Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://queer.hacktivis.me/objects/381f8099-ed8d-4812-ac9a-07cae28b8cae">Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 30-Aug-2024 04:33:27 JST</a><a href="https://queer.hacktivis.me/users/lanodan" title="lanodan@queer.hacktivis.me"><img src="https://gnusocial.jp/avatar/792-48-20230912093141.webp" width="48" height="48" alt="Haelwenn /элвэн/ :triskell:" style="position: absolute; left: 0; top: 0;">Haelwenn /элвэн/ :triskell:</a><div><a href="https://udongein.xyz/objects/dd6d7b24-8c7b-4e0a-9af6-4c0e4a4b5273" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/158739" title="phnt@fluffytail.org">Phantasm</a></li><li><a href="https://gnusocial.jp/user/209694" title="lispi314@udongein.xyz">LisPi</a></li></ul></div></section><article><a href="https://udongein.xyz/users/lispi314">@lispi314</a> <a href="https://fluffytail.org/users/phnt">@phnt</a> <a href="https://movsw.0x0.st/@mia">@mia</a> <br>&gt; If your setup requires you not to trust the user, you shouldn't give the user access to things to start with.<br><br>Which is exactly what least privilege is about, you give specific permissions to system users (part of those being via groups, firewalls can also make use of user-separation).<br>Also I think you're thinking about human users, very different kind of concern, personally only very few people could ever get shell access to my machines, even a "restricted" kind.<br><br>&gt; Programs should be limited by capabilities<br><br>Linux doesn't have proper capabilities, well except the ones that nearly made it into POSIX and are so deeply flawed it's not even funny as like half of them trivially allow to gain root privileges.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3585649#notice-7035991">In conversation</a><time datetime="2024-08-30T04:33:27+09:00" title="Friday, 30-Aug-2024 04:33:27 JST">about 3 months ago</time> <span>from <span><a href="https://queer.hacktivis.me/objects/381f8099-ed8d-4812-ac9a-07cae28b8cae" rel="external" title="Sent from queer.hacktivis.me via ActivityPub">queer.hacktivis.me</a></span></span><a href="https://queer.hacktivis.me/objects/381f8099-ed8d-4812-ac9a-07cae28b8cae">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 30-Aug-2024 04:33:27 JSTHaelwenn /элвэн/ :triskell:
in reply to
@lispi314 @phnt @mia
> If your setup requires you not to trust the user, you shouldn't give the user access to things to start with.

Which is exactly what least privilege is about, you give specific permissions to system users (part of those being via groups, firewalls can also make use of user-separation).
Also I think you're thinking about human users, very different kind of concern, personally only very few people could ever get shell access to my machines, even a "restricted" kind.

> Programs should be limited by capabilities

Linux doesn't have proper capabilities, well except the ones that nearly made it into POSIX and are so deeply flawed it's not even funny as like half of them trivially allow to gain root privileges.
In conversationabout 3 months ago from queer.hacktivis.mepermalink

Public

Embed Notice

HTML Code

Corresponding Notice