
Re: system-homed coming at ya suckers

From Eli the Bearded <*@eli.users.panix.com>
Newsgroups alt.os.linux, comp.os.linux.misc
Subject Re: system-homed coming at ya suckers
Date 2020-12-11 23:19 +0000
Organization Some absurd concept
Message-ID <eli$2012111817@qaz.wtf> (permalink)
References <24f0a08cd2d4684a7b101f5019eebb1a@dizum.com> <i3he68F78vvU1@mid.individual.net> <rr0l68$gf8$1@dont-email.me> <op.0vhdnnl6a3w0dxdave@hodgins.homeip.net>

Cross-posted to 2 groups.



In comp.os.linux.misc, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
> The user still has to be able to login before any attempt to mount their home
> directory happens.
> 
> The system admin still has full control over what mount options are used. With
> untrusted users, simply use nosuid, nodev, noexec for their home directories.

Yeah, nosuid and nodev are vital, otherwise instant "ownership" of the
mounting computer: suid is easy to escalate; dev is harder, but doable,
since a /dev/mem equivalent or filesystem device file would permit
nastiness.

As for noexec, that's harsh, and does it even work? I've not played with
that mount option, but I suspect it just makes running things a little
harder. Normal "it's an executable" bit is ignored on regular file
systems if you explicitly provide the interpreter. This is well-known
for scripts, "python3 foo.py" type stuff, but works for binaries, too:

    $ cp /bin/cat /tmp
    $ chmod 444 /tmp/cat
    $ /lib64/ld-linux-x86-64.so.2 /tmp/cat --help
    Usage: /tmp/cat [OPTION]... [FILE]...
    Concatenate FILE(s) to standard output.

    With no FILE, or when FILE is -, read standard input.

    [...]

I haven't really looked at the homed proposal, so I don't know even what
problem it is supposed to solve. I do know that I've seen _so_ _many_
different (and many hacky) fixes for home directories on large
installations.

$WORK uses automounted NFS on legacy servers and puppet controlled
minimal home directories on newer stuff. The NFS ones cause the usual
NFS problems, such as accidental file clobbering (of eg .history type
files) when logged into multiple places at once, and delayed login when
NFS has issues. The puppet ones are all separate directories, local to
the particular computers, and only files named in puppet exist until
you create new ones. It's good for syncing aliases, shell scripts, and
SSH keys, but won't scale well to including actual compiled programs,
since they'd have to be included in the git repo.

Previous places I've been have used no syncing at all, directories
created upon first login (subject to failure when that daemon has
issues), no user directories at all (not unreasonable, but vim has
started to ship with ugly configs if you don't have any .vimrc / .exrc),
and only SSH keys handled by system config management.

I've evolved my personal config so that I can copy a single two kilobyte
.profile over and upon login it creates my other "critical" personal
configuration files if they don't exist.

Elijah
------
the minimal vimrc is five lines
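A defender-side check for the mount options discussed in this exchange, written as an added example and not taken from the post: it reads lines in /proc/mounts format and reports any mount at or below a home prefix that lacks nosuid, nodev or noexec. The sample entries and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: audit mount entries (in /proc/mounts
# format) and report any mount at or below PREFIX that lacks one of the
# three options recommended upthread for untrusted users' home directories.
# Usage: audit_mounts PREFIX < /proc/mounts
# Prints one line per offending mount and returns 1 if any were found.
audit_mounts() {
    prefix=$1
    bad=0
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts dump pass; do
        case "$mnt" in
            "$prefix" | "$prefix"/*) ;;    # at or below the prefix
            *) continue ;;
        esac
        missing=""
        for want in nosuid nodev noexec; do
            # wrap in commas so "nodev" cannot match inside another option
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s (%s) missing:%s\n' "$mnt" "$fstype" "$missing"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample in /proc/mounts format; not captured from a real host.
SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
nfs1:/export/home /home nfs4 rw,nosuid,nodev,noexec,relatime 0 0
nfs1:/export/home/alice /home/alice nfs4 rw,nosuid,relatime 0 0
/dev/sdb1 /srv/homes ext4 rw,nodev 0 0'

# Number of offending mounts under PREFIX in the sample (used by the checks).
count_offenders() {
    printf '%s\n' "$SAMPLE" | audit_mounts "$1" | wc -l | tr -d ' '
}

# Run against the sample; on a live box use: audit_mounts /home < /proc/mounts
printf '%s\n' "$SAMPLE" | audit_mounts /home || echo "home mounts need attention"
```

As the ld.so demonstration in the post shows, noexec on its own does not stop a file from being run, so treat a missing noexec as a hygiene finding; nosuid and nodev are the options that close the escalation routes Elijah describes.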
