[PLUG] Such a thing as a "single user" Linux?
Richard Owlett
rowlett at cloud85.net
Sun Sep 28 13:02:16 UTC 2014
Rich Shepard wrote:
> On Sat, 27 Sep 2014, Richard Owlett wrote:
>
>> I have read Debian security info suggesting that all unnecessary
>> daemons/etc be deleted.
>
> In every distribution you can _disable_ services. Unlike the Microsoft
> world you don't need to delete them. Just change the mode to remove the
> executable permissions (chmod a-x <filename>) and it will no longer be
> running when you next turn on your system.
It's more a philosophical than strictly technical requirement.
Debian developers are *POWER* users and presume everyone has
terabyte storage, multi GHz multi-processors, and massive
bandwidth. I take "small is ultimate elegance" in the other
extreme. That's my motivation for investigating debootstrap and
multistrap.
>
>> I have at least three distinct use cases:
>> 0. for all cases - no known need for any "server" re internet
>> (poorly phrased)
>
> So, don't run any. If you are not providing services (httpd, ftpd, smtpd,
> etc) to other parties you just do not bring up the daemons when the system
> boots.
My major problem there is where do I find a list.
>
>> 1. my personal system - sub-cases
>> a. Maintenance mode - cf Runlevel=1
>
> What sort of maintenance? You can do everything you need (other than a
> distribution upgrade) in runlevel 3/4 (multiuser).
>
>> b. Internet - no unsolicited incoming connection
>> as yet unspecified supervision of out going connections
>> (cf COMODO on Windows)
>
> Turn off the execute bits on sshd; no one can access your network. Your
> outgoing connections should be limited to your web browser and whatever you
> use to get and send e-mail via your ISP.
>
>> c. Computer used to compute - *NO* networking _whatsoever_
>> (ME, strange? ;/ )
>
> Ya know, if there are no other hosts connected to your working desktop
> machine via wireless or Ethernet then you are not on a network. Consider the
> folks you see working on portable computers at the local Fourbucks. They're
> not networked unless they're accessing some web site via their browser. Now,
> if you are "computing" and don't want any networking, shut down your web
> browser.
It's probably not as much of a problem in Linux, but I've had
Windows programs "helpfully" call home for updates etc.
>
>> 2. system for a friend 1000 miles away
>> a. he has BSEE but no interest in computers except as a tool
>> b. his wife with a MS Education (minor in piano/organ IIRC)
>> probable use - browser, email, home office apps
>
> Have someone closer to them work with them on hardware and OS/software
> with which they feel comfortable.
In an ideal world. I've known them for ~40 years and know how
hard not to push. He is in an area of Upstate New York with a
selection of user groups and SIGs. I was going to send him a
selection of live CDs to play with. But yesterday I got an email
telling me to expect his spare laptop with implied instruction of
"fill 'er up".
>
>> 3. Church has received some computers to be used for instructional
>> purposes. We have an outreach to an inner city school across the street
>> and another outreach to adults with various needs. There is no networking
>> infrastructure. It would be wise to actively prevent internet access if
>> someone brought in a USB dongle etc. As I will likely be the one doing
>> upkeep I would prefer disabling "su" and "sudo" *COMPLETELY*. Required
>> maintenance would be running from a "modified rescue cd".
>
> If you completely disable su and sudo you cannot do any system maintenance
> unless you log in as root.
>
> To disable 'Net access do not install a wireless or other modem. Each
> machine is a stand-alone unit. It does not matter what someone plugs into
> the computer if there's no hardware connecting it to the outside world.
I'm not quite being paranoid. I'm thinking in terms of preventing
someone from using a USB Bluetooth or WiFi adapter they have
brought in.
>
>> Am I just clueless
>
> No, just beginning to learn. You might consider finding one of Carla
> Schroeder's fine books at your local library or book store. She has several
> that are great for those learning to run and use linux.
>
> Rich