It's not how you apply a security policy, it's that you have a security policy.

On Wed, Jul 6, 2022 at 10:29 PM Gary <saclug@garymcglinn.com> wrote:
Permissions can be fun.  I grant execute to the world to the operator home directory files, just for convenience.

But I haven't really played around with extended file attributes, for example.  And I wonder if anyone actually uses SELinux.

And, I'm still trying to figure out how systemd is better than init.d.  It's just different.  I hate things that are just different since I waste energy learning them without gaining any benefit.

-Gary

----- Forwarded message from Linus Sphinx <sphinxtar@gmail.com> -----

Date: Wed, 6 Jul 2022 15:36:00 -0600
From: Linus Sphinx <sphinxtar@gmail.com>
To: Gary <saclug@garymcglinn.com>
Subject: Re: [Lug-nuts] [sphinxtar@gmail.com: Re: [sphinxtar@gmail.com: Re:
        Basic SSH]]

Downside is you always have that caveat of one user to rule them all, you
can hide him, tighten his permissions til he's almost useless but you still
have to have that one shared account for all the admins to use, after all
the goal is to have scripts that run root level stuff everywhere from one
location, sudo helps but for a large enterprise there is no avoiding the
descent into madness that is UNIX permissions itself.

On Wed, Jul 6, 2022 at 8:45 AM Gary <saclug@garymcglinn.com> wrote:

> Yes, I have a script to send a nice melody to my living room computer when
> my coffee is ready that uses at and ssh.
>
> But, I often log in and get up and do things and theoretically someone
> could walk in the front door and sit down.  Not that I'm paranoid, but I
> don't like the session/user to be able to do too much or know too much.  So
> I don't make accessing another box too easy, unless I have a good reason.
> Plus there is the whole layered defense concept and all that.
>
> So, for a lot of scripting with ssh certificates, I use user operator.  It
> was just sitting around with its teeth in its mouth, so I put it to work.
> Plus the name sounded sort of descriptive.  I wrote a script to do
> clipboard sharing over the network, for example.  And, since I don't log in
> as operator ever, unless I am adding scripts or features, I have less of a
> security concern.
>
> -Gary
>
> ----- Forwarded message from Linus Sphinx <sphinxtar@gmail.com> -----
>
> Date: Wed, 6 Jul 2022 07:54:01 -0600
> From: Linus Sphinx <sphinxtar@gmail.com>
> To: Gary <saclug@garymcglinn.com>
> Subject: Re: [Lug-nuts] [sphinxtar@gmail.com: Re: Basic SSH]
>
> Way we had everything wired at etrade, made for some nice easy scripting.
>
> On Wed, Jul 6, 2022 at 6:37 AM Gary <saclug@garymcglinn.com> wrote:
>
> > I was thinking of trying that just to see if it would work.  You would
> > think there would be an example of it somewhere.  It's not how I'd like
> > to use it, but it would be a good way to figure things out.
> >
> > ----- Forwarded message from Linus Sphinx <sphinxtar@gmail.com> -----
> >
> > Date: Wed, 6 Jul 2022 05:01:48 -0600
> > From: Linus Sphinx <sphinxtar@gmail.com>
> > To: Gary <saclug@garymcglinn.com>
> > Subject: Re: [Lug-nuts] Basic SSH
> >
> > Do you own both servers? Maybe generate keys and exchange them? Sorry for
> > the RTFM: https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
> >
> >
> > On Tue, Jul 5, 2022 at 11:35 PM Gary <saclug@garymcglinn.com> wrote:
> >
> > > So, my eyes grow weary of google nonsense.
> > >
> > > But is there ever a way to use anything other than:
> > >
> > > ssh -L xxxx:localhost:yyyy server.com
> > > or
> > > ssh -L xxxx:server.com:yyyy server.com
> > >
> > > for example
> > >
> > > ssh -L xxxx:anotherserver.com:yyyy server.com
> > >
> > > for example when there are firewalls.
> > >
> > > How would it work?  Certificates only?  I'd like to use a password on
> > > anotherserver.com
> > >
> > > I know I could get what I want using a double login and chaining ports.
> > > But, it seems like a real waste if the :localhost: is just to tickle
> > > the bind addresses on the server.
> > >
> > > -Gary
> > >
> > > _______________________________________________
> > > Lug-nuts mailing list -- lug-nuts@bigbrie.com
> > > To unsubscribe send an email to lug-nuts-leave@bigbrie.com
> > >
> >
> > ----- End forwarded message -----
> >
>
> ----- End forwarded message -----
>

----- End forwarded message -----
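Added example (not from anyone on the list): a loopback model of what the -L option in the original question actually does on the wire. With "ssh -L xxxx:anotherserver.com:yyyy server.com", the ssh client listens on port xxxx locally; every connection it accepts rides the encrypted session to server.com, and sshd on server.com then opens an ordinary, unencrypted TCP connection to anotherserver.com:yyyy as resolved from server.com. That is why a host behind server.com's firewall is reachable, why "localhost" in the middle field means server.com's own loopback and not yours, and why the second hop is only as private as the protocol carried inside it. Authentication to server.com is whatever it normally is (a key in the list's scenario); if anotherserver.com's port yyyy is ssh, "ssh -p xxxx user@localhost" through the forward still lets you log in there with a password, and "ssh -J server.com anotherserver.com" (ProxyJump, OpenSSH 7.3 and later) does the same with one command. The code below collapses the encrypted hop into a thread hand-off so it runs offline; the echo service and the bind-port-0 convention are constructed for the demo and are not ssh behaviour.

```python
import socket
import threading

# Toy model of the relay behind "ssh -L [bind:]LPORT:HOST:HPORT server.com".
# The encrypted client<->server.com hop is replaced by an in-process hand-off;
# the part that matters, the plain TCP connect to HOST:HPORT, is kept as-is.


def parse_local_forward(spec):
    """Parse the -L grammar [bind_address:]port:host:hostport.

    Returns (bind_address, port, host, hostport). As with ssh (without
    GatewayPorts), no bind address means loopback only, so the forwarded
    port is not reachable from other machines on your LAN.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, (port, host, hostport) = "127.0.0.1", parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        if bind in ("", "*"):        # ssh: empty or "*" means all interfaces
            bind = "0.0.0.0"
    else:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    return bind, int(port), host, int(hostport)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    """Run both directions of one forwarded connection, then close both ends."""
    threads = [threading.Thread(target=_pump, args=pair, daemon=True)
               for pair in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


class LocalForward:
    """Listener in the ssh client's role for one -L spec; self.port is the bound port."""

    def __init__(self, spec):
        bind, port, host, hostport = parse_local_forward(spec)
        self.target = (host, hostport)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind, port))     # port 0 = pick a free one (demo convention)
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                  # listener closed
                return
            # This is the step sshd performs on server.com: a plain TCP connect
            # to HOST:HPORT from server.com's network position. Nothing here
            # encrypts it; only the hop that already ended is protected by ssh.
            try:
                upstream = socket.create_connection(self.target, timeout=5)
            except OSError:
                client.close()               # ssh logs a channel "connect failed"
                continue
            upstream.settimeout(None)
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the service on HOST:HPORT; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            _pump(conn, conn)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def roundtrip_through_forward(payload):
    """Send payload through a -L style forward to the echo service; return the reply."""
    srv, echo_port = start_echo_server()
    fwd = LocalForward("0:127.0.0.1:%d" % echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)       # EOF travels the same path as data
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    print(roundtrip_through_forward(b"ping via forward"))
```

The bind-address handling is the part worth keeping in mind operationally: the default of loopback is what keeps a forward private to your own session, and "-L *:xxxx:..." (or -g) opens that same port to anyone who can reach your machine, with whatever credentials the tunnelled service asks for or does not.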