systemd-homed ???

[Anon-E-moose]

I peruse slashdot in the morning (have for years, yeah, I know, bad habit ) and ran across this

[NeddySeagoon]

Now ransomware only has to change your LUKS keys, not process every file. :)

There is no danger of any of this

[krinn]

[Anon-E-moose]

And the march towards being like windows continues ....

Neddy, yep, very bad idea

krinn, ssshhh, lets not give him any more ideas
_________________
UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

[Naib]

I saw this the other day and wanted to post here, but well a systemd+1 thread will be met with the same scorn, even tho the facepalm keeps coming.

I just don't know where to start... Their motives are to enable easy migration between OS's (I guess an image being loaded in different vm/ve and justWork(tm) )... however, that is already possible and the present problems are that which will plague this... different OS's will be at different versions of different userland software and might not even have it installed.

This just stinks of a registry that isn't a registry "but its JSON..." GNOME tried that using xml...
_________________

[steve_v]

[depontius]

Is anyone else waiting for systemd to replace the entire /etc tree with "systemd.registry"?
_________________
.sigs waste space and bandwidth

[steve_v]

[Anon-E-moose]

A couple of links

https://www.phoronix.com/scan.php?page=news_item&px=systemd-homed
and the link to the pdf slide deck from above link https://cfp.all-systems-go.io/media/homed-asg2019.pdf

And LP's git tree (for anyone interested ... or bored enough ... to check it out) https://github.com/poettering/systemd/tree/homed


/. link (comment area) https://linux.slashdot.org/story/19/09/21/0110240/systemd-homed-systemd-now-working-to-improve-home-directory-handling

Edit to add: give it a year or so and systemd-kerneld should be out and available.
_________________
UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

[Hu]

[steve_v]

[Anon-E-moose]

I'm not sure how useful this (homed) will be in practice, at least for the larger userbase.

I think it was designed with 2 types of users in mind, those with laptops that also have a server/desktop login and container users, both cases seem to be more geared toward business use than home users.

It really doesn't need to be part of systemd, and other than being part of the systemd umbrella, I'm not sure how much of the systemd codebase it will share, well other than I'm sure it'll somehow use dbus as it's process communication.
_________________
UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

[Ant P.]

A Slashdot post about a Phoronix post about a systemd autofs clone. Sounds about the most irrelevant and inconsequential thing imaginable.

[NeddySeagoon]

Anon-E-moose,

It will be like udev ... inseparable. Its a part of the One True Way.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[depontius]

[389292]

I'm genuinely surprised that so many things on the list are not part of systemd already, I thought they are.

[Anon-E-moose]

[Naib]

[tld]

[tld]

[tholin]

The video of the talk is up at https://streaming.media.ccc.de/asg2019/relive/164

One of the ideas of the new reinvented home directories is to give each user a LUKS encrypted loopback file like /home/foobar.home that is unlocked when the user logs in and gets mounted as /home/foobar. That will break a whole bunch of stuff that depends on user directories existing even when the user is logged out but let's ignore that.

One of the the main motivations for having encrypted loopback files is "the decryption key needs to be removed from memory so that I know for sure that if someone steals my laptop [...] they should not be capable of getting any access to my harddisk". "This is something people might not find important but I think it's one of the most important things in this entire approach".

So before suspending a laptop luksSuspend will be run on the encrypted home. I considered using that approach when I setup disk encryption on my laptop but I concluded that it's infeasible to do that securely. LuksSuspend will only wipe the encryption key used for accessing the disk. It will not remove any of the already decrypted data in pagecache. Maybe there isn't anything sensitive in pagecache, or maybe there is. Just suspending and hoping for the best is not a good idea.

To suspend securely with encrypted disks the pagecache of the disk must be wiped (overwritten). All programs with read permission to the encrypted fs must be killed and their memory wiped. All free ram must be wiped in case some program held sensitive data and then quit. That is still not enough. If the unlock passwords was read from an usb keyboard the usb subsystem might have old buffers where the key presses could still be stored. All kernel subsystems which could be used to handle key material must be wiped.

The threat model he mention is "I if go though customs to a country that I don't trust" but there is no way this approach is secure against that. You simply don't know what sensitive data remains in ram. Don't he realize that? Or if he is realizing it why is he claiming this is secure?

During the Q&A (46:00) someone points out the problem and Lennart responds that perhaps sensitive data could be forced out to encrypted swap (hint: no, not security). Just use hibernation instead of suspending to be sure nothing is left in ram.

[depontius]

OK, so for various reasons I kept the Windows installation on my laptop, though I almost always boot Linux. In fact, most of what I do on Windows is Windows Update, which I did today. I think it was five reboots worth, or at least I rebooted it five times - and that was from the last update in late Spring / early Summer. one of the steps said that my laptop might reboot multiple times, but I didn't hang around to watch it.

And this relates to this thread how???

Because I imagine L.P. saying, "I didn't really get this inode stuff, and didn't really like it anyway. So I've written systemd-fs for our next-generation filesystem with xxx advanced features." But inodes wouldn't be one of them. Welcome Linux to multiple-reboot software updates.
_________________
.sigs waste space and bandwidth

[erm67]

Actually the idea of a "home-on-a-stick" (maybe ro) that doesn't break stuff and is automatically handled is not bad .....

Just to mention etcd is now in redhat hands
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net

[steve_v]

[erm67]

The world is full of people that could do stuff but doesn't because they don't bother, most of them are just delusional losers.

pics or it didn't happen
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net