Jay 2022-08-05 14:57:59
all file withib /home/userd is owned by root ofc, i only whitelisted a few subdirs.
lordV 2022-08-05 14:58:18
just one example
Jay 2022-08-05 14:58:21
lordV 2022-08-05 14:57:55
i think a application should not be able to read your ssh keys.. (if its not required)
i use passwords.
lordV 2022-08-05 14:58:51
your keepassxc db file, your cryptsetup keys, whatever..
lordV 2022-08-05 14:58:59
your personal porn pics
Jay 2022-08-05 14:59:33
if server timed out/aren’t able to accept passwords, it’s their fault and i won’t make a key without one in million years.
lordV 2022-08-05 15:00:09
qontinuum 2022-08-05 14:56:54
Also if you really want to segment so much use sandboxes, containers or VMs
Or even just use QubesOS
Or even just use QubesOS
that would be a very strong approach .. but i think its enough if a application can not access personal files in home.. or better put personal files in another users home
Jay 2022-08-05 15:03:07
lordV 2022-08-05 14:57:55
i think a application should not be able to read your ssh keys.. (if its not required)
default .ssh folder and private key permission is 600 tho’.
it should not concern you.
Jay 2022-08-05 15:03:20
idk about keepass.
lordV 2022-08-05 15:03:46
in my home directory everything is -rw——- except executables
Jay 2022-08-05 15:03:54
even if someone can read your keepass file, it’s encrypted.
so there’s that.
so there’s that.
qontinuum 2022-08-05 15:03:59
lordV 2022-08-05 15:03:46
in my home directory everything is -rw——- except executables
Lier
lordV 2022-08-05 15:04:02
but as I told before.. 600 does not help you if an application runs under the same user
Jay 2022-08-05 15:04:04
lordV 2022-08-05 15:03:46
in my home directory everything is -rw——- except executables
that’s gay.
lordV 2022-08-05 15:04:30
qontinuum 2022-08-05 15:03:59
Lier
sorry .. .cache/.config/.local is als an exception
Jay 2022-08-05 15:04:46
qontinuum 2022-08-05 15:03:59
Lier
fr fr, what about autogenerated .config .cache.
Jay 2022-08-05 15:04:57
too paranoif for your own good.
qontinuum 2022-08-05 15:05:02
lordV 2022-08-05 15:04:30
sorry .. .cache/.config/.local is als an exception
Well, all directories most likely are 700 as well
lordV 2022-08-05 15:05:19
Ah .. you know what i mean
qontinuum 2022-08-05 15:05:23
Jay 2022-08-05 15:04:46
fr fr, what about autogenerated .config .cache.
I guess they are also created by respecting umask
lordV 2022-08-05 15:05:45
qontinuum 2022-08-05 15:05:23
I guess they are also created by respecting umask
not all of them..
lordV 2022-08-05 15:06:15
Jay 2022-08-05 15:04:57
too paranoif for your own good.
a sane security approach has nothing to do with being paranoid
Jay 2022-08-05 15:06:59
qontinuum 2022-08-05 15:05:23
I guess they are also created by respecting umask
that’s silly, unless he only runs everythinh in terminal, it would make his life miserable.
lordV 2022-08-05 15:08:44
Jay 2022-08-05 15:06:59
that’s silly, unless he only runs everythinh in terminal, it would make his life miserable.
why.. ?
lordV 2022-08-05 15:08:56
my X runs as my own user, not root..
Jay 2022-08-05 15:08:58
lordV 2022-08-05 15:06:15
a sane security approach has nothing to do with being paranoid
a good security approach is to compartments everythinh.
everything else is a spook.
android is better at this kind of stuff, if only you could strip the java runtime execution and start another init.
qontinuum 2022-08-05 15:09:15
For fuck sake, each time I reinstall my system I debug DWM for hours before remembering it crashed because of the fonts
Jay 2022-08-05 15:09:23
Jay 2022-08-05 15:08:58
a good security approach is to compartments everythinh.
everything else is a spook.
android is better at this kind of stuff, if only you could strip the java runtime execution and start another init.
everything else is a spook.
android is better at this kind of stuff, if only you could strip the java runtime execution and start another init.
oh wait, you can.
Jay 2022-08-05 15:09:37
qontinuum 2022-08-05 15:09:15
For fuck sake, each time I reinstall my system I debug DWM for hours before remembering it crashed because of the fonts
take notes.
qontinuum 2022-08-05 15:10:13
Jay 2022-08-05 15:08:58
a good security approach is to compartments everythinh.
everything else is a spook.
android is better at this kind of stuff, if only you could strip the java runtime execution and start another init.
everything else is a spook.
android is better at this kind of stuff, if only you could strip the java runtime execution and start another init.
Just use Qubes
lordV 2022-08-05 15:10:25
Qubes does not work on every hardware
Jay 2022-08-05 15:10:34
lordV 2022-08-05 15:10:25
Qubes does not work on every hardware
qubes on vm
qontinuum 2022-08-05 15:10:41
lordV 2022-08-05 15:10:25
Qubes does not work on every hardware
Yeah fair
qontinuum 2022-08-05 15:10:46
Jay 2022-08-05 15:10:34
qubes on vm
Wat
lordV 2022-08-05 15:11:15
beside this.. its a very strong approach.. if you only want to make your personal files inaccessible by applications