On Mo, 2021-08-02 at 09:44 +0200, Thorsten Kukuk wrote:
On Mon, Aug 02, Giuseppe Fierro wrote:
Hi, encryption is a nice thing to have but not all users are able to do quickly or are not too lazy to do.
A simple situation is the follow:, I'm the only user of my system, desktop or laptop, so I don't care about system permission but one day my syster, wife, mother, girlfriend etc. ask me if he can use my laptop for something what I do is to quickly setup new user account right? But wait... he is by default in the same group and he can see all of my stuff, mail, photos, documents, etc.
I'm the only user of my system, too. I still encrypt everything which nobody else should see. Only look in the press why you can never be sure that you are the only user. Permissions of 0700 will maybe stop your girl friend, but not even script kiddies.
Overcoming the permissions requires local privilege escalation, which many of us are constantly fighting against as part of our day-time jobs. If LPE isn't at least difficult to achieve on an up-to-date (open)SUSE installation, we (as SUSE) are doing something in a fundamentally wrong way, IMO. More generally, I believe that arguments of the type "measure X isn't perfectly safe, thus forget about it", which are a recurring pattern in discussions about security, are examples of relevance fallacy. The fact that X isn't perfect doesn't imply that it's useless. In the concrete case, 0700 at leasts prevent others from accidentally seeing stuff they shouldn't see. It should also keep apprentice script kiddies away (hoping so, at least), and makes things a tiny bit more difficult for other attackers, worsening the relationship of effort vs. potential profit for them. Not to mention that encryption isn't safe either, unless you re-encrypt every other year with the latest algorithms and keep your private key sealed in a block of concrete... Regards Martin