
Can I remove ACL?


All times are UTC


 PostPosted: Wed Aug 24, 2016 12:55 pm   
. . . .

Joined: Mon Apr 21, 2003 3:56 pm
Posts: 8309
Something tells me that if ACL is installed, the development team which configured ACL has most likely skimmed over the (almost archaic) non-ACL file system access configuration.

In other words, if I uninstall ACL (which effort may ultimately allow me to write files to my own removable media), will the resultant installed system be left in a default configuration which will damage itself when used without ACL?

This is why I want a full distribution, properly installed on an external hard disk - If I kill that external distro, I just rebuild it, my daily desktop remains unaffected.

No, emulated environments such as Virtualbox most likely won't work very well for my efforts, since I need to configure REAL chipsets for mainboard (I've suffered poor mainboard chipset support), graphics card (you know, nVidia and ATI stuff seems to affect every user), wifi card (don't go here) and so forth.

If you know for sure or can point me somewhere, thanks.

_________________
eMachines T5246 AMD 64 X2 w/Ubuntu Mate 16.04.4
EeePC 900A w/Antix 16.2 32 bit
Dell Inspiron 1545 w/Neptune 5.1


 PostPosted: Thu Aug 25, 2016 3:47 pm   
Linux Guru

Joined: Sat Apr 03, 2004 12:39 am
Posts: 12380
Location: Clinton Township, Michigan
In this context, I doubt that you are referring to the common sports injury, "... The anterior cruciate ligament (ACL) is one of a pair of cruciate ligaments (the other being the posterior cruciate ligament) in the human knee. ..."
(Wikipedia - https://en.wikipedia.org/wiki/Anterior_cruciate_ligament )

Instead, ACL, in software terms, refers to " ... An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.[1] Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it. ..." (Wikipedia - Wikipedia ACL reference )

In this context, if you're running what attempts to be "a secure" operating system, such as Fedora, Red Hat, or CentOS, which do quite a bit with ACL and more than likely use it in a dependent manner, you may run into significant issues.

On the other hand, if you are cobbling something together from scratch, you can add or remove whatever you wish. I seldom create or update an Access Control List directly, but some processes that I'm utilizing may, at times, utilize the services without my direct knowledge. You may want to study what you're doing before coming to a final conclusion one way or the other on this. My gut response is that an ACL is likely to be a pretty important core service for any system having any pretense of real security.

_________________
Brian Masinick
Distros: MX-17, antiX, Debian


 PostPosted: Wed Aug 31, 2016 10:56 pm   
. . . .

Joined: Mon Apr 21, 2003 3:56 pm
Posts: 8309
masinick wrote:
On the other hand, if you are cobbling something together from scratch, you can add or remove whatever you wish. I seldom create or update an Access Control List directly, but some processes that I'm utilizing may, at times, utilize the services without my direct knowledge. You may want to study what you're doing before coming to a final conclusion one way or the other on this. My gut response is that an ACL is likely to be a pretty important core service for any system having any pretense of real security.

I'm somewhere in between the extremes you've raised. I'm not using a Linux distro for its server capabilities, and I probably will never serve files. I'm more like PCLinuxOS, Kubuntu and OpenSuse.

I ask this because I despise situations where I cannot access my own flash devices in the same manner as I can access a file in ~. I've even posted that after what I believe was an ACL operation, it fudged a file; copying it BACK to ~ left a file which remained as broken as after I put it onto the flash drive. Specifically, from what I saw, ACL killed a binary executable when I put it onto a flash drive. I can't, not even as root, recover the executable permissions of the file after copying the file back to ~.

ACL is reputed by outside parties to be the cause of such issues; I'm going with the assumption the referenced discussions are relevant. This is where I have elected to decide 'this amount of security is more than I wish to bear'.

I suppose I could take down my internet connection while I'm mounting flash drives... that would be FAR easier (I dare say, easier for everyone) than setfacl/getfacl.

Further, I verify that https is in use for necessary protection online (banking, email, cloud services). If I need to, I can boot Knoppix, and the most damage any security violation could cause would be limited to RAM. If they wait for me to reboot (for example, to clear a first breach), and I see the same issues a second time, good for them, but the active internet gets shut down for that session. This is also part of why I feel that served apps are ultimately senseless: keep applications local, disconnect while using the applications. Can't compromise what isn't available.

From there, I'm feeling like someone wants to blur the lines between adequate security and taking unreasonable amounts of contrived steps based on convoluted perceived paranoia.

_________________
eMachines T5246 AMD 64 X2 w/Ubuntu Mate 16.04.4
EeePC 900A w/Antix 16.2 32 bit
Dell Inspiron 1545 w/Neptune 5.1


 PostPosted: Thu Sep 01, 2016 1:51 pm   
Linux Guru

Joined: Sat Apr 03, 2004 12:39 am
Posts: 12380
Location: Clinton Township, Michigan
Given that situation, you still have a couple of options:

1. The most extreme is to completely remove anything and everything remotely connected with ACL. That will certainly rid you of ACL. What's less clear (and much more risky) is what it will break on the system that you're using, so I wouldn't recommend going that way. You're better off reinstalling a system than doing that.

2. Try to isolate what specific routines are causing failure. It may be possible to disable their capabilities without completely destroying or eliminating them from the system.

3. Though not convenient, I like a third option, one you mentioned, best - IF you cannot accomplish what you're trying to do without either removing or disabling software: temporarily disable the network connection, use your devices as needed, then re-enable the network. If networking is dicey and you're concerned about intrusions, keep your network turned off most of the time, and enable it to download whatever you need, and operate mostly in an "offline" mode. That's not always the most convenient way to work, but nobody can access your system (other than physically taking it) when it is off the network. It may provide the safest option until either the defects associated with ACL are fixed or a safer, more secure solution becomes available and known to you.

_________________
Brian Masinick
Distros: MX-17, antiX, Debian


 PostPosted: Fri Sep 02, 2016 2:23 pm   
. . . .

Joined: Mon Apr 21, 2003 3:56 pm
Posts: 8309
masinick wrote:
Given that situation, you still have a couple of options:

1. The most extreme is to completely remove anything and everything remotely connected with ACL. That will certainly rid you of ACL. What's less clear (and much more risky) is what it will break on the system that you're using, so I wouldn't recommend going that way. You're better off reinstalling a system than doing that.
Essentially restating what I already posted:
mmmna wrote:
In other words, if I uninstall ACL ..... will the resultant installed system be left in a default configuration which will damage itself when used without ACL?


masinick wrote:
2. Try to isolate what specific routines are causing failure. It may be possible to disable their capabilities without completely destroying or eliminating them from the system.
Yep. Once more, as in getting Broadcom chips to work, I have to sift the internet for answers. I've already seen discussions of ACL which are easily located but are either undated (is this discussing version 0.2 of ACL or was this posted this morning?), or is the post actually dated (whoa....) way back? ACL like any software, could get its syntax revamped, I'll not likely get a changelog that tells me old_command_syntax_from_undated_post=new_command_syntax_in_my_version and thus the older syntax could compromise my data. There should be a correct answer out on the web, but determining how well that web information matches my needs is pretty unlikely unless I wish to risk an optional installation, maybe on an external hard disk.... HEY! Great Idea!

So, yeah, that is why I'm in bizarre situations.

People in general could be helpful if they force a date into their post, for those instances where the hosting software fails to incorporate a date into a posted message. Wordpress users are a high percentage of sites where the dates seem to be internal, not external. We'd benefit from knowing a posted discussion is already 5 years old, but then again, bloggers want users to post in ALL segments of the blog, because a blog is a popularity contest of sorts. I digress.

masinick wrote:
3. Though not convenient, I like a third option, one you mentioned, best - IF you cannot accomplish what you're trying to do without either removing or disabling software: temporarily disable the network connection, use your devices as needed, then re-enable the network. If networking is dicey and you're concerned about intrusions, keep your network turned off most of the time, and enable it to download whatever you need, and operate mostly in an "offline" mode. That's not always the most convenient way to work, but nobody can access your system (other than physically taking it) when it is off the network. It may provide the safest option until either the defects associated with ACL are fixed or a safer, more secure solution becomes available and known to you.
Been doing that for years, mas. The concept of 'always on' internet is what I call a 'Microsoft' lesson: people aren't taught up front that there is another way to perform Windows tasks ('I only use Word, what is Open Office... is that from Microsoft? Isn't Linux criminal and illegal?'), so I have to think outside the box with almost zero examples to follow. When people want to test methodologies for defeating unwanted intrusion, I think I'll have an easier time than most ex-Windows users at 'getting through the storm', as it were. Hence why I am staunchly against removing apps from local systems: so I can continue being productive when the internet has been switched off. Hence why I dislike Chromebooks. More, configuring ACL, firewalls, sandboxing, virtualization for security are all intriguing, but so far, I won't need a college degree worth of education to be reasonably protected. Yes, there are instances where I'm at risk, but I'm not about to post a list of my weaknesses, right?

ACL irritates me for what amounts to permanent execution removal, while it is being touted as a security tool. I downloaded and used that executable binary (mini-Vmac) in PCLinuxOS, I then transported it via a 'sneakernet' flash drive to a different distro (forget which), copied the executable to an archive flash drive, copied the archived version into Kubuntu and the extracted binary never executed again, not even on the PCLinuxOS machine. I tried root for permissions corrections to the binary executable, tried on 2 distros, I can change permissions from 777 to 111 to 333 to 755, but coming back to 755 it is still not executable. Changing using +x made no differences in execution, re-extracting the binary from the tar.gz repeats the key problems.

ACL is the nearest likely candidate because it can define access controls on devices, not just on files. If I'm wrong, I'll post what I learn.

But first, I need that external hard disk drive to become functional.
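
Added example, not written by either poster: before removing ACL support, these shell functions check the separate things that can stop a binary from running even after `chmod 755`, namely the mode bits, a `noexec` mount option, extended ACL entries (via `getfacl`, mentioned in the thread), and the ELF class of the file. The function names and the optional mounts-table argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread; the sample data in its test is constructed.

# Print the mount options covering absolute path $1, taking the longest
# matching mount point in mounts table $2 (default /proc/self/mounts).
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/self/mounts}"
}

# Succeed if the comma-separated option list $1 contains noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Classify file $1 by its first five bytes: elf32, elf64 or not-elf.
elf_class() {
    case "$(od -An -tx1 -N5 "$1" | tr -d ' \n')" in
        7f454c4601) echo elf32 ;;
        7f454c4602) echo elf64 ;;
        *)          echo not-elf ;;
    esac
}

# Report each independent reason file $1 may refuse to run.
why_not_exec() {
    f=$(readlink -f "$1") || return 1
    [ -x "$f" ] || echo "mode: no execute permission for this user"
    has_noexec "$(mount_opts_for "$f" "${2:-/proc/self/mounts}")" &&
        echo "mount: filesystem is mounted noexec; chmod cannot override it"
    # Named user/group entries or a mask line mean an extended ACL is set.
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -cp "$f" 2>/dev/null | grep -Eq '^(user|group):[^:]+:|^mask:' &&
            echo "acl: extended ACL entries present; inspect with getfacl"
    fi
    echo "format: $(elf_class "$f") file on a $(uname -m) kernel"
}
```

Run `why_not_exec /path/to/binary` once on the copy on the flash drive and once on the copy in the home directory; if no `acl:` line appears for either, ACL entries are not what is blocking execution.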

