-- Leo's gemini proxy
-- Connecting to gemini.tuxmachines.org:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;lang=en-GB
Tux Machines
Posted by Roy Schestowitz on Sep 14, 2022
> This article will go through the best Linux books for all the different target groups and use cases.
> This guide will walk you through installing Oracle Linux 9, a high-performance, secure, and enterprise-ready RHEL fork.
> Oracle Linux has a history dating back more than 15 years of consistent stability and reliability, being a popular choice among the large enterprise segment.
> The distro is fully 1:1 binaries compatible with Red Hat Enterprise Linux (RHEL) and is entirely free (available under the GNU General Public License) to download and use.
> In the operation of a normal Linux system there are many secrets stored on behalf of a user. Wifi passwords, passwords from web sites, etc. Ideally you want them to be quickly and conveniently accessible to the rightful user but also be as difficult as possible for hostile parties to access.
> The solution in GNOME and KDE is to have a wallet that is encrypted to store such passwords, the idea is that if a hostile party gets access to a PC that doesn’t use full disk encryption then the secrets will be protected. This is an OK feature. In early versions it required entering a password every time you logged in. The current default mode of operation is to have the login password used to decrypt the wallet which is very convenient.
> The problem is the case where the user login password has a scope larger than the local PC, EG a domain login password for Active Directory, Kerberos, or similar systems. In such a case if an attacker gets the encrypted wallet that could facilitate a brute force attack on the password used for domain logins.
> I think that a better option for this would be to store wallets in a directory that the user can’t access directly, EG a mode 1770 directory with group “wallet”. Then when logging in a PAM process running as root could open the wallet and pass a file handle to a process running in the context of the user. For access apart from login there could be SETGID programs to manage it which could require authenticating the user’s password before any operation that exports the data so that a vulnerability in a web browser or other Internet facing program can’t just grab the file contents.
> In this post, you will learn how to install WebTorrent Desktop on Ubuntu 22.04
-- Response ended
-- Page fetched on Sat Jun 1 08:42:17 2024