
#1 2020-09-13 05:41:52

solskog
Member
Registered: 2020-09-05
Posts: 407

[SOLVED] Single user vs multi user approach?

I am the only human user on an Arch system, but I still prefer to run each
application with a dedicated user name space that shares a common .Xauthority file.

$ pstree -pT
systemd─┬─dbus-daemon(dbus)
        ├─login(user1)──startx───xinit─┬─twm
        │                              └─Xorg
        ├─ntpd(ntp)───ntpd
        ├─polkitd(polkitd)
        ├─rtkit-daemon(rtkit)
        ├─systemd(user1)─┬─(sd-pam)
        │                ├─at-spi-bus-laun
        │                └─pulseaudio───gsettings-helpe
        ├─urxvt(user1)───bash───pstree
        ├─urxvt(user2)───bash
        ├─firefox-bin(user3)─┬─Web Content

As you can see, each of user{1,2,3} controls its own process branch. My questions: is this
way really safer than using a single user approach? What if I am on a multi-user
system where other human users share the same system? Will this approach be safer then?

Last edited by solskog (2020-09-15 13:39:48)


#2 2020-09-13 06:32:55

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [SOLVED] Single user vs multi user approach?

It's safer in that it allows you to prevent processes (malware) run by user1 from accessing the data (and memory, but see https://wiki.archlinux.org/index.php/Se … race_scope which /is/ restricted by default) of processes belonging to user2,3,… i.e. on the bottom line your mail program cannot access all the porn in your browser cache.
This is somewhat weakened by the shared X11 server, because one X11 client can take a lot of control over other X11 clients on the same server, e.g. your WM is really just another X11 client - nothing special about it, but it manipulates other windows. Try xdotool to see how you can take control over the input, and of course you also have access to the selection buffers (clipboard).

There's no benefit in a multi-user environment, your brother should™ be locked away from your user1 just as much and not any less as from user2,3,…

On the flipside, this is very cumbersome and awkward, so you might be inclined to make it a bit more comfortable by automating user switches, avoiding having to enter passwords, sharing a $HOME with loose permissions, etc. etc… this is typically the step where you open your system to the world.

=> What is the attack vector you seek to close by this measure?
Are you willing to accept the additional discomfort for this precaution?

If you want to isolate potential malware, a virtual environment is going to offer you much more protection, since it will typically aim to exploit bugs to elevate its access to the system.


#3 2020-09-13 07:44:24

solskog
Member
Registered: 2020-09-05
Posts: 407

Re: [SOLVED] Single user vs multi user approach?

> on the bottom line your mail program cannot access all the porn in your browser cache.

This is not exactly my mitigation purpose, but it's good to know though. :)
Here is my purpose:
I am running a KVM host with Xorg, not Wayland yet. From there I spawn several VMs to run some services like NFS, ntpd etc. I feel pretty secure with all the VMs being isolated in this manner. But the KVM host is the weak point due to Xorg, just as you stated in your answer. I could run the KVM host headless, but I couldn't manage to pass through my Nvidia graphics card to a VM guest with the full power of its proprietary driver's hardware decoding. The current Nouveau doesn't support it, so far as I could manage.

Hence the isolation idea comes up. I could manage to type the password once only and run the rest of the login session through gnupg agent, sudo -u and setsid --fork with a different tty, still using the same login session but without switching user accounts. The only concern I have is that X11 clients like firefox could be "phoning home" to a remote user, who would thereby have access to my filesystem.

Yes, I am willing to accept the additional mitigation effort.

Last edited by solskog (2020-09-14 04:07:23)


#4 2020-09-13 14:10:05

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [SOLVED] Single user vs multi user approach?

> I spawn several VM to run some services like NFS, ntpd etc

Why? Do you expose those services to the WAN (or another hostile context)?

> due to Xorg

Any vulnerability related to X11 will not be mitigated by different UIDs that share the same X11 server.

> X11 clients like firefox could "phoning home" by a remote user there by have access to my filesystem

FF running on the host?
Since you're (presumably) opening only the VMs to the WAN, the attacker would have to escape the VM and at that moment would have access to the user that runs the VM (which you want to isolate and restrict).
If your ipfilter is broken and the traffic remains in the host, but no service is listening on the relevant port, nothing will happen.

If your only concern is actually unrelated to the above and just that a malicious (cross site) script could gain access to ~/not/porn/for/later through your browser, that would of course be a massive browser bug (exposing the local FS), but yes: running FF as a UID different from your main user would provide further mitigation (because there would have to be a massive bug in FF and the filesystem/kernel at the same time).
(It's actually exactly the mail ./. porn cache thing ;-)


#5 2020-09-13 15:59:36

solskog
Member
Registered: 2020-09-05
Posts: 407

Re: [SOLVED] Single user vs multi user approach?

> Why? Do you expose those services to the WAN (or another hostile context)?

Yes, a camera and video streaming content (hobby projects) can be accessed via a WAN HTTPS service, with password protection of course. Only IPv4 for now; what do you think about opening the HTTPS port on IPv6? Other services like NFS are only towards the LAN.

> FF running on the host?

Yes, that's the compromise I had to make due to being unable to pass through the GPU. I could set up a squid proxy inside a VM and forward traffic to the host FF instead; would this be safer? I don't play games, so there is no need to pass through the GPU to a Windows VM. But I do some hobby HEVC transcoding
which requires the full power of the GPU/CPU.

> Since you're (presumingly) opening only the VMs to the WAN the attacker would have to escape the VM and at that moment would have access to the user that runs the VM (which you want to isolate and restrict)

Yes, I use an unprivileged user to control the VM. But here is another concern: since I use the virtiofsd service, which passes through a portion of the host filesystem to the VM for file sharing, I don't know if malware could do any harm on the filesystem which panics FUSE user/kernel space.

> If your ipfilter is broken and the traffic remains in the host, but no service is listening on the relevant port, nothing will happen.

The host has no services open towards LAN/WAN.

> running FF as a UID different from your main user would provide further mitigation

Hence the purpose of my isolation idea. Do you think apparmor/selinux is a preferred way to protect a KVM host?

Last edited by solskog (2020-09-13 16:00:49)


#6 2020-09-13 20:09:24

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [SOLVED] Single user vs multi user approach?

> Do you think apparmor/selinux is a preferred way to protect KVM host?

You're probably looking for https://wiki.archlinux.org/index.php/Firejail - the advantage of those solutions over user separation is more fine-grained control and better scalability - maintaining a dozen UIDs for a dozen programs is probably quite a PITA. Also you get more eyes on pre-configured black/whitelists.


#7 2020-09-14 01:43:04

solskog
Member
Registered: 2020-09-05
Posts: 407

Re: [SOLVED] Single user vs multi user approach?

Before looking into the firejail+apparmor solution I just wanted to share my little experience about managing a multi user approach. The key is you don't have to! For each application you create a one-time UID/GID and give it the least privilege to run the application and die with it. You can even do this with the password locked and nologin replacing the shell. At the end of the day, only two user UIDs remain. One is the unprivileged login UID that controls your login session, Xorg and WM, and the other one has administrative privilege, which can create new one-time UIDs and spawn new processes on behalf of these new UIDs. All these steps can be automated using scripts within a single login session.

Last edited by solskog (2020-09-14 09:08:51)


#8 2020-09-14 06:30:28

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [SOLVED] Single user vs multi user approach?

That sounds more akin to (multiple) guest logins with a tmpfs $HOME for traceless usage, rather than "just" shielding environments per program, and will likely require the "regular" UID to serve as a hub to transfer data between isolated clients.
Also, next to the shared X11 server, you'll probably want(?) to share the session DBUS, which would require you to loosen the socket permissions…

The question is: do you want to isolate processes or users (i.e. in the latter case you appear to the system as many different users that quasi-remotely interact with each other)?


#9 2020-09-14 08:43:09

solskog
Member
Registered: 2020-09-05
Posts: 407

Re: [SOLVED] Single user vs multi user approach?

> That sounds more akin to (multiple) guest logins with a tmpfs $HOME for traceless usage, rather than "just" shielding environments per program

This is what I do (the real runas.sh is more complex than this example):

unprivileged_login_user$ su --pty --login privileged_user

privileged_user$ cat runas.sh
#!/bin/bash
# SHARED_XAUTHORITY is the path of the cookie file shared by all UIDs.
# The trailing '&' forks a subshell that execs firefox, so the script
# returns at once and firefox is reparented away from the caller.
DISPLAY=:0 XAUTHORITY=SHARED_XAUTHORITY exec /bin/firefox &

privileged_user$ sudo -u unprivileged_user ./runas.sh

When I do this, firefox starts and detaches from privileged_user:

systemd─┬─dbus-daemon(dbus)
        ├─login(unprivileged_login_user)───startx───xinit─┬─twm
        │                                                 └─Xorg
        ├─urxvt(privileged_user)───bash
        ├─firefox-bin(unprivileged_user)─┬─Web Content

And I think FF is independent of privileged_user, because after I kill privileged_user, FF is still alive. On the other hand, FF is dependent on unprivileged_login_user, who is in charge of Xorg. But on the user name space level, there are no dependencies; please point out if I am wrong.

> The question is: do you want to isolate processes or users?

If what I did was correct, I have isolated users and I'll keep it that way. There is no need to let users communicate with each other.
As for the isolation of processes, it's harder. I'll look into firejail+apparmor. Maybe Wayland will solve this longstanding X11 issue one beautiful day?

Last edited by solskog (2020-09-14 15:46:35)

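The one-time-UID idea of posts #7 and #9, as an added example that is not solskog's runas.sh or anything else from this thread: the admin user creates a locked, shell-less account, gives it a private copy of the X cookie instead of loosening the login user's .Xauthority, runs the program, and removes the account when the program exits. It assumes sudo rights for useradd/userdel/chown/rm, util-linux `mktemp`, and that DISPLAY/XAUTHORITY name the shared X server and cookie file; all account and path names are assumptions.

```shell
#!/bin/sh
# Added example (not solskog's runas.sh): run one X11 program under a
# throwaway UID that owns only its own copy of the X cookie, and delete
# the UID when the program ends. Must run as the admin ("privileged") user
# with sudo rights for useradd/userdel/chown/rm; names are assumptions.
set -eu

# Throwaway account name "app-<basename>-<tag>", cut to fit useradd's
# 32-character limit (4 + 20 + 1 + up to 7 digits of PID).
ephemeral_name() {
    en_app=$1; en_tag=${2:-$$}
    printf 'app-%.20s-%s\n' "${en_app##*/}" "$en_tag"
}

# Create the UID, hand it a private cookie, run the program, clean up.
run_isolated() {
    [ $# -ge 1 ] || { echo "usage: run_isolated PROGRAM [ARGS...]" >&2; return 2; }
    display=${DISPLAY:-:0}
    src=${XAUTHORITY:-$HOME/.Xauthority}   # the cookie file shared by all UIDs
    user=$(ephemeral_name "$1")
    dir=$(mktemp -d)                       # mode 0700, handed over to $user below
    cookie=$dir/Xauthority
    # Locked password, nologin shell, no home: the account exists only to
    # own this one process tree and dies with it.
    sudo useradd -M -r -s /usr/bin/nologin "$user"
    trap "sudo userdel '$user'; sudo rm -rf '$dir'" EXIT
    # Export only this display's cookie; the login user's file stays private.
    xauth -f "$src" extract - "$display" > "$cookie"
    sudo chown -R "$user" "$dir"
    # Run in the foreground so the EXIT trap fires when the program ends;
    # start this script with `setsid -f` if it must outlive the caller's tty.
    sudo -u "$user" env "DISPLAY=$display" "XAUTHORITY=$cookie" "$@"
}

# Only launch when given arguments, so the functions can also be sourced.
[ $# -eq 0 ] || run_isolated "$@"
```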

#10 2022-03-23 10:13:35

pptp
Member
Registered: 2020-04-15
Posts: 22

Re: [SOLVED] Single user vs multi user approach?

Interesting. Wayland is of course better, not so sure about firejail.


#11 2022-03-23 12:12:53

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 4,645

Re: [SOLVED] Single user vs multi user approach?

Closing this old solved topic.
