this post was submitted on 30 Nov 2024
27 points (90.9% liked)

Linux

48668 readers
499 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

When I started linux, I heard creating seperate user accounts for specific uses only is a good step to security in linux. I haven't tried it but after seeing concerns regarding some game launchers snooping around the os, I am trying to see how hard will it be to not let them. I only know the basics of user creation through GUI.

I wont be running games by the way, but I want to have this knowledge of user accounts in linux as a linux security enthusiast. I just want to create a user account where only apps or packages will run with no root access or access to outside its home folder. Even installing apps or packages should not require root to install and must be installed in that home folder and not /usr/bin or /lib. Should be like sandbox environment. I have complete control of permisions and processes of the app. Dont say about flatpak or virtual machines, not talking about that here, just plain old linux.

Note that I am not doing this out of paronoia but as a security enthusiast. I have heard about firejail, SE linux, and WhonixOS but just scratched the surface of it.

How should I do this? I need some sources to read all about linux user accounts.

you are viewing a single comment's thread
view the rest of the comments
[–] jbloggs777@discuss.tchncs.de 8 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I have two apparmor profiles targeting shell scripts, which can run other programs. One is "audit" (permissive with logging) and the other is "safe" (enforcing).

The safe profile still has a lot of read access, but not to any directories or files with secrets or private data. Write access is only to the paths and files it needs, and I regularly extend it.

For a specific program that should have very restricted network access, I have some iptables (& ip6tables) rules that only apply to a particular gid, and I have a setgid wrapper script.

Note: This is all better than nothing, but proper segregation would be better. Running things on separate PCs, VMs or even unpriviliged containers.

[–] LifeLemons@lemmy.ml 1 points 3 weeks ago (1 children)

I have heard a lot of this apparmor but don't know anything about it. I know the name explains it, but what is it exactly? What does it do?

Also you say as if creating profiles and users are different? Isn't creating user accounts same as creating a new profile in linux, or am I confusing with profiles which are in apparmor?

Would appreciate some articles and tutorials regarding apparmor

[–] jbloggs777@discuss.tchncs.de 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

An apparmor profile is associated with an executable, based on its filesystem path. I think distributions tend to support either SELinux or Apparmor, but some (like Arch) support both.

Apparmor profiles are easier to reason about than SELinux, I find.

[–] nanook@friendica.eskimo.com 3 points 3 weeks ago

@jbloggs777 @LifeLemons While it's true distributions tend to choose apparmor or selinux by default (apparmor in the case of debian derived OS's and selinux in the case of Redhat derived OS's), all four are actually supported by the kernel and most distros include all in their repositories it's just that those come installed by default.