figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Mon Mar 11, 2019 3:06 am Post subject: File /etc/machine-id
Discussion referenced in the news at Distrowatch:
https://distrowatch.com/weekly.php?issue=20190311#news
references a file /etc/machine-id being discussed by the Devuan team.
I have that file, the same one since 18 November 2017, readable by anybody. Isn't this a security risk for snooping software? It's like I've been fingerprinted. I don't want such a file. Is anybody doing anything about this? I don't run systemd.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Mar 11, 2019 3:15 am
You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.
If you're worried about snooping software, don't install any.
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Mon Mar 11, 2019 3:39 am
ZFS uses something similar, /etc/hostid... but it's based off your IP address, and if you're using 192.168.x.x, there's nothing to be worried about there because it's really not identifying.
It looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.
_________________
Neddyseagoon wrote:
    The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Mon Mar 11, 2019 3:41 am
Ant P. wrote:
    You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.
    If you're worried about snooping software, don't install any.
That's not a good answer. We Gentoo users, and many other Linux users, are being fingerprinted with that file. Why isn't there a standard, default, shutdown script that deletes that file automatically? Why should it have permission read by all anyway? This is a bad thing.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Mon Mar 11, 2019 3:44 am
bunder wrote:
    it looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.
It would be great to have a reference for that kernel line. An Internet search for /etc/machine-id does not bring up a lot of help.
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Mon Mar 11, 2019 3:46 am
figueroa wrote:
    bunder wrote:
        it looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.
    It would be great to have a reference for that kernel line. An Internet search for /etc/machine-id does not bring up a lot of help.
It was linked in the article you posted... https://www.freedesktop.org/software/systemd/man/machine-id.html
Quote:
    The machine ID may be set, for example when network booting, with the systemd.machine_id= kernel command line parameter or by passing the option --machine-id= to systemd. An ID specified in this manner has higher priority and will be used instead of the ID stored in /etc/machine-id.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Mon Mar 11, 2019 4:02 am
bunder wrote:
    it was linked in the article you posted... https://www.freedesktop.org/software/systemd/man/machine-id.html
    Quote:
        The machine ID may be set, for example when network booting, with the systemd.machine_id= kernel command line parameter or by passing the option --machine-id= to systemd. An ID specified in this manner has higher priority and will be used instead of the ID stored in /etc/machine-id.
Thank you for that, but I don't network boot or have systemd installed. I've never had systemd installed.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Tue Mar 12, 2019 1:32 am
Rather than deleting it, wouldn't it be better to patch the offending program(s) not to create it? That would be better than assuming you will reboot often enough to clear it routinely. Failing that, patch them to store it somewhere that is automatically cleared, like /run or a directory under management of a tmpreaper.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Mar 12, 2019 3:19 am
Seems dbus really wants it.
Code:
    $ grep machine-id /etc/init.d/dbus
    /usr/bin/dbus-uuidgen --ensure=/etc/machine-id
man dbus-uuidgen wrote:
    dbus-uuidgen --ensure
    This will ensure that /var/lib/dbus/machine-id exists and has the uuid in it. It won't overwrite an existing uuid, since this id should remain fixed for a single machine until the next reboot at least.
    The important properties of the machine UUID are that 1) it remains unchanged until the next reboot and 2) it is different for any two running instances of the OS kernel. That is, if two processes see the same UUID, they should also see the same shared memory, UNIX domain sockets, local X displays, localhost.localdomain resolution, process IDs, and so forth.
    If you run dbus-uuidgen with no options it just prints a new uuid made up out of thin air.
    If you run it with --get, it prints the machine UUID by default, or the UUID in the specified file if you specify a file.
    If you try to change an existing machine-id on a running system, it will probably result in bad things happening. Don't try to change this file. Also, don't make it the same on two different systems; it needs to be different anytime there are two different kernels running.
Also, /etc/lvm/lvm.conf may reference /etc/machine-id to use as lvm's system-id.
_________________
Quis separabit? Quo animo?
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 3:43 am
If you're running systemd/journald, the machine id is used to select which directory the logs go to.
There are a lot more things you can get from the machine that uniquely identify it (ifconfig doesn't need root and can get your MAC address, for one), though one more is not good. Anyone tried making this file unreadable to the world?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Mar 12, 2019 3:49 am
figueroa wrote:
    Ant P. wrote:
        You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.
        If you're worried about snooping software, don't install any.
    That's not a good answer. We Gentoo users, and many other Linux users, are being fingerprinted with that file. Why isn't there a standard, default, shutdown script that deletes that file automatically? Why should it have permission read by all anyway? This is a bad thing.
Fingerprinted by whom? You have all the tools you need to produce a satisfactory answer to that question, show some initiative. Which malware did you install, so that the rest of us know to avoid it?
If you're that paranoid about fingerprinting, then you'd better make sure you close all the other avenues of attack:
- remove networking (you probably haven't secured net.ipv6.conf.all.use_tempaddr, have you?)
- don't have world-readable /dev/ (ls -l /dev/*/by-*/ looks juicy, doesn't it?)
- ditto for /proc/ (have you anonymised your /proc/version yet?)
- remove /sys/ (what does your DMI data say about you? Have you shuffled your PCI cards lately?)
- shred /etc/ (your make.conf is probably unique!)
- remove $HOME (if apps can access this, it's already game over)
And why even use Linux at all if you're going to blindly assume bad faith in the developers of all the software you're using?
Do the most basic level of research before you fly into histrionics like this.
arnvidr l33t
Joined: 19 Aug 2004 Posts: 629 Location: Oslo, Norway
Posted: Tue Mar 12, 2019 3:24 pm
Perfect is the enemy of good, so that's a whole lot of irrelevant points you're making.
And fingerprinted by dbus, obviously. Still not adequately explained why this id is necessary.
I added a rm to the dbus init script shutdown routine, since it is responsible for re-creating it at boot-time anyway. I found some references to others having the file on a tmpfs, which would accomplish the same thing. It's a reasonable compromise until an explanation is found for *why* it is bad to change it while the system is running.
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 4:21 pm
machine-id on freedesktop wrote:
    This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID will be properly unique, and derived in a constant way from the machine ID but there will be no way to retrieve the original machine ID from the application-specific one. The sd_id128_get_machine_app_specific(3) API provides an implementation of such an algorithm.
Chrome is the untrusted application here, according to the attached thread. Anyone know what chromium is doing with the machine id?
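The two pieces of documentation quoted in this thread (pjp's excerpt of `man dbus-uuidgen` describing what `--ensure` guarantees, and the freedesktop machine-id page quoted just above recommending a keyed hash for application-specific IDs) can be tried out offline. The block below is an added example written for this page; it is not code from the thread, from dbus, or from systemd. It assumes the file format seen on the systems discussed here (32 lowercase hex digits plus a newline) and uses HMAC-SHA256 keyed with the machine id over an application constant, which follows the freedesktop description but is not a byte-for-byte reimplementation of sd_id128_get_machine_app_specific(3). The path, application names and the `demo()` helper are illustrative only.

```python
"""Added example (not from the thread, dbus or systemd): mimic what
`dbus-uuidgen --ensure` guarantees, validate the file format, and derive
application-specific IDs the way the freedesktop machine-id page recommends.
Standard library only."""
import hashlib
import hmac
import os
import re
import secrets
import tempfile

# Assumed format: 32 lowercase hex digits and one trailing newline (33 bytes).
_MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_machine_id(text):
    """Return the 32-hex id from file contents, or raise ValueError.
    Rejects uppercase, extra lines, missing newline and wrong length."""
    if not text.endswith("\n") or text.count("\n") != 1:
        raise ValueError("machine-id must be exactly one newline-terminated line")
    value = text[:-1]
    if not _MACHINE_ID_RE.fullmatch(value):
        raise ValueError("machine-id must be 32 lowercase hex digits")
    return value


def is_valid_machine_id(text):
    """Boolean wrapper around parse_machine_id for callers that just want a check."""
    try:
        parse_machine_id(text)
        return True
    except ValueError:
        return False


def ensure_machine_id(path):
    """Like `dbus-uuidgen --ensure=PATH`: create the file with a fresh random id
    if it is missing, never overwrite an existing one.  Returns (id, created).
    An existing but malformed file raises ValueError rather than being replaced."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return parse_machine_id(fh.read()), False
    except FileNotFoundError:
        pass
    new_id = secrets.token_hex(16)  # 128 random bits, lowercase hex
    # O_EXCL: two concurrent creators cannot both succeed, so the id stays unique.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(new_id + "\n")
    # 0644 is the world-readable mode the thread observes on real systems;
    # set it explicitly so the umask does not change the demonstration.
    os.chmod(path, 0o644)
    return new_id, True


def app_specific_id(machine_id, app_id):
    """Keyed-hash derivation: HMAC-SHA256 keyed with the machine id over an
    application constant, truncated to 128 bits and rendered as 32 hex digits.
    Stable per machine+app, different between apps, and the machine id cannot
    be recovered from the output (illustrative, not systemd's exact algorithm)."""
    parse_machine_id(machine_id + "\n")  # refuse garbage keys
    mac = hmac.new(bytes.fromhex(machine_id), app_id.encode("utf-8"), hashlib.sha256)
    return mac.digest()[:16].hex()


def demo():
    """Exercise the helpers on a scratch file and return the observed properties."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "machine-id")  # stands in for /etc/machine-id
        first, created = ensure_machine_id(path)
        second, created_again = ensure_machine_id(path)  # must not regenerate
        mode = os.stat(path).st_mode & 0o777
    browser = app_specific_id(first, "org.example.browser")  # hypothetical app ids
    logger = app_specific_id(first, "org.example.logger")
    return {
        "created": created,
        "stable": first == second and not created_again,
        "mode": mode,
        "app_ids_differ": browser != logger,
        "app_id_len": len(browser),
        "app_id_hides_machine_id": browser != first,
    }


if __name__ == "__main__":
    print(demo())
```

The caveat krinn raises below still applies: the keyed hash protects the machine id from whoever receives the derived value (a remote service only ever sees the per-application output), but any local process that can read a world-readable /etc/machine-id can compute every derived id itself. Tightening the file mode or clearing the file at shutdown, as discussed later in the thread, is what limits local readers; the hash does not.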
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Tue Mar 12, 2019 4:47 pm
Oh, so that ultra-secure machine-id is protected, and to use it I must do
    sd_id1000000010101000243000_get_machine_app_specific_ultra_secure_cryptic() {
        cat /etc/machine-id
    }
That's their vision of security?
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Tue Mar 12, 2019 5:32 pm
pjp wrote:
    Seems dbus really wants it.
    Code:
        $ grep machine-id /etc/init.d/dbus
        /usr/bin/dbus-uuidgen --ensure=/etc/machine-id
Thanks, I hadn't quite gotten that far. That's how it gets created if it doesn't exist. It would seem to be a good thing to add "rm /etc/machine-id" to a .stop file in /etc/local.d/. Then, at least, I get a fresh number each time I reboot, which isn't often, but it plugs one more privacy hole, since the use of this file is not living up to its documentation.
I don't want to edit the dbus init file because that will just get changed when updating.
Sure, there are lots of ways to be fingerprinted over the network but one less would be good.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Tue Mar 12, 2019 5:45 pm
Ant P. wrote:
    Do the most basic level of research before you fly into histrionics like this.
I'm just an overdeveloped user and appreciate your contribution, even though you were not encouraging. I found something I thought was worth sharing, so I did, and I thought I might get a little help here, which I have.
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Tue Mar 12, 2019 6:38 pm
Quote:
    This ID uniquely identifies the host. It should be considered "confidential"
The machine-id doesn't seem to be very "confidential". On every machine I looked at, everyone can read it:
Code:
    -rw-r--r-- 1 root root 33 Oct 26 2011 /etc/machine-id
Stranger still, the file has the same 'last modification date' on most machines I looked at: Oct 26 2011 - even if the machine was installed only a few weeks ago...
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Tue Mar 12, 2019 6:47 pm
mike155 wrote:
    Stranger still, the file has the same 'last modification date' on most machines I looked at: Oct 26 2011 - even if the machine was installed only a few weeks ago...
I do have an Oct 26, 2011 one too, but on my newer x86_64 machine the /etc/machine-id date matches the installation date, Nov 18, 2017.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 7:21 pm
I think I'm going to chmod it and see what breaks in userland, they should not be using it, IMHO.
-edit-
Hmm. The data appears to be available in dbus anyway (so it seems anything that talks to dbus has the potential to use it). So we have to trust the applications that we run... surprise surprise...
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Fri Mar 15, 2019 7:21 pm
eccerr0r wrote:
    I think I'm going to chmod it and see what breaks in userland, they should not be using it, IMHO.
    Hmm. The data appears to be available in dbus anyway (so it seems anything that talks to dbus has the potential to use it). So we have to trust the applications that we run... surprise surprise...
Making machine-id root read-only causes log errors in lightdm in MX Linux (Debian based). But lightdm still works as expected. I didn't bother trying this in Gentoo, my main system.
Deleting the file /etc/machine-id at shutdown via a /etc/local.d/*.stop file works as expected, and a new one is created upon reboot by the dbus init file. That works without error. I've done it, and I like it, even though I don't reboot very often (months).
It seems strange to me that Gentoo, being a non-systemd-centric distribution, has the dbus init file create or re-create /etc/machine-id (a systemd thing) rather than /var/lib/dbus/machine-id (which is a dbus thing), and that /var/lib/dbus/machine-id is by default a symlink to /etc/machine-id. That strikes me as totally backwards systemd thinking. How did that happen?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Mar 15, 2019 7:57 pm
Where do you get that systemd owns this file from?
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Fri Mar 15, 2019 8:30 pm
Ant P. wrote:
    Where do you get that systemd owns this file from?
For the /etc/machine-id, here: https://www.freedesktop.org/software/systemd/man/machine-id.html
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Fri Mar 15, 2019 8:48 pm
Which comes from dbus.
_________________
Quote:
    Removed by Chiitoo
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
Posted: Fri Mar 15, 2019 8:59 pm
Naib wrote:
    which comes from dbus
No, best I can tell, /var/lib/dbus/machine-id comes from dbus. If not, show me.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Mar 15, 2019 9:15 pm
/etc/init.d/dbus