[systemd-devel] Antw: [EXT] Re: Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Thu Feb 17 09:37:36 UTC 2022


>>> Stefan Schröder <stefan at tokonoma.de> schrieb am 16.02.2022 um 18:11 in
Nachricht <1487454823.169440.1645031460496 at webmail.strato.com>:

...
> There are reasons why the (...) decide not to ship 
> with 'hardened' defaults.
...

As said before, in most cases "comfortable" and "secure" contradict.
For example: It's hard to tell a former Windows user that he/she/it cannot
read syslog as normal user, so many "easy" configurations allow that.
OTOH, when using SSH-login and you enter your password where you should have
entered your user name, your password will be logged in syslog.
For a multi-user system you don't want other users see your password, then
(well if aware the user would change the password after that anyhow).

This is just one example:
Other examples:
Require root (or other privileged user) to:
* configure a network (use WLAN)
* shutdown the system
* mount a CD/DVD/USB disk
* use graphics acceleration
* use the clipboard (yes, seriously)
* use the webcam
* use a specific printer
...

Some people really don't want that type of "security". Most people don't even
want to authenticate, but just turn off the computer (or wake it up).

Regards,
Ulrich



More information about the systemd-devel mailing list