wtf is snort messing up with my notes?
shadow
npub19ukt...h9k5
linux user account isolation. remove /usr/bin permissions for the specified user only
set default as no permissions for new files (a default acl on the directory, so files added later, eg by package upgrades, get the deny entry too):
sudo setfacl -d -m u:untrusted:--- /usr/bin
remove all permissions from all existing files (quote the path; -type f skips symlinks such as shutdown -> systemctl, but the target systemctl gets denied, which covers them):
find /usr/bin/ -type f | while read -r f; do sudo setfacl -m u:untrusted:--- "$f"; done
whitelist what you need (-x drops the user's entry, so the normal mode bits apply again):
sudo setfacl -x u:untrusted /usr/bin/ls
caveat: this only blocks the files in /usr/bin. the user can still run its own binaries and scripts, so it raises the bar, it is not a sandbox.
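the same three steps as one script, added here as an example and not part of the original note: it sets the default acl, denies every regular file in the directory, then whitelists the names given on the command line. DRY_RUN=1 is an assumption added so the script can be exercised without root or setfacl; the run wrapper just prints the privileged commands in that mode.

```shell
#!/bin/sh
# Deny one user access to every binary in a directory with POSIX ACLs, then whitelist a few.
# Usage: lockdown_user USER DIR [NAME...]      e.g. lockdown_user untrusted /usr/bin ls cat
# DRY_RUN=1 prints the privileged commands instead of running them (added for testing).

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    sudo "$@"
  fi
}

lockdown_user() {
  user=$1
  dir=$2
  shift 2

  # 1. default ACL: files created in the directory later (package upgrades) inherit the deny entry
  run setfacl -d -m "u:${user}:---" "$dir"

  # 2. deny every existing regular file; the quoted glob keeps paths with spaces intact.
  #    symlinks (shutdown -> systemctl) are skipped: setfacl would follow them, and the
  #    target gets its own deny entry in this loop anyway.
  for f in "$dir"/*; do
    if [ -f "$f" ] && [ ! -L "$f" ]; then
      run setfacl -m "u:${user}:---" "$f"
    fi
  done

  # 3. whitelist: -x removes the user's entry so the normal mode bits (r-x for others) apply again
  for name in "$@"; do
    run setfacl -x "u:${user}" "$dir/$name"
  done
}
```

check the result with `getfacl /usr/bin/systemctl` (it should list `user:untrusted:---`) and `sudo -u untrusted /usr/bin/systemctl` (permission denied). the whitelist step removes the entry rather than granting r-x, so a whitelisted binary is governed by its normal mode bits exactly as before.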
thoughts about linux user isolation
/usr/bin/ contains too much: all of it is stuff an isolated user can mess with by default
should we apply a whitelist to all system binaries to achieve good isolation?
an isolated user should not be able to touch things that control the overall system, eg power control (note that shutdown is only a symlink, so a deny acl has to land on systemctl):
$ ls -la /usr/bin/ | grep shutdown
lrwxrwxrwx 1 root root shutdown -> systemctl
i guess these nvidia drivers really don't like wayland
got this nice blinking line at the center of the screen
some additions
#wayland
- need to figure out how to manage packages. install as root or do some custom thing to install as user
- some glitches when running a wayland window within another wayland session:
--> eg. need to adjust power settings. the sub wayland window can adjust things like screen brightness, power settings...
--> currently some issues with scrolling behaviour, eg in gedit, mousepad
--> some issues with the url bar in firefox
many of these issues may be solved if i can spawn the new wayland session in a separate tty.
lxc
- when using x2goclient, there is no clipboard isolation by default
if you run sensitive applications on your os alongside user accounts of different security levels, the isolation might not be as good as you think.
basically, the user running the graphical ui is the most critical one. if it gets compromised, every account you switch to from that session may be compromised, even root.
on linux systems, sudo and su are not a boundary against the session you type them in: whatever can read your keyboard input in that session can capture the password.
for example, things to consider:
- is the filesystem safe? which accounts have read and/or write permissions to which files and directories?
- is user input safe? what permissions are needed to install a keylogger? user level or root level?
- is the clipboard safe? what permissions are needed to read and/or write the clipboard? (your copy-paste privacy)
- is the screen safe? what permissions are needed to record the screen or take a screenshot?
linux isolation options for these situations are in my previous note
keep your login session safe: make untrusted accounts sub-accounts, and make sure they don't share insecure systems like x11. wayland may be ok.
reasonably secure #linux app #isolation. here are the options.
#wayland
BEST OPTION for many situations
pros:
- x11 issue(s) fixed
--> input isolation
--> clipboard isolation
- gpu acceleration
- easy setup on a wayland host
cons:
- not virtual machine level isolation. eg filesystem and network are shared with the host
howto:
run wayland session as another user:
sudo runuser -l user2 -c 'mkdir -p ~/.cache/run; chmod 0700 ~/.cache/run && XDG_RUNTIME_DIR=~/.cache/run DISPLAY=:0 dbus-run-session -- startplasma-wayland'
(mkdir -p so a second start does not fail on the existing dir; the runtime dir must be 0700 and owned by user2. the nested compositor connects to the host display :0, so user2 needs to be allowed onto it, eg with xhost +SI:localuser:user2 from the host session)
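two checks for the questions from the previous note (is input safe, is the clipboard safe), added here as an example and not part of the original note: the runtime dir of the nested wayland session must be 0700 and owned by the session user (the xdg spec requires it, and any account that can open the wayland socket inside it can inject input and read the clipboard), and the host x11 sockets in /tmp/.X11-unix should not be connectable by the untrusted account. assumes GNU stat (-c); the socket directory is the conventional default.

```shell
#!/bin/sh
# Posture checks for running an untrusted account next to your GUI session (added example).
# Assumes GNU stat. Every check returns 0 = passed / condition true, 1 = otherwise.

# mode_of PATH: octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# owner_uid PATH: numeric uid of the owner
owner_uid() { stat -c '%u' "$1"; }

# runtime_dir_private DIR: XDG_RUNTIME_DIR must be 0700 and owned by the calling user (XDG spec).
# another account that can open the wayland-0 socket in it talks to the compositor as if it were you.
runtime_dir_private() {
  [ -d "$1" ] || return 1
  [ "$(mode_of "$1")" = "700" ] || return 1
  [ "$(owner_uid "$1")" = "$(id -u)" ] || return 1
}

# others_can_connect PATH: 0 if the "other" bits include write, which is what connect() on a unix socket needs
others_can_connect() {
  [ -e "$1" ] || return 1
  case $(mode_of "$1") in
    *[2367]) return 0 ;;   # last octal digit has the write bit set
    *) return 1 ;;
  esac
}

# x11_exposed [DIR]: 0 if any X server socket in DIR is connectable by other local users.
# a connectable socket alone is not a keylogger yet: the other account also needs a cookie
# (XAUTHORITY or xhost +SI:localuser:...), but this is the door the xinput attack walks through.
x11_exposed() {
  dir=${1:-/tmp/.X11-unix}
  for s in "$dir"/X*; do
    [ -S "$s" ] || continue
    if others_can_connect "$s"; then return 0; fi
  done
  return 1
}

# audit DIR: human-readable summary for the runtime dir of a session plus the host X11 sockets
audit() {
  if runtime_dir_private "$1"; then
    echo "ok: $1 is private (0700, owned by $(id -un))"
  else
    echo "FAIL: $1 is not 0700 or not owned by $(id -un)"
  fi
  if x11_exposed; then
    echo "WARN: a host X11 socket is connectable by other local users"
  else
    echo "ok: no X11 socket connectable by other local users"
  fi
}
```

run `audit "$XDG_RUNTIME_DIR"` from the main session and, as user2, `audit ~/.cache/run` inside the nested session. the x11 check is deliberately about reachability only; whether user2 can actually authenticate to :0 is decided by the cookie or xhost grant, which is exactly the thing the howto above hands out.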
#lxc
works, ui possible with x2goserver, x2goclient
pros:
- separate filesystem and network (container isolation; the kernel is still shared with the host, so not quite vm level)
- linux distro can vary from host. eg install ubuntu on a manjaro host
cons:
- difficulties. eg ubuntu cannot install packages with the default configuration because snapd doesn't work as expected
- gpu passthrough is difficult, cannot even play youtube above 480p without dropping frames
#x11, different user
DO NOT USE
cons:
- by default isolation does not work
- a keylogger can be installed (see xinput) with standard user permissions!
do not expect any isolation, nor su/sudo security