02-15-2011, 11:57 AM
Roberto Ragusa

concurrent users

On 02/14/2011 03:01 PM, Tim wrote:
> Roberto Ragusa:
>> That is simple. If a program runs as a different user, it simply
>> does not have access to your main user data (e.g. firefox bookmarks
>> or cookies, saved email, and all your documents).
>
> Doesn't equate with the description of the other user having "lower"
> permissions, though. The description (lower permissions, bigger
> security) engenders the notion of different types of users, that Windows
> uses (ordinary lowly users, power users, admins, etc.).
>
> Running as some other user will still have the same ability to do bad
> stuff as yourself could do. So I wouldn't call it an increased
> "security" thing.

You are right. That user has not lower permissions from a system
point of view; it certainly has "lower permissions" to access
personal data, so the "bigger security" is just in relation to personal
data.

--
Roberto Ragusa mail at robertoragusa.it
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
02-15-2011, 12:50 PM
Tim

concurrent users

Tim:
>> Running as some other user will still have the same ability to do bad
>> stuff as yourself could do. So I wouldn't call it an increased
>> "security" thing.

Roberto Ragusa:
> You are right. That user has not lower permissions from a system
> point of view; it certainly has "lower permissions" to access
> personal data, so the "bigger security" is just in relation to
> personal data.

But will it even achieve that? Much of what's /lost/ over the net is
through your web browser. So if you always browse as user 2, any breach
is likely to get all the stuff (user 2 did) that you were hoping to keep
safe.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
02-15-2011, 04:37 PM
Roberto Ragusa

concurrent users

On 02/15/2011 02:50 PM, Tim wrote:
> Tim:
>>> Running as some other user will still have the same ability to do bad
>>> stuff as yourself could do. So I wouldn't call it an increased
>>> "security" thing.
>
> Roberto Ragusa:
>> You are right. That user has not lower permissions from a system
>> point of view; it certainly has "lower permissions" to access
>> personal data, so the "bigger security" is just in relation to
>> personal data.
>
> But will it even achieve that? Much of what's /lost/ over the net is
> through your web browser. So if you always browse as user 2, any breach
> is likely to get all the stuff (user 2 did) that you were hoping to keep
> safe.

Maybe you are thinking of personal data with the meaning of cookie tracking,
personal information and so on.

I'm referring to personal files.
For example, if my chat program is running as a special user, a
potential remote vulnerability of the "read this file" kind will
not be able to read my inbox or browser cookies or .bash_history or
any other thing I have on the main user.

On the contrary, a special "banking" account means there is a browser
which is only used to connect to the bank. This means that there is never
another window or tab executing dubious javascript while I'm using the bank.
Add that for that account there are no Firefox extensions installed (which I
could consider not entirely trustable), no Flash, Java, or PDF plugins.

I usually create a specific user if I have to run closed source
stuff.

What I'm doing would probably be addressed by containers and sandboxes, but
the Unix user model is well known and tested.
Android is actually pushing this concept to "each app is a user" and things
to be shared are shared by using group permissions. Very clean.

--
Roberto Ragusa mail at robertoragusa.it
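
An added example, not part of the thread: a check of the premise discussed above, that a program running as a separate account cannot read the main user's files. It inspects mode bits only and assumes the separate account shares no group with the owner and that no POSIX ACLs are set; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def _mode(dirpath, name):
    # lstat: symlinks are reported as links and therefore never listed
    return os.lstat(os.path.join(dirpath, name)).st_mode

def exposed_to_other_users(home):
    """Return sorted relative paths of regular files under `home` that a
    local account outside the owner's groups could open for reading."""
    exposed = []
    # Without o+x on the top directory nothing beneath it is reachable.
    if not os.stat(home).st_mode & stat.S_IXOTH:
        return exposed
    for dirpath, dirnames, filenames in os.walk(home):
        # Prune subdirectories "other" cannot traverse. o+x without o+r
        # still counts: well-known names like .bash_history need no listing.
        dirnames[:] = [d for d in dirnames if _mode(dirpath, d) & stat.S_IXOTH]
        for name in filenames:
            mode = _mode(dirpath, name)
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                full = os.path.join(dirpath, name)
                exposed.append(os.path.relpath(full, home))
    return sorted(exposed)

def build_sample_home(top_mode):
    """Constructed sample tree standing in for the main user's home."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "Mail"))
    layout = {".bash_history": 0o644, "notes.txt": 0o600,
              os.path.join("Mail", "inbox"): 0o644}
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, "Mail"), 0o700)
    os.chmod(home, top_mode)
    return home

if __name__ == "__main__":
    for top in (0o711, 0o700):
        print(oct(top), exposed_to_other_users(build_sample_home(top)))
```

A home directory with mode 0711 hides its listing but still exposes any world-readable file whose name can be guessed, while 0700 on the top directory closes off everything beneath it regardless of the individual file modes.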