Re: concurrent users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/15/2011 02:50 PM, Tim wrote:
> Tim:
>>> Running as some other user will still have the same ability to do bad
>>> stuff as yourself could do.  So I wouldn't call it an increased
>>> "security" thing.
> 
> Roberto Ragusa:
>> You are right. That user has not lower permissions from a system
>> point of view; it certainly has "lower permissions" to access
>> personal data, so the "bigger security" is just in relation to
>> personal data.
> 
> But will it even achieve that?  Much of what's /lost/ over the net is
> through your web browser.  So if you always browse as user 2, any breach
> is likely to get all the stuff (user 2 did) that you were hoping to keep
> safe.

Maybe you are thinking to personal data with the meaning of cookie tracking,
personal information and so on.

I'm referring to personal files.
For example, if my chat program is running as a special user, a
potential remote vulnerability of the "read this file" kind will
not be able to read my inbox or browser cookies or .bash_history or
any other thing I have on the main user.

On the contrary, a special "banking" account means there is a browser
which is only used to connect to the bank. This means that there is never
another window or tab executing dubious javascript while I'm using the bank.
Add that for that account there are no Firefox extensions installed (which I
could consider not entirely trustable), no Flash, Java, or PDF plugins.

I usually create a specific user if I have to run closed source
stuff.

What I'm doing would probably be addressed by containers and sandboxes, but
the Unix user model is well known and tested.
Android is actually pushing this concept to "each app is a user" and things
to be shared are shared by using group permissions. Very clean.

-- 
   Roberto Ragusa    mail at robertoragusa.it
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux