Where Angels Fear
17 min read · Apr 21, 2020


Arch Angel

As you, doubtless, a̶r̶e̶ ̶a̶w̶a̶r̶e̶ don’t give a crap about, I have recently been having fun with computers (again <sigh>).

How can you tell a Mac/iPhone user?
They tell you!

They are the scum of the Earth … lower even than Tories; and they’re lower than vermin — subhuman lifeforms, just below tapeworm on the evolutionary scale.

If you’ve ever had any interest in Linux, you’ll possibly be aware of the phenomenon of distrohopping.

If you’ve had more than a passing interest, you’ve probably engaged in the practice yourself.

Not if you’re an Ubuntu user … if you’re an Ubuntu user, you installed it because you’d heard it was the best (i.e. most popular) and it has never crossed your mind to seek an alternative any more than it has crossed the minds of Windows users to look for an alternative OS (that’s ‘Operating System’ to you) … but if you tried any of the others … except, possibly, Mint, because Mint users are worse than Ubuntu users (they’ve never even heard of Ubuntu and the only reason they use Mint is because somebody else installed it for them; even Ubuntu-using grandmothers know more than Mint users) … but if you tried any of the others then you probably went through a phase of trying various distros until you just gave up in disgust and settled for Ubuntu/Mint/Fedora/Debian (don’t lie … nobody uses Red Hat at home … or Suse anywhere), because that’s what everyone does in the end, because fun though all the niche distros might be to try out, it’s easier to find help for the big name ones.

I did it for years, never finding the one that suited my needs; there was just always something I found unsatisfactory or lacking — I thought I’d found it with eLive, but that’s an altogether different story (involving scum of the Earth as well).

How can you tell an Arch Linux user?
They f**king tell you!

Like iPhone/Mac users, they just won’t shut up about it … waxing evangelical in their zeal to convert you to the one true way of Linux.

And I’m one of the bar stewards myself — oh, the irony!

In fairness though, I didn’t really have a choice.

I had made the decision to leave the country I was in and, having done so, promptly did exactly that two days later, as is my wont — I’m nothing if not impetuous.

Of course, when I reached my destination, I was without a computer (a whole other story) and was obliged to borrow a spare laptop from a friend.

I couldn’t install Windows 7 on it, because all I had about my person was a rucksack of clothes, my CDs and headphones (a story I might regale people with some day, but not now) and nobody I knew in my new country of residence had a copy they could give me — this is the problem with non-technical people who buy machines with Windows preinstalled and no physical media / bloody techies who eschew Windows in favour of Linux.

I first sought to install Debian — it suited my prior experience (meaning there was not a chance in dependency Hell of my choosing an RPM based distro) … it wasn’t Ubuntu (or a derivative) … and it satisfied my need for a distro known for security, privacy and stability.

The laptop wasn’t having it though. No matter how many copies I burned, or which version (in case it was the version of isolinux that was the problem), it wouldn’t boot from the DVD.

I tried installing it from a USB-key — which took some messing around on someone else’s machine with Mint installed on it.

Not a hope — the laptop just thumbed its nose at me.

I tried a netinstall.

Nope … not happening — the laptop, passive aggressively, gave me the silent treatment.

I tried other distros (I forget which now, but probably Slackware for example).

No dice. The laptop outright refused to boot from any DVD except for Knoppix. And there was no way I was installing Knoppix — even Klaus Knopper says that, even though you can install it, he wouldn’t, because it isn’t safe!

I eventually stumbled upon Arch and, in sheer desperation, gave that a try — I have no idea what possessed me to imagine a CD would be any more bootable than a DVD (optical media are optical media), but I think I was probably just desperate after a week of failure.

And, to my amazement, it booted and let me install it!

The whole experience was a baptism of fire mind you.

With the exception of Linux From Scratch (and possibly Gentoo) … Arch is notoriously the most difficult distro there is to even install, never mind use … not least because, whilst the wiki is excellently written and superbly detailed, the installation procedure is still not as clear as it should be … and you end up learning a lot of things the hard way as a result — a lot of the time, it just suggests that you go and read about a topic and, when you do, you end up exploring not just the rabbithole but the whole damned warren in your quest for an understanding (if not explanation) of why something (if not everything) isn’t working as it should (or even at all).

For instance, it isn’t made clear during the installation guide that, if you don’t heed the (remarkably anodyne) advice that …

The base package does not include all tools from the live installation, so installing other packages may be necessary for a fully functional base system. In particular, consider installing:

  • userspace utilities for the management of file systems that will be used on the system,
  • utilities for accessing RAID or LVM partitions,
  • specific firmware for other devices not included in linux-firmware,
  • software necessary for networking,
  • a text editor,
  • packages for accessing documentation in man and info pages: man-db, man-pages and texinfo.

… then you’re going to have a pretty hard time following the rest of the guide.

Once you reboot … even assuming you haven’t neglected to pre-install everything necessary, can read the screen and your filesystem and aren’t lacking any necessary firmware modules … unless you’ve specifically installed everything required to enable, configure and manage networking and understood it all (or taken thorough notes), you aren’t getting any further than a text-driven command-line interface (CLI) that does pretty much nothing of any interest.

If you haven’t installed a text editor, you aren’t going to be editing any of your config files very easily. Yeah, you could echo and cat from the CLI, but, really, what kind of masochist wants to do that? And when it comes time to edit any of the serious files, you’ll be ready to give up — after all, why waste time on a system designed to be hand-tailored, if you’re just gonna accept the defaults because you can’t face the prospect of editing files like the mirrorlist (it’s not exactly fun, even with a text editor)? And there’s no way I’m entering iptables rules a line at a time and trusting myself not to overlook any logic errors in the chains as I do so.

And the simple iptables.rules / ip6tables.rules supplied … well, I can’t remember any more if, when I first installed Arch, they were any different but now they are, quite literally, a waste of space — both rulesets are configured to allow everything in and everything out. Not that it makes any difference really, because they aren’t enabled by default, so, even if they were better, you’d still be doing everything naked anyway! It’s the little things that make the difference to how well, and how smoothly, it goes — things like … “WTF do you mean I’ve been connecting to random mirrors around the World without a firewall for the last … ever because the installation instructions don’t mention this fact, on the grounds that it’s not necessary to have a firewall in order to get Linux up and running, it’s an optional feature!?” I mean, yes, technically, even if they were to enable a simple, stateful ruleset for you, when you’re connecting to the mirrors, there’s no guarantee you won’t get pwned by one of them, because you’ve established a connection and allowed them to transmit data to you … but it’d stop you getting compromised by everybody-f**king-else who happens to come knocking whilst you’re doing it, wouldn’t it?
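To make the point concrete, here is an added example (not from the post, and not the rules files Arch ships): a constructed allow-everything ruleset of the kind described above, beside a minimal stateful default-deny one, with a hypothetical `audit_rules` helper that flags the permissive pattern before you load anything.

```shell
#!/bin/sh
# Added example, not from the post or the Arch packages. Both rulesets
# are constructed to illustrate the point: one allows everything, the
# other is a minimal stateful default-deny set. audit_rules is a
# hypothetical helper that flags the permissive pattern.

# Constructed: what an allow-everything /etc/iptables/iptables.rules looks
# like. Every chain policy is ACCEPT and there are no rules at all.
PERMISSIVE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: default-deny inbound. Loopback and replies to connections
# this host opened (e.g. to a package mirror) are allowed; everything else
# unsolicited is rejected. Outbound stays open.
STATEFUL_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT'

# audit_rules RULES_TEXT
# Prints one finding per line and returns 1 if the ruleset is permissive:
# INPUT or FORWARD policy ACCEPT, or no rule on INPUT accepting
# established connections. Returns 0 with no output otherwise.
audit_rules() {
  findings=$(printf '%s\n' "$1" | awk '
    $1 == ":INPUT"   && $2 == "ACCEPT" { print "INPUT policy is ACCEPT" }
    $1 == ":FORWARD" && $2 == "ACCEPT" { print "FORWARD policy is ACCEPT" }
    $1 == "-A" && $2 == "INPUT" && /--ctstate/ && /ESTABLISHED/ && /-j ACCEPT/ {
      stateful = 1
    }
    END { if (!stateful) print "no conntrack ESTABLISHED accept rule on INPUT" }
  ')
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# Stand-alone run: audit both constructed rulesets.
echo "== permissive =="
audit_rules "$PERMISSIVE_RULES" || echo "(rejected)"
echo "== stateful =="
audit_rules "$STATEFUL_RULES" && echo "(ok)"

# To audit the real file and then activate the stateful set on Arch:
#   audit_rules "$(cat /etc/iptables/iptables.rules)"
#   printf '%s\n' "$STATEFUL_RULES" > /etc/iptables/iptables.rules
#   iptables-restore < /etc/iptables/iptables.rules
#   systemctl enable --now iptables.service
```

The same audit applies to ip6tables.rules; ip6tables-restore takes the same file format, though the ICMPv6 rules needed for IPv6 to function differ.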

The wiki, whilst incredibly detailed, is pretty much geared towards people who are already highly technical and know what they need to find out about — working out how to install Arch with full disk encryption, for instance, will see you spend days reading around the wiki to ensure you haven’t missed anything important before you feel confident that you’ve got the steps clear in your head, because you will be referring, backwards and forwards, to multiple sections of multiple pages as you do so: where to source the best random data, whether to use serpent, whirlpool or risk AES being an NSA honeypot, whether you’re going to use LUKS or plain dm-crypt, whether you’re going to use encryption-on-LVM or LVM-on-encryption, what image-file to use as part of the key and where to store it (not in the initramfs, no matter how convenient it might seem to do so) … you get the idea.

But, quite apart from all that, the machine itself was dead set against the idea of my ever using it in any way at all.

It was a truly unique contraption, wouldn’t boot any other distro in the entire Universe from optical media, apart from Knoppix (but only v5.1) … had USB ports in a state of permanent overheat, so no option of installing from there … wouldn’t see an ethernet connection, ruling out a netinstall … had to be tilted backwards at exactly the right angle at a certain stage in the boot sequence in order to progress … would then stall until I literally thumped it with the precise amount of force necessary, at exactly the right point over the HDD … and a number of other quirks I’ve since ‘forgotten’ …

And then I neglected to install the firmware for the outdated Intel graphics and networking subsystems, resulting in more frustration as I sought to figure out why I had no problem with the installation CD but couldn’t see or speak to anything once I finally rebooted.

I’ve occasionally mused upon giving Gentoo more of a go than I have but, really, beyond the initial installation Stages (does anybody really bother with Stages 1 or 2 … or even Stage 3 these days?), Gentoo isn’t compiling your own Linux — you set a few compiler flags, adjust your choices a few times, as you learn what does and doesn’t work and then forget about them, simply recompiling the same things the same way each time.

And I really don’t have the inclination to purchase two of everything, ensuring they’re identical right down to the chipsets used on every component — because, compiling any of the serious apps you’ll want to use (like webbrowsers, office suites, graphics editors, etc.) can take so long that you can find yourself without a computer for a day (or even longer) whilst it does nothing else … so, you need a dedicated machine for doing just that and you then copy the updated files across to the machine you actually use on a daily basis.

Hell, if you go to the Gentoo website, you’ll see that you’re advised not to compile the big packages like webbrowsers, office suites, multimedia editors, etc. … all the things that you actually want to use on a daily basis … and download pre-compiled binaries instead — which entirely defeats the whole purpose of Gentoo, when you think about it, because they aren’t optimised for your system … and the only reason you installed Gentoo in the first place was precisely because it allows you to optimise your system!

So, if you wanna nerd out and claim your l337 h4x0r credits from other spotty, thirteen-year-old virgins, go ahead and spend your days needlessly compiling ls or rm, if you want … but I’ve got better things to do myself.

I love the idea of LFS — if ever anything were going to appeal to my inner geek with the siren call of ‘total knowledge’, it’s LFS. But security issues require that you be independently wealthy and/or that it be your day job and you have nothing else to do all day but keep an eye on CVE announcements for absolutely every single element of your OS. And there ain’t nobody got time for that — nobody with a life at least.

I wanted to like Slackware … there’s a certain ‘purist’ element about it. But it has an installation interface straight out of the 1990s … like Ubuntu, wants to install the kitchen sink, obliging you to go through every element of that interface, deselecting everything you don’t want (no, really, one text editor is enough, thanks, and it isn’t f**king ed either!) … or else just let it install everything and hope you don’t regret it. Moreover, whilst Arch isn’t impossibly difficult (and it’s decidedly easier to install and manage today than it was even just a handful of years ago), you do still need to be pretty tech savvy to get it fully working and I don’t care what the aficionados claim about how well documented and how logical everything is in Slackware, the networking documentation made no sense whatsoever to me and after a few weeks of net-not-working, I just gave up on it. It might be the closest thing there is in the Linux world to a real Unix clone but, if that’s what you want then why not just go with BSD and have done with it!?

Ah, yes, BSD.

Theoretically, it would be better … more stable, more secure … and free of the Systemd pod/hive that has rapidly assimilated, Borg-like, the Linuxverse.

But it’s so behind on the technologies that online vectors (e.g. web browsers) become a significant weakness — there comes a point after which no amount of mitigation will fix a fundamentally out-of-date technology (like pre-Quantum Firefox, for example).

So Arch is enough for me. It’s sufficiently low level for me to be aware that I’m simply taking it on trust that the binaries I download are all aboveboard but, apart from that, confident that I know my system inside-out, know exactly what’s on there (because, if I didn’t put it there, it isn’t) … exactly how it works (because I had to learn how to configure it myself) … can make it dance to my tune (because, as a result of all the learning, I know how to) … and it cured my distrohopping problem as a result — because I don’t need to find a solution any more … I’ve (more or less) built my own from scratch, tailored to my needs.

Which is why, when people talk to me about Linux, I don’t just tell them what I use, I evangelise Arch like a muthaf*kka 😉

But, oh, my f**king God!

They’ve done away with gksu and gksudo in favour of polkit!

FFS!

Has the Linux world been taken over by f**king Windows developers, who need a GPEdit for Linux before they feel comfortable?

Sudo already is the policy override!

Why introduce another one that can’t override sudo itself!?

Okay, there’s a bit of a backstory here.

For reasons I’m not going to bore everyone with, since 2017, I’ve been without a Linux machine and, really not having the time to rebuild things, reliant upon a laptop with a pre-installed Windows 7.

I do have a full Arch installed on an 8GB USB-key and, boy, did I work hard on tailoring it. Never mind the kitchen sink, it’s got the whole kitchen, the bathroom, the garden shed and the garage on it! System tools, system recovery tools, system auditing tools, intrusion detection/prevention/recovery tools, anti-malware tools, penetration testing tools, audio and video players, audio editing tools, a DAW, the complete multilingual version of LibreOffice Fresh, a WYSIWYG HTML editor, a software development IDE, the GIMP graphics editor, you name it, it’s on there. By carefully selecting only those elements of each that were absolutely necessary for them to function adequately, I managed to cram everything except a full video-editing suite into 8GB, with room left over for a few zipped up copies of a handful of webpages and PDFs for reference purposes.

It’s a work-anywhere, recover/fix anything, make music/graphics/presentations/documents/websites/everything-except-videos toolkit in my pocket.

The problem is though that, with time, it ran out of space to update the OS anymore and, as I said, I haven’t had time to do anything about that. Every time I start my desktop environment, even though I’ve rotated all the logs and deleted all the backups of the installed packages, I get a warning that there’s less than 100 MB free on the system and, periodically, when it gets to the desktop, all the applets on the panel have been reset to the defaults and I have to waste time fixing them again. At one stage, it even spontaneously deleted all my web browser extensions! They’re completely gone … and there’s still no more space on it!

I think the root cause might be the recoll indexing — it seemed like a good idea at the time, but it’s probably been slowly eating up space as the indexes grow. I just can’t be bothered to investigate that any more. Whatever the cause though, there’s no chance of updating any of it any more because there’s no room to do so. And that’s not a good place to be security-wise, so I haven’t used it for three years.

But, having had to bite the bullet and install Windows 10 recently (it’s just not safe to use Win7 any more), I figured I might as well bite another one and rebuild my Linux system from scratch whilst I was at it.

It’s been a while, however, since I looked at the state of play vis-à-vis Arch and … like Samantha Fu said … things have changed.

And, oh, my f**king God … they’ve done away with gksu and gksudo in favour of polkit!

Policy Kit is for granting users elevated access to files and apps.

But it can’t prevent someone from launching a terminal and using sudo there.

Which kinda begs the questions of:

1. what it’s for — if someone has entries in the sudoers file, what do you achieve with PolKit that you haven’t already done?

2. how useful it is as a security measure, if the only way to prevent people circumventing it is to block them from using a terminal until they pass a security check first — people who, if they are in a position to do so, thanks to being allowed to in the sudoers file, don’t need to be blocked in the first f**king place (see point 1).

It’s a solution looking for a problem nobody had, but everyone has now thanks to the f**king solution!

It’s just a pisspoor reinvention of sudo with a gksudo style GUI by people who have clearly come from (or been influenced by) Windows (with its Group Policy Objects).

TBH though, the basic Owner/Group/Others RWX restrictions of Linux aren’t sufficient. Hence ACLs (access control lists), SELinux, AppArmor, etc.

In order to facilitate a more flexible, yet more secure model, it would be better to allow objects to be owned by groups as well as users — thus reducing the number of necessary UIDs and, thereby, reducing the attack surface.

But that’s not possible without some sort of ACL extension to the default security model.

Which means having to manage two separate security spaces — ironically, thereby introducing a greater potential for error … and thus a larger attack surface.

Yeah, you can mask, but the same issue of multiple security approaches needing to be maintained arises — move a file to a different location and you have to make sure any changes in masking policy don’t grant permissions you don’t want. The same goes for RBACs, sticky bits, setuid/setgid.

And even if you use ACLs/masks/RBAC/whatever else, at the end of the day they’re all just workarounds for the fundamental flaw in the core security model — one which is precisely what sudo itself was designed to overcome.

But PolKit is a seriously shitty attempt to overcome it.

It will only be a final solution when all the others are first eliminated — begging the very question “What’s it for?”

e.g.

Go to https://wiki.archlinux.org/index.php/Polkit

(if you wanna understand something in Linux, it doesn’t matter which distro you use, you invariably end up on the Arch wiki sooner or later).

Read the three paragraphs at the top (before the table of contents).

Makes sense, right … and you can see how it would be better than using sudo — I never liked sudo anyway … it’s a security disaster waiting to happen.

Skip past the installation blah-blah to Configuration — now we’re getting into it properly.

Actions/Authorisation rules … okay, yeah, a bit clunky keeping authorisation rules in two places … after all, if you can keep the actions rules together … but whatever …

The next para, yeah, we got that at the start already but, again, whatever … I’ve still no objection in principle to Polkit — it seems a sound idea.

Now the blue note …

“This does not preclude running GParted by means which do not respect polkit”

So, let me get this straight … it’s a security measure that can’t guarantee to secure things against processes that don’t respect its authority?

Ah, hang on, right … it’s not meant to secure the system just to provide an extra privilege elevation mechanism that means you don’t have to elevate privilege too high — erm … isn’t that precisely a method of securing the system? A bit like reinventing sudo in fact.

Except … wait … I’m sure there’s already a mechanism to allow users to do things with others’ credentials without having to grant them entries in the sudoers file.

In fact, yes, that ‘run as’ mechanism is precisely why I have an administrative account on my box, with no home folder, which I never log into … so that I can sudo/gksu/gksudo certain actions with the UID of that account, enter its password and perform actions as it rather than as root, because, since it’s in the wheel group, it’s allowed to.

But, okay, whatever … maybe, I’m missing something … let’s keep reading.

“For security purposes, sudoers is still the way to go.”

Wait … f**king WHAT!?

Seriously … it’s getting as bad as f**king Windows!

<sigh>

I don’t know what’s worse … the ‘Cluster B’ personality disorder afflicted running the political/economic World, or the Autistic Spectrum Disorder afflicted designing the technological one — neither of them has any concern about how their personal goals affect other people or whether they, in fact, make any sense at all in the wider context of “Other people have to live with the effects of your actions, you know.”
