way to reduce passwords

BG405
Level 9
Posts: 2508
Joined: Fri Mar 11, 2016 3:09 pm
Location: England

Re: way to reduce passwords

Post by BG405 »

trytip wrote: Wed Sep 05, 2018 3:15 pm what do most people do, they write them all in a note anyway and put it in their wallet
I sincerely hope not! :shock: One of my mates does keep them in a notebook along with instructions for fixing things etc. but doesn't take it anywhere with him. What you said would be like writing the PIN numbers on your cards with a permanent marker & wearing a T-shirt with the words "MUG ME" on the back. :!:

Best to use something like KeePass, or KDE Wallet Service if using KDE etc. & have unique passwords for everything. Using decent "self-encryption" (done in the brain) you can also generate passwords for sites which you can remember without having to write them down anywhere, but you MUST vary the "encryption" across sites to make it at least reasonably secure.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Two ROMS don't make a WRITE
janneh

Re: way to reduce passwords

Post by janneh »

rene wrote: Tue Sep 04, 2018 5:53 am
janneh wrote: Tue Sep 04, 2018 3:58 am The app browses through pkexec's xml-files and changes them to allow password-free user experience.
You should not do that: the way to override standard polkit policies locally is by creating/editing files in /etc/polkit-1/localauthority/50-local.d/. As an example for the first one from the screenshot, com.linuxmint.mintsources, you'd create a file e.g. /etc/polkit-1/localauthority/50-local.d/com.linuxmint.mintsources.pkla containing

Code:

[com.linuxmint.mintsources]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=com.linuxmint.mintsources
ResultActive=yes
The bit between square brackets is freeform, as is the filename itself save ordering and the .pkla extension; see man pklocalauthority for information. The above "Identity" mimics the standard Ubuntu/Mint AdminIdentities. While rather poorly/obscurely documented, polkit is in fact fairly configurable: the files under /usr/share/polkit-1 should not be touched...

Other than that: do have fun fending off the secuwity-... :-) Crude word removed by a moderator; please mind your language.
Thanks for the correction !
Edit: removed a stupid question..
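
An added example, not part of any post in this thread: a small Python audit that parses .pkla contents in the format rene describes and lists every entry that answers "yes" with no password prompt. The first sample entry is the one from the post; the two "Constructed" entries and their org.example.* action names are made up for illustration.

```python
import configparser
from pathlib import Path

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

# First entry is the one quoted in the thread; the other two are constructed.
SAMPLE = """\
[com.linuxmint.mintsources]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=com.linuxmint.mintsources
ResultActive=yes

[Constructed: too broad]
Identity=unix-user:*
Action=org.example.*
ResultAny=yes

[Constructed: still prompts]
Identity=unix-group:sudo
Action=org.example.backup
ResultActive=auth_admin_keep
"""

def split_list(value):
    return [item.strip() for item in value.split(";") if item.strip()]

def audit_pkla(text, source="<constructed>"):
    """Return one finding per entry that answers 'yes' without a prompt."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text, source=source)
    findings = []
    for name in cp.sections():
        entry = cp[name]
        granted = [k for k in RESULT_KEYS if entry.get(k, "").strip() == "yes"]
        if not granted:
            continue  # entry still asks for a password (or denies)
        identities = split_list(entry.get("Identity", ""))
        actions = split_list(entry.get("Action", ""))
        notes = []
        if any("*" in a or "?" in a for a in actions):
            notes.append("action glob")
        if any(i.endswith(":*") for i in identities):
            notes.append("any user or group")
        if set(granted) - {"ResultActive"}:
            notes.append("not limited to the active local session")
        findings.append(dict(source=source, entry=name, actions=actions,
                             identities=identities, granted=granted, notes=notes))
    return findings

def audit_tree(root="/etc/polkit-1/localauthority"):
    """Audit every .pkla file under root (reading it may need root)."""
    out = []
    for path in sorted(Path(root).rglob("*.pkla")):
        out += audit_pkla(path.read_text(), source=str(path))
    return out
```

Calling audit_pkla(SAMPLE) reports the thread's mintsources entry with no notes and the constructed broad entry with all three; audit_tree() applies the same check to the directory named in the post.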
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: way to reduce passwords

Post by rene »

janneh wrote: Thu Sep 06, 2018 2:12 am Edit: removed a stupid question..
Unfortunate. I mean, it must have been interesting to see your first post to the forum explode, so I was hoping you'd be back with more: this forum can sometimes use a bit of pepper :-)
lsemmens
Level 11
Posts: 3951
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: way to reduce passwords

Post by lsemmens »

If you don't want security, install Windwoes. If you want stability AND security, use Linux.
Fully mint Household
Out of my mind - please leave a message
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: way to reduce passwords

Post by rene »

lsemmens wrote: Thu Sep 06, 2018 7:33 am If you don't want security, install Windwoes. If you want stability, some extra security due to desktop Linux being a non-interesting target AND endless chasing of incompatibilities both with the world at large and other and previous incarnations of itself, use Linux.
There. Fixed your quote for you...
BG405
Level 9
Posts: 2508
Joined: Fri Mar 11, 2016 3:09 pm
Location: England

Re: way to reduce passwords

Post by BG405 »

rene wrote: Thu Sep 06, 2018 7:43 am some extra security due to desktop Linux being a non-interesting target
Whilst this may be true to a degree, I believe it is also the case that Linux (Mint) is generally better protected by its use of passwords for authentication. This makes it intrinsically harder for malicious scripts (or someone with a remote connection via e.g. Teamviewer*) to take over control of your system, even if, maybe, it doesn't prevent all possible attacks.

Out of interest, would it be possible for malicious scripts to simulate a mouse click? This would be a really easy way to get past UAC in Windows. :shock:

*This might not be a good example, haven't explored it yet so don't know if the other party needs your password to use it.
gm10

Re: way to reduce passwords

Post by gm10 »

BG405 wrote: Fri Sep 07, 2018 2:00 pm Out of interest, would it be possible for malicious scripts to simulate a mouse click? This would be a really easy way to get past UAC in Windows. :shock:
Windows is actually more secure in that regard than Linux, the UAC prompt is not accessible to user mode apps. On Linux any script can enter the password for you.

Desktop Linux is not all that secure really, and what @rene said is very true. If Linux was as relevant as Windows then I have no doubts the malware situation would explode just like it did for Windows. People will run anything as root on Linux just like they will run anything as admin on Windows. People are people, no matter their OS.

You don't even need to look far. Just look at the convoluted scripts I like to post to help some users here and that I'm sure only a small number of the users here can even understand. If I was a malicious actor I could easily take over systems that way. Users expect complexity from Linux, they will never suspect.
Pjotr
Level 24
Posts: 20129
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: way to reduce passwords

Post by Pjotr »

gm10 wrote: Fri Sep 07, 2018 2:05 pm You don't even need to look far. Just look at the convoluted scripts I like to post to help some users here and that I'm sure only a small number of the users here can even understand. If I was a malicious actor I could easily take over systems that way. Users expect complexity from Linux, they will never suspect.
And horribly convoluted they were indeed. :lol:

But that's more a matter of social engineering than of intrinsic OS security.... When one doesn't use shady non-repo software and scripts one doesn't understand enough, Linux is very secure indeed. The repo system is pretty effective in barring malware. Plus let's not forget the permissions system.

Not that there's no incentive to attack Linux. Almost all servers worldwide run on Linux. That's a pretty valuable target for criminals.

It's maybe not quite fair to compare server security with desktop security, but you get the point. If you treat your OS with basic common sense and basic prudence, desktop Linux is far more secure than desktop Windows.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Pjotr
Level 24
Posts: 20129
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: way to reduce passwords

Post by Pjotr »

rene wrote: Thu Sep 06, 2018 7:43 am endless chasing of incompatibilities both with the world at large and other and previous incarnations of itself, use Linux
I'm not "endlessly chasing incompatibilities", nor have I ever needed to do so in the last decade. I fail to see what you mean, other than possibly referring to your own incompetence.
Last edited by Pjotr on Fri Sep 07, 2018 6:33 pm, edited 1 time in total.
gm10

Re: way to reduce passwords

Post by gm10 »

Pjotr wrote: Fri Sep 07, 2018 6:17 pm
gm10 wrote: Fri Sep 07, 2018 2:05 pm You don't even need to look far. Just look at the convoluted scripts I like to post to help some users here and that I'm sure only a small number of the users here can even understand. If I was a malicious actor I could easily take over systems that way. Users expect complexity from Linux, they will never suspect.
And horribly convoluted they were indeed. :lol:

But that's more a matter of social engineering than of intrinsic OS security.... When one doesn't use shady non-repo software and scripts one doesn't understand enough, Linux is very secure indeed. The repo system is pretty effective in barring malware. Plus let's not forget the permissions system.
You are quite right, but that shoe fits Windows just the same. NTFS has a similar permissions system, the OS has the same or even better security layers (these days, let's forget Win95/98 ever existed), but all the social engineering focusses on Windows. You just don't get the equivalent of naked_pics.exe in Linux. ;)
Pjotr wrote: Fri Sep 07, 2018 6:17 pm Not that there's no incentive to attack Linux. Almost all servers worldwide run on Linux. That's a pretty valuable target for criminals.
You'll notice I specifically mentioned Desktop Linux. The Linux eco-system is rather diverse. The core is very secure but also not very accessible. It's the software that builds on top of it that brings it to the masses, and brings the security risks with it.

Servers run a restricted selection of software that receives much more scrutiny than other software, but even that software can and does have critical bugs, sometimes undetected for many years. Has happened and will keep happening.

Desktops, however, run a wide selection of software and users install an even wider selection of software to them, and often have certain security restrictions weakened for the sake of convenience. That comes at a cost to security.
Pjotr wrote: Fri Sep 07, 2018 6:17 pm It's maybe not quite fair to compare server security with desktop security, but you get the point. If you treat your OS with basic common sense and basic prudence, desktop Linux is far more secure than desktop Windows.
I never had malware on my Windows, either. Common sense gets you a long way. But stuff like naked_pics.exe doesn't get developed and emailed to people with common sense. And it would find its target demographic in the Linux world as well, I'm sure of that.
janneh

modular security and counterargument

Post by janneh »

Hello,
there has been debate about modular security and is it a good thing or not. I try to list here scenarios so it can be seen where it is a good idea.
  • single-user scenario. A single person uses the machine, performing admin-tasks and so on.
  • true multiuser scenario. Many people use the machine, logging in and out in doing so.
  • faux-multiuser scenario. One user stays logged in, but many people use the machine.
As far as I can see modular security only makes sense in the faux-multiuser scenario, where it is useful to protect some parts of the system from the inexperienced users. Maybe you have kids or a lazy spouse, whatever. In single-user or true multiuser scenarios it can be a hindrance though.

There are different people in different situations. I hope there can be solutions for each and every one.
Last edited by xenopeek on Mon Sep 17, 2018 2:27 am, edited 1 time in total.
Reason: appears to respond to comments made on this topic so merged here
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: modular security and counterargument

Post by catweazel »

janneh wrote: Mon Sep 17, 2018 1:43 am Hello,
You may want to take the hint from the administrator and stop creating new threads on the same subject.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: modular security and counterargument

Post by rene »

janneh wrote: Mon Sep 17, 2018 1:43 am There are different people in different situations. I hope there can be solutions for each and every one.
Quite. One should note however that "faux-multiuser" is the by far most common situation. Not even just in family-type situations ("family" being a relatively common social construct among humanity, I am told) but really in any non-singular situation: people locking or logging out when they go get a cup of coffee don't do so other than to protect against faux-multiuser shenanigans; would in an essential sense not need to if no such shenanigans were possible in the first place.

In the context of a distribution such as Mint which primarily targets the inexperienced and/or tired, the defaults being as they are makes fair sense. As does leaving adjusting said defaults actually to the individual, potentially more experienced user and not so much to just anyone clicking a pre-made script found on the official support forum. So, just keep it individual :)
sdibaja
Level 5
Posts: 899
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: modular security and counterargument

Post by sdibaja »

janneh wrote: Mon Sep 17, 2018 1:43 am Hello,
there has been debate about modular security and is it a good thing or not. I try to list here scenarios so it can be seen where it is a good idea.
  • single-user scenario. A single person uses the machine, performing admin-tasks and so on.
  • true multiuser scenario. Many people use the machine, logging in and out in doing so.
  • faux-multiuser scenario. One user stays logged in, but many people use the machine.
As far as I can see modular security only makes sense in the faux-multiuser scenario, where it is useful to protect some parts of the system from the inexperienced users. Maybe you have kids or a lazy spouse, whatever. In single-user or true multiuser scenarios it can be a hindrance though.

There are different people in different situations. I hope there can be solutions for each and every one.
I see your points, but inherent security is not being addressed.

Think of the multi OS situation... either Home or Office/Business
default boot is set to the Office/Business OS. limited access...
personal OS to play around in their dead time

IF a personal OS has access to the OTHER partitions then all security is lost!

in my case at home grandkids and friends borrow my computers... they can do no harm. I am fine with that, I encourage it. all Data is backed up, in partitions/drives that they can not access. Period.
same at the office... when it is time to do business functions a quick reboot makes those files and apps available.
They need to have root permissions to mount any partition outside of that OS. Period.

If I could change that one thing (partition access) with Linux Mint then perhaps I would begin using it again.
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
gm10

Re: modular security and counterargument

Post by gm10 »

sdibaja wrote: Mon Sep 17, 2018 9:29 am If I could change that one thing (partition access) with Linux Mint then perhaps I would begin using it again.
I'm not sure what exactly you are asking but if you want to detail it in a new thread I'd be happy to tell you how to do it. Whatever you want to do is certainly possible. ;)
sdibaja
Level 5
Posts: 899
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: modular security and counterargument

Post by sdibaja »

gm10 wrote: Mon Sep 17, 2018 9:49 am
sdibaja wrote: Mon Sep 17, 2018 9:29 am If I could change that one thing (partition access) with Linux Mint then perhaps I would begin using it again.
I'm not sure what exactly you are asking but if you want to detail it in a new thread I'd be happy to tell you how to do it. Whatever you want to do is certainly possible. ;)
[solved]
Peter
janneh

Re: modular security and counterargument

Post by janneh »

rene wrote: Mon Sep 17, 2018 8:57 am In the context of a distribution such as Mint which primarily targets the inexperienced and/or tired, the defaults being as they are makes fair sense. As does leaving adjusting said defaults actually to the individual, potentially more experienced user and not so much to just anyone clicking a pre-made script found on the official support forum. So, just keep it individual :)
For the installation and configuration phases, the defaults could be overridden though. It's pretty annoying when the system prompts for password repeatedly in those stages. In everyday use it doesn't bother so often, only a little.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: modular security and counterargument

Post by rene »

Not wanting to disagree with you in a fundamental sense, a practical issue for me at least does seem to be that the subset of system-configuration available from the GUI is tiny enough anyway that I really would not advise anyone to mistake a Linux GUI for anything other than pretty-pixels overlaying a terminal-based operating system in the first place. That is, after sudo -s the amount of bother shrinks dramatically...

No, not positing that as an excuse, but it may still play a role, in that same system of experienced users not in fact being bothered and inexperienced ones being sensible to bother. Or disputably sensible to bother -- but that and similar dispute has already given us https://en.wikipedia.org/wiki/List_of_L ... tributions. What could one ask for additionally...
Moem
Level 22
Posts: 16233
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: way to reduce passwords

Post by Moem »

janneh wrote: Tue Sep 18, 2018 1:15 am For the installation and configuration phases, the defaults could be overridden though. It's pretty annoying when the system prompts for password repeatedly in those stages.
This is clearly subjective, proven by the fact that it's never bothered me. I regard it as a tiny price to pay for the security that Linux offers and so it makes me happy to do so.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
gm10

Re: modular security and counterargument

Post by gm10 »

janneh wrote: Tue Sep 18, 2018 1:15 am For the installation and configuration phases, the defaults could be overridden though. It's pretty annoying when the system prompts for password repeatedly in those stages. In everyday use it doesn't bother so often, only a little.
As someone who opposes your original suggestion I don't have a problem with this one here, on the other hand. But do you have any examples of repeated prompts? Because I'm coming up with a blank. A single installation should never request more than a single authentication. Your credentials ever remain cached for a few minutes afterwards, so even subsequent installations during that time frame don't require additional authentication.
Last edited by gm10 on Tue Sep 18, 2018 1:16 pm, edited 1 time in total.