Most secure Linux tweak ever?

Given how fast Linux can boot on a laptop with an SSD, I see a potential to further harden Linux via restricting root login to boot time.

Most malware relies on privilege escalation; if you can remove both sudo and su, this should logically reduce the attack surface?

 

When I hit the power button, I'm presented with an option: boot as user, or boot as root.

If I want to install programs or modify directories other than /home/DangerousThinking, I have to reboot, select "Boot as root", enter the root password, make my changes, reboot and select "Boot as user".

Are there any distros that restrict root access to boot time in this way?

If not, why do you think that is?

32 minutes ago, Dangerous Thinking said:

If not, why do you think that is?

Because it would be annoying AF to have to reboot to do things that require root and it wouldn't actually improve security. Even if rebooting is fast, I don't want to have to shut down everything I'm doing to install some missing piece of software or update things.

 

There are also certain parts of an operating system that always run with elevated privileges (e.g. the part of the system that enforces security). If they have a weakness and malware can take them over, malware can still escalate its privileges even if the user is unable to become root.

 

Privilege escalation doesn't mean malware requires the presence of sudo or su. It means hacking into (system) software or services that always run with elevated privileges, then using these privileges to do things the current user shouldn't be able to do.


Fedora Silverblue kinda does what you're describing, though not in the same way. It uses something called an immutable file system, meaning that everything but the user's home folder is read only. You can only install programs as flatpaks or use Appimages, but it's incredibly stable and incredibly secure. The main thing it does differently to what you're describing is that you cannot login as root period, so tasks that require it are almost impossible (there is a workaround, I forget what it is since it's been a while since I looked into Silverblue). SteamOS 3.0 is going to do a very similar system, though it will have a developer mode that will basically disable the immutable file system. 

 

As for why distros don't do exactly what you're thinking, first, it's still a hassle. Even if your system only takes 7 seconds to boot, that's still having to shut down and lose all of your work, and spend that 7 seconds waiting to run a somewhat simple command (if you were, say, trying to install a new web browser or something). Imagine having to do that every time you have to update the system; it's not that big a deal, but it would get annoying pretty quickly. Second, you can already disable sudo and just log out and log back in as root, depending on the distro. Even then, a lot of enterprise distros have it set up to log you in as root by default, since if you know what you're doing, that's not the way that malware will take over.


Thinking about it some more, it would actually most likely be detrimental to security. People would simply work as root most of the time to avoid rebooting, just like everyone was using an administrator account in Windows XP. If you make it harder to run as root when needed, people will simply run as root full time.

1 hour ago, Dangerous Thinking said:

if you can remove both sudo and su, this should logically reduce the attack surface?

If you replace the doors and windows in your house with cement walls, it'll improve security... but it'd also make life harder for you... and that's what I feel like this would absolutely do.

In response to the most common concerns.

 

1. It will be annoying to reboot all the time.

This would not be suitable for a daily driver system, I agree.
This is for a hardened terminal that will be running SSH, VPN, Tor and basically nothing else on an old Chromebook.

 

Ideally I would like to forbid root access altogether and reinstall the OS when a significant update is required. If I can automate the install process down to a single button push, I can do this once a week with minimal effort; I just have to wait for the install script to complete, then scp my KeePass database and other important files.

 

2. It will be less secure as it encourages running as root.

See above; this is not a daily driver system. It is intended to be a minimal install optimised for secure web browsing, and it will be more locked down and barren than Tails or Whonix.

 

3. Immutable file systems.

I have read about these and so far they seem like the best option for my use case. I need to try Silverblue on my ESXi host sometime and see if I can get along with it.

 

4. Is it worth it?

I do not know how much extra security removing sudo and su would provide; probably not a great deal if you have a decent password.

 

It seems Fedora Silverblue or hardened Gentoo would be much better options. Let's face it, either of those will be practically invulnerable if updated regularly and used ONLY for SSH, FTP and web-console administration; it's hard to get a virus when connected via SSL to your own infrastructure, particularly on a LAN.

 

Any suggestions?

 

Edited by Dangerous Thinking

I'm confused. OP, which distro are you using? No distro I've used has given me the option to boot as root in decades, which is a really bad idea to do anyway. It has been sudo, then the command. Installing software? It asks me for a password before doing so.

I believe you can set the system to single user mode using grub, which I believe should boot it to "root mode"... but AFAIK, that's a massive can of security worms you don't want to open.

On 12/5/2021 at 12:02 AM, RONOTHAN## said:

Fedora Silverblue kinda does what you're describing, though not in the same way. It uses something called an immutable file system, meaning that everything but the user's home folder is read only. You can only install programs as flatpaks or use Appimages, but it's incredibly stable and incredibly secure. The main thing it does differently to what you're describing is that you cannot login as root period, so tasks that require it are almost impossible (there is a workaround, I forget what it is since it's been a while since I looked into Silverblue). SteamOS 3.0 is going to do a very similar system, though it will have a developer mode that will basically disable the immutable file system.

 

This is also how Android works (I'm pretty sure that iOS/iPadOS is set up similarly, and macOS Catalina is immutable as well). The main OS is separated on a read-only partition. As someone who works in the mobile industry (sales rep), I'm so grateful that these devices are set up like this.

 

The amount of stupid shit I've seen people do to their phones just by installing crap software blows my mind. Having easy access to root would screw their devices up even more. That's also why I'm not opposed to bootloaders being locked by default. My only issue with that is that I think manufacturers and carriers should give people the option to unlock it if they want to.

 

I really do think that distros that are geared more towards beginners should look at an immutable option. It's a great option for people who aren't tech savvy since it makes it harder for them to screw up their system (or prevent things like the Pop Steam bug from nuking a DE).

7 minutes ago, linkboy said:

 

This is also how Android works (I'm pretty sure that iOS/iPadOS is set up similarly, and macOS Catalina is immutable as well). The main OS is separated on a read-only partition. As someone who works in the mobile industry (sales rep), I'm so grateful that these devices are set up like this.

 

The amount of stupid shit I've seen people do to their phones just by installing crap software blows my mind. Having easy access to root would screw their devices up even more. That's also why I'm not opposed to bootloaders being locked by default. My only issue with that is that I think manufacturers and carriers should give people the option to unlock it if they want to.

 

I really do think that distros that are geared more towards beginners should look at an immutable option. It's a great option for people who aren't tech savvy since it makes it harder for them to screw up their system (or prevent things like the Pop Steam bug from nuking a DE).

Fully agree. I'm personally gonna stick to my non-immutable distros since I know what I'm doing and have Timeshift set up, but I know their value. I've broken systems more than once, so making it immutable makes it a lot harder to break. I was very concerned when Valve announced that SteamOS 3.0 will be Arch-based, but all those concerns went away when they announced it would be immutable. Arch stuff just breaks occasionally with updates, and making it so the updates are tested and pushed as an update image makes basically all the disadvantages go away.

 

The one gripe I'll give to immutable packages is that package management is generally still worse than traditional distros since you're relying on flatpaks and appimages. There are still a lot of things that aren't available as flatpaks or appimages, or that version is missing some features. That said, it's the fault of the flatpak maintainer that they're worse than the traditional applications, so if immutable distros like SteamOS 3.0 take off like I hope they will, flatpaks will get a lot more dev time and will be a lot better overall. 

Why not use SELinux? I wouldn't mess with something like CoreOS if that's what you're trying to do.

Honestly, just disable the root account and set up a hardware key like a YubiKey or something that is used for root authorization.
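An added audit script, not posted by anyone in this thread, that checks the three controls the OP's point 4 ("removing sudo and su") and the reply above ("disable the root account") are about: root locked in /etc/shadow, su restricted to the wheel group by pam_wheel, and no sudo binary installed. It assumes the standard /etc/shadow and /etc/pam.d/su formats and the sudo paths listed in audit_host; the sample lines in the checks are constructed.

```shell
#!/bin/sh
# Audit helpers for the "no sudo, no su, root locked" setup discussed above.
# Assumptions (not from the thread): standard /etc/shadow and /etc/pam.d/su
# formats, and the sudo paths listed in audit_host.

# Returns 0 when an /etc/shadow line describes a locked account.
# Field 2 is the hash: a leading '!' or a bare '*' means no password login.
# An EMPTY field is NOT locked (it allows login with no password at all).
shadow_locked() {
  pw=$(printf '%s' "$1" | cut -d: -f2)
  case "$pw" in
    '!'*|'*') return 0 ;;
    *)        return 1 ;;
  esac
}

# Returns 0 when /etc/pam.d/su (passed as a string) requires pam_wheel,
# i.e. only members of the wheel group may even attempt su.
# The anchored regex ignores commented-out lines.
su_wheel_required() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# Returns 0 when none of the given paths is an executable sudo binary.
no_sudo_present() {
  for p in "$@"; do
    [ -x "$p" ] && return 1
  done
  return 0
}

# Run the three checks against the live host. Reading /etc/shadow needs root.
audit_host() {
  if [ -r /etc/shadow ]; then
    shadow_locked "$(grep '^root:' /etc/shadow)" \
      && echo "root account: locked" || echo "root account: NOT locked"
  fi
  if [ -r /etc/pam.d/su ]; then
    su_wheel_required "$(cat /etc/pam.d/su)" \
      && echo "su: restricted to wheel" || echo "su: not restricted by pam_wheel"
  fi
  no_sudo_present /usr/bin/sudo /bin/sudo /usr/local/bin/sudo \
    && echo "sudo: absent" || echo "sudo: present"
}

audit_host
```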

The suggestions for you to just use an SELinux distro are probably correct. But there is something that comes close to what you're describing here: System Integrity Protection on macOS. With System Integrity Protection, the key parts of the operating system cannot be modified by the user, even an admin user. Commands that would break the OS, like:

sudo rm -rf /usr/*

just cannot be run. You get "Operation not permitted".

 

However, if you decide that there is something you need to do and SIP is blocking you, you can boot into recovery mode and disable it. Then you can do whatever you want, boot into recovery mode again and re-enable it.

 

This feature was, when it launched, often called "rootless" and some people said it was the end of "sudo" on macOS. But it's really a very good feature for end users. And developers who want to hack on the kernel can always disable it and leave it disabled.

 

It's a lot less restrictive than what you've proposed here, but it basically leaves the options something like this:

 

Users can install, run, and modify files & apps that are just for them.

Admin users can install, run, and modify files & apps for all users on the system.

When SIP is enabled, nobody can modify files & apps that belong solely to the OS.

When SIP is disabled, admin users can modify files & apps that belong solely to the OS.

 

It hits many of the points you've got here in that it prevents users from damaging their system unless they do something that involves a reboot.
