;-)

.. this is easily preventable if you run a DropBox service (or whatever) in the jail and other apps as well, and there is a clear separation of data for all services running.

So, we (technicians) know how to do it.. Question: Why does it not work that way?

Regards
Peter


On Sun, Aug 9, 2015 at 3:32 PM, Russell Coker <russell@coker.com.au> wrote:
On Sat, 8 Aug 2015 05:14:21 PM Rick Moen wrote:
> > Open Source is the only chance not to lose privacy forever, and the
> > biggest player, Linux, has crucial software replaced by a quite unruly
> > mob. It will make it quiet hard to implement light-weight and safe IT
> > solutions.
>
> Snowden showed we've been far too complaisant about critical
> infrastructure security.  The only way I know to improve that situation
> is attending to fundamentals:  excess complexity/functionality, excess
> privilege, unnecessary trust, unnecessary code, lack of enforced policy,
> lack of well-planned and documented functionality and interconnections,
> default-permit, lack of alert monitoring, lack of roles with planned and
> defined rights.

What Snowden showed us is that too many people have been too complacent about
the political process.  Politics matters and the big 2 parties (in the US,
here, and other places) don't offer the answers.  The "lesser of 2 evils" will
still support spying.

The Snowden revelations have included little about OS level compromise and a
lot about compromise of hardware that the vast majority of Linux users
(including me) don't have the skill to oppose.

Finally the vast majority of Linux systems are single user.  That means
Android phones/tablets and desktop PCs running GNOME, KDE, etc.  There is no
need to compromise init.  As much as people like to complain about systemd
being supposedly bloated it's a tiny fraction of the size of any desktop
environment and has much less interaction with the outside world.  A hostile
party who compromises your MUA or web browser (both of which routinely and
predictably process data from potentially hostile sources on the Internet) can
probably do all the damage that they want to do to your system without root
access.

If a hostile party wants to gain root access to your PC what they will
probably do is compromise your MUA or web browser and then try a local root
exploit.  The Linux kernel is much larger than systemd and has many more
interfaces to sources of hostile data.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main