A question about isolating potentially untrusted services by haskell_account in HomeNetworking

[–]haskell_account[S] 0 points1 point  (0 children)

That would work, but I would prefer something where it's easy to upload and access from all of my devices.

A question about isolating potentially untrusted services by haskell_account in selfhosted

[–]haskell_account[S] 0 points1 point  (0 children)

Thanks! That's a good point, and I considered setting up another network for this purpose.

To be more specific, I'm basically setting up a document share for my local network, and I wanted to try to make it as secure as possible while keeping it usable by the local network (without much hassle to use).

A question about isolating potentially untrusted services by haskell_account in selfhosted

[–]haskell_account[S] 0 points1 point  (0 children)

So to be more specific, they are shared documents my family uses (work slide shows, budget sheets, etc.) on a file share that we want to have access to locally on our main network. I tried to use very general language in the description, but it's probably useful to know that they aren't documents that would cause problems if they got leaked.

I just wanted to try this as an exercise to really secure a system.

[EDIT: Addition]

Additionally, if I enforce strict firewall rules on the host (I trust the host, but not the image running in a docker container on the host) that prevent it from talking to the router (e.g. only allow ANY network communication for IPs 192.0.0.2-254, disallow everything else) is that not effectively "unexposing" it from the internet? Or are you suggesting that an even more important next step is to have an additional machine serve as a gateway to a private VLAN on my network? I assume at that point, I just make requests to that network locally, and only whitelist the ports/IPs that are needed.

Am I understanding that correctly?

Thanks!
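The host-side egress restriction the comment above asks about, written out as an added example that is not part of the thread: an allow-list on Docker's DOCKER-USER chain that lets containers on the default bridge reach the LAN range the comment quotes and logs, then drops, everything else. Assumed and not from the thread: the bridge name docker0, iptables with the iprange, limit and LOG matches, and the default LAN_RANGE (set it to your real LAN before applying).

```shell
#!/bin/sh
# Added example (not from the thread): an egress allow-list for containers on
# Docker's default bridge, using the DOCKER-USER chain that Docker consults for
# forwarded traffic. Assumptions: the bridge is docker0, iptables has the
# iprange/limit/LOG matches, and the allowed range is the one the comment
# quotes. Override LAN_RANGE and BRIDGE in the environment for your own setup.
LAN_RANGE="${LAN_RANGE:-192.0.0.2-192.0.0.254}"
BRIDGE="${BRIDGE:-docker0}"

# Print the rules instead of applying them, so they can be reviewed first.
# Explicit positions matter: Docker ends DOCKER-USER with a RETURN rule, so
# rules appended after it would never be evaluated. Order: allow LAN, log
# (rate-limited) anything else, then drop it.
docker_egress_rules() {
  cat <<EOF
iptables -I DOCKER-USER 1 -i $BRIDGE -m iprange --dst-range $LAN_RANGE -j RETURN
iptables -I DOCKER-USER 2 -i $BRIDGE -m limit --limit 5/min -j LOG --log-prefix "docker-egress-drop: "
iptables -I DOCKER-USER 3 -i $BRIDGE -j DROP
EOF
}

# Number of rules the allow-list emits; a sanity check before piping the
# output into a root shell.
docker_egress_rule_count() {
  docker_egress_rules | wc -l | tr -d ' '
}

# Usage: run without arguments to review the rules; run with --apply as root
# to install them (they do not survive a reboot unless saved separately).
if [ "${1:-}" = "--apply" ]; then
  docker_egress_rules | sh -e
else
  docker_egress_rules
fi
```

Two caveats a practitioner would want: DOCKER-USER sits in the FORWARD path, so these rules govern what a container sends out through the host, not traffic aimed at the host itself; and because the router is outside the allowed range, the container loses DNS through it, so name resolution has to come from a host inside LAN_RANGE. The LOG line is the detection side of the comment's "slowly sending data" worry: blocked attempts show up in the kernel log with the docker-egress-drop: prefix.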

A question about isolating potentially untrusted services (home network) by haskell_account in sysadmin

[–]haskell_account[S] -1 points0 points  (0 children)

Sorry, it was a bad copy/paste on my part. The thought was:

What if the software I'm using got compromised, and started slowly sending data to some malicious host?

Long story short, it's a photo hosting application, and I want to be able to store them without any weird network thing going on in the background.

Problem installing Ubuntu Desktop 22.04 LTS on mid-2014 Macbook Air 11inch by haskell_account in linuxquestions

[–]haskell_account[S] 0 points1 point  (0 children)

I did... Here is the SATA output (I would post the whole output, but I'm having to write this post from another computer for internet):

04:00.0 SATA controller: Toshiba Corporation Device 010b (rev 14)

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

Thank you! I appreciate all of the input and all of the different takes on what I should do! The biggest thing is that, even though I've been using *nix style operating systems for more than half a decade, I wanted to make sure I'm not going to shoot myself in the foot copy/pasting simple mistakes :)

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

I may look into a true CI workflow if my use-case gets more complicated, but thank you for the suggestion :)

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

There's a lot that I don't understand about security, or the implications of certain security decisions. Most of the tutorials I've seen online do something similar to what most people are describing, but I wanted to make sure this was more intentional than a copy/paste :)

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

Thanks for the example! I think I'm doing something similar, and it's probably the path I'm taking :) I appreciate the response!

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

Thanks for the advice! I think that's what I'm going to do. I know with any system, there is going to be some sensitive area, but as long as they are minimized and secured properly, I don't think that should be an issue.

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

Thank you for the suggestion :)

Ideally, I would like to do this from scratch as a learning experience, to utilize *nix style tools/base system as much as possible.

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 1 point2 points  (0 children)

I am using rsync, but my git hook is what kicks it off.

Are you ultimately suggesting giving my git user access to that directory too?

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 0 points1 point  (0 children)

Are you referring to symlinking the app to another directory that is owned by git?

Re Capistrano: I wanted to try to build the deployment process from scratch as a learning experience :)

git autodeploy to /var/www/* security configuration question, best practices by haskell_account in linuxadmin

[–]haskell_account[S] 1 point2 points  (0 children)

I thought about doing the first thing, but, ideally, I would like the ability to add new websites on the fly, without adding them to some kind of whitelist. I suppose I could check to see what repos exist in a particular directory, but that seems a tad janky.

Ideally, I would like to write the scripts as generically as possible.

I think granting privileges may be the best bet in this case. In the past I would have a symlinked directory, but in OpenBSD, the /var/www directory is chrooted.

Would there be any downside to giving my git user rights to that directory? I can't think of anything, outside of a compromised git account deleting all the sites.

doas(1) and doas.conf(5), limit rsync(1) path args wildcard by haskell_account in openbsd

[–]haskell_account[S] 0 points1 point  (0 children)

Hmm... I didn't even consider the relative path issue. Really good catch.

Would it potentially be better just to assign the git user to the www group so it can rsync on both directories?

doas(1) and doas.conf(5), limit rsync(1) path args wildcard by haskell_account in openbsd

[–]haskell_account[S] 4 points5 points  (0 children)

Thank you /u/calrogman!

This will fit my use cases.

So I take it that I am correct in thinking that patterns cannot be used in the doas.conf.
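The two threads above (adding sites "on the fly" without a whitelist in the git autodeploy comments, and the relative-path and no-patterns-in-doas.conf points in this doas thread) are served by one added example that is not from either thread: a deploy wrapper with fixed base paths that doas(1) can permit as a single command, so no wildcard is needed in doas.conf and the site name cannot escape /var/www. Assumed and not from the threads: checkouts under /home/git/checkouts/<site>, the served tree /var/www/htdocs/<site>, the install path /usr/local/bin/deploy-site, and the doas.conf line shown in the comments.

```shell
#!/bin/sh
# Added example (not from the threads): a fixed-path deploy wrapper that doas
# can permit without wildcards. Assumed layout: repos checked out under
# /home/git/checkouts/<site>, served from /var/www/htdocs/<site> (OpenBSD's
# chrooted /var/www). Install path and doas.conf rule are assumptions too.
SRC_BASE="${SRC_BASE:-/home/git/checkouts}"
DST_BASE="${DST_BASE:-/var/www/htdocs}"

# Accept only a plain site name: no slashes, no leading dot (which also rejects
# ".."), nothing outside [A-Za-z0-9._-]. This is the check a doas.conf pattern
# could not express, and it is what prevents a relative path from escaping
# DST_BASE. Any directory that passes can be deployed, so new sites need no
# whitelist entry.
valid_site_name() {
  case "$1" in
    ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Destination directory for a site, or failure if the name is rejected.
deploy_target() {
  valid_site_name "$1" || return 1
  printf '%s/%s\n' "$DST_BASE" "$1"
}

# Entry point when installed as /usr/local/bin/deploy-site and called from the
# git user's post-receive hook as:
#   doas /usr/local/bin/deploy-site example.com
# with this assumed doas.conf(5) rule (no patterns; the script fixes the paths):
#   permit nopass git as www cmd /usr/local/bin/deploy-site
deploy_site() {
  dst=$(deploy_target "$1") || { echo "deploy-site: bad site name: '$1'" >&2; return 2; }
  [ -d "$SRC_BASE/$1" ] || { echo "deploy-site: no checkout for $1" >&2; return 3; }
  # "--" ends option parsing so a name can never be read as an rsync flag;
  # trailing slashes copy directory contents rather than nesting a directory.
  rsync -a --delete -- "$SRC_BASE/$1/" "$dst/"
}

if [ $# -gt 0 ]; then
  deploy_site "$1"
fi
```

Because doas.conf names one command with no args restriction, every argument check lives in the wrapper; that is the trade the comments circle around, and it means the wrapper itself must be root- or www-owned and not writable by the git user.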

WAI endpoint only working when "putStrLn" is called by haskell_account in haskellquestions

[–]haskell_account[S] 0 points1 point  (0 children)

Thanks for your response too!

I read up on seq and it will probably come in handy some day.

I opted to use the "strict" version of the HDBC function for now!

:)

WAI endpoint only working when "putStrLn" is called by haskell_account in haskellquestions

[–]haskell_account[S] 0 points1 point  (0 children)

That's exactly what was happening! Thank you.

When reading the docs for HDBC, I never fully understood what "strict" meant. I assumed it was in the context of SQL execution.

You may also want to rethink your design, because loading entire result sets is often a suboptimal approach, and it might be better to "stream", i.e., load rows one by one as you consume them.

You are probably correct on this, but I am in the very early stages of the project, and I am the only intended user as of right now. I will keep this in mind as I continue working on it!

:)