Gentoo Forums
File /etc/machine-id
Gentoo Forums Forum Index Networking & Security
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Mon Mar 11, 2019 3:06 am    Post subject: File /etc/machine-id

Discussion referenced in the news at Distrowatch:
https://distrowatch.com/weekly.php?issue=20190311#news
references a file /etc/machine-id being discussed by Devuan team.

I have that file, the same one since 18 November 2017, readable by anybody. Isn't this a security risk for snooping software? It's like I've been fingerprinted. I don't want such a file. Is anybody doing anything about this? I don't run systemd.
_________________
Andy Figueroa
andy@andyfigueroa.net Working with Unix since 1983.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5593
Posted: Mon Mar 11, 2019 3:15 am

You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.

If you're worried about snooping software, don't install any.
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5802
Posted: Mon Mar 11, 2019 3:39 am

zfs uses something similar, /etc/hostid... but it's based off your ip address, and if you're using 192.168.x.x, there's nothing to be worried about there because it's really not identifying.

it looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.
_________________
overlay | patches
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Mon Mar 11, 2019 3:41 am

Ant P. wrote:
You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.

If you're worried about snooping software, don't install any.

That's not a good answer. We Gentoo users, and many other Linux users, are being fingerprinted with that file. Why isn't there a standard, default, shutdown script that deletes that file automatically? Why should it have permission read by all anyway? This is a bad thing.
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Mon Mar 11, 2019 3:44 am

bunder wrote:
it looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.

It would be great to have a reference for that kernel line. An Internet search for /etc/machine-id does not bring up a lot of help.
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5802
Posted: Mon Mar 11, 2019 3:46 am

figueroa wrote:
bunder wrote:
it looks like you can also define them both on the kernel line, so you could always change them up every few weeks as well.

It would be great to have a reference for that kernel line. An Internet search for /etc/machine-id does not bring up a lot of help.


it was linked in the article you posted... https://www.freedesktop.org/software/systemd/man/machine-id.html

Quote:
The machine ID may be set, for example when network booting, with the systemd.machine_id= kernel command line parameter or by passing the option --machine-id= to systemd. An ID specified in this manner has higher priority and will be used instead of the ID stored in /etc/machine-id.

figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Mon Mar 11, 2019 4:02 am

bunder wrote:
it was linked in the article you posted... https://www.freedesktop.org/software/systemd/man/machine-id.html

Quote:
The machine ID may be set, for example when network booting, with the systemd.machine_id= kernel command line parameter or by passing the option --machine-id= to systemd. An ID specified in this manner has higher priority and will be used instead of the ID stored in /etc/machine-id.


Thank you for that, but I don't network boot or have systemd installed. I've never had systemd installed.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
Posted: Tue Mar 12, 2019 1:32 am

Rather than deleting it, wouldn't it be better to patch the offending program(s) not to create it? That would be better than assuming you will reboot often enough to clear it routinely. Failing that, patch them to store it somewhere that is automatically cleared, like /run or a directory under management of a tmpreaper.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 17771
Posted: Tue Mar 12, 2019 3:19 am

Seems dbus really wants it.
Code:
$ grep machine-id /etc/init.d/dbus
        /usr/bin/dbus-uuidgen --ensure=/etc/machine-id
man dbus-uuidgen wrote:
dbus-uuidgen --ensure

This will ensure that /var/lib/dbus/machine-id exists and has the uuid in it. It won't overwrite an existing uuid, since this id should
remain fixed for a single machine until the next reboot at least.

The important properties of the machine UUID are that 1) it remains unchanged until the next reboot and 2) it is different for any two
running instances of the OS kernel. That is, if two processes see the same UUID, they should also see the same shared memory, UNIX
domain sockets, local X displays, localhost.localdomain resolution, process IDs, and so forth.

If you run dbus-uuidgen with no options it just prints a new uuid made up out of thin air.

If you run it with --get, it prints the machine UUID by default, or the UUID in the specified file if you specify a file.

If you try to change an existing machine-id on a running system, it will probably result in bad things happening. Don't try to change
this file. Also, don't make it the same on two different systems; it needs to be different anytime there are two different kernels
running.
Also, /etc/lvm/lvm.conf may reference /etc/machine-id to use as lvm's system-id.
_________________
I honestly think you ought to sit down calmly, take a stress pill, and think things over.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 3:43 am

If you're running systemd/journald, the machine id is used to select which directory the logs go to.
There are a lot more things you can get from the machine that uniquely identify it (ifconfig doesn't need root and can get your MAC address, for one), though one more is not good. Anyone tried making this file unreadable to the world?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5593
Posted: Tue Mar 12, 2019 3:49 am

figueroa wrote:
Ant P. wrote:
You can delete it at shutdown if you want, dbus will recreate it with a different value at the next boot.

If you're worried about snooping software, don't install any.

That's not a good answer. We Gentoo users, and many other Linux users, are being fingerprinted with that file. Why isn't there a standard, default, shutdown script that deletes that file automatically? Why should it have permission read by all anyway? This is a bad thing.

Fingerprinted by whom? You have all the tools you need to produce a satisfactory answer to that question, show some initiative. Which malware did you install, so that the rest of us know to avoid it?

If you're that paranoid about fingerprinting, then you'd better make sure you close all the other avenues of attack:
  • remove networking (you probably haven't secured net.ipv6.conf.all.use_tempaddr, have you?)
  • don't have world-readable /dev/ (ls -l /dev/*/by-*/ looks juicy, doesn't it?)
  • ditto for /proc/ (have you anonymised your /proc/version yet?)
  • remove /sys/ (what does your DMI data say about you? Have you shuffled your PCI cards lately?)
  • shred /etc/ (your make.conf is probably unique!)
  • remove $HOME (if apps can access this, it's already game over)

And why even use Linux at all if you're going to blindly assume bad faith in the developers of all the software you're using?

Do the most basic level of research before you fly into histrionics like this.
arnvidr
Guru
Joined: 19 Aug 2004
Posts: 589
Location: Oslo, Norway
Posted: Tue Mar 12, 2019 3:24 pm

Perfect is the enemy of good, so that's a whole lot of irrelevant points you're making.

And fingerprinted by dbus, obviously. Still not adequately explained why this id is necessary.

I added a rm to the dbus init script shutdown routine, since it is responsible for re-creating it at boot-time anyway. I found some references to others having the file on a tmpfs, which would accomplish the same thing. It's a reasonable compromise until an explanation is found for *why* it is bad to change it while the system is running.
_________________
Noone wrote:
anything
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 4:21 pm

machine-id on freedesktop wrote:
This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID will be properly unique, and derived in a constant way from the machine ID but there will be no way to retrieve the original machine ID from the application-specific one. The sd_id128_get_machine_app_specific(3) API provides an implementation of such an algorithm.

Chrome is the untrusted application here, according to the attached thread. Anyone know what chromium is doing with the machine id?
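As an added example (not code from this thread, from dbus or from systemd), here is the keyed-hash derivation that the freedesktop text quoted above describes, in Python: an application gets a stable, app-specific UUID derived from the machine ID without being able to recover the machine ID from it. The machine-id value is constructed, the application keys are hypothetical, and the HMAC arrangement (application key as the HMAC key, machine ID as the message) follows the man page wording rather than reproducing sd_id128_get_machine_app_specific() bit for bit.

```python
import hashlib
import hmac
import re
import uuid

# Constructed sample in the on-disk format machine-id(5) documents:
# 32 lowercase hex digits terminated by a newline. Not a real machine's ID.
SAMPLE_MACHINE_ID_FILE = "0123456789abcdef0123456789abcdef\n"

_MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_machine_id(text: str) -> bytes:
    """Validate the file contents and return the 16 raw bytes.

    Anything other than exactly 32 lowercase hex digits is rejected, so a
    truncated, empty or hand-edited file fails loudly instead of silently
    yielding a bogus identifier.
    """
    value = text.strip()
    if not _MACHINE_ID_RE.match(value):
        raise ValueError("malformed machine-id: expected 32 lowercase hex digits")
    return bytes.fromhex(value)


def app_specific_id(machine_id: bytes, app_key: bytes) -> str:
    """Derive an application-specific ID with HMAC-SHA256.

    The fixed, application-specific key is the HMAC key and the machine ID is
    the message (an assumption modelled on the man page wording). The digest is
    truncated to 128 bits and formatted as a UUID. The result is stable for a
    given (machine, application) pair, differs between applications, and does
    not reveal the machine ID, since HMAC is one-way.
    """
    if len(machine_id) != 16:
        raise ValueError("machine ID must be 16 bytes")
    if len(app_key) < 16:
        raise ValueError("application key should be at least 128 bits")
    digest = hmac.new(app_key, machine_id, hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def demo(machine_id_file: str = SAMPLE_MACHINE_ID_FILE) -> dict:
    """Derive IDs for two hypothetical applications from one machine ID."""
    mid = parse_machine_id(machine_id_file)
    # Hypothetical keys; a real application ships one fixed key of its own.
    return {
        "backup-agent": app_specific_id(mid, b"example-backup-agent-key-2019"),
        "telemetry": app_specific_id(mid, b"example-telemetry-key-2019"),
    }


if __name__ == "__main__":
    for app, ident in demo().items():
        print(f"{app:14s} {ident}")
```

Whether the raw file itself is world-readable is a separate question from this derivation; the derivation only keeps applications that follow the documented pattern from leaking the machine ID onward.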
krinn
Watchman
Joined: 02 May 2003
Posts: 6968
Posted: Tue Mar 12, 2019 4:47 pm

oh so that ultra secure machineid is protected and to use it i must do
sd_id1000000010101000243000_get_machine_app_specific_ultra_secure_cryptic() {
cat /etc/machine-id
}

that's their vision of security?
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Tue Mar 12, 2019 5:32 pm

pjp wrote:
Seems dbus really wants it.
Code:
$ grep machine-id /etc/init.d/dbus
        /usr/bin/dbus-uuidgen --ensure=/etc/machine-id

Thanks, I hadn't quite gotten that far. That's how it gets created if it doesn't exist. It would seem to be a good thing to add "rm /etc/machine-id" to a .stop file in /etc/local.d/. Then, at least, I get a fresh number each time I reboot, which isn't often, but it plugs one more privacy hole, since the use of this file is not living up to its documentation.

I don't want to edit the dbus init file because that will just get changed when updating.

Sure, there are lots of ways to be fingerprinted over the network but one less would be good.
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Tue Mar 12, 2019 5:45 pm

Ant P. wrote:
Do the most basic level of research before you fly into histrionics like this.

I'm just an overdeveloped user and appreciate your contribution, even though you were not encouraging. I found something I thought was worth sharing, so I did, and I thought I might get a little help here, which I have.
mike155
l33t
Joined: 17 Sep 2010
Posts: 998
Location: Frankfurt, Germany
Posted: Tue Mar 12, 2019 6:38 pm

Quote:
This ID uniquely identifies the host. It should be considered "confidential"

The machine-id doesn't seem to be very "confidential". On every machine I looked at, everyone can read it:
Code:
-rw-r--r-- 1 root root 33  Oct 26 2011  /etc/machine-id

Stranger still, the file has the same 'last modification date' on most machines I looked at: Oct 26 2011 - even if the machine was installed only a few weeks ago...
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Tue Mar 12, 2019 6:47 pm

mike155 wrote:
Stranger still, the file has the same 'last modification date' on most machines I looked at: Oct 26 2011 - even if the machine was installed only a few weeks ago...


I do have an Oct 26, 2011, but on my newer x86_64 machine the /etc/machine-id date matches the installation date, Nov 18, 2017.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA
Posted: Tue Mar 12, 2019 7:21 pm

I think I'm going to chmod it and see what breaks in userland, they should not be using it, IMHO.

-edit-

Hmm. The data appears to be available in dbus anyway (so it seems anything that talks to dbus has the potential to use it). So we have to trust the applications that we run... surprise surprise...
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Fri Mar 15, 2019 7:21 pm

eccerr0r wrote:
I think I'm going to chmod it and see what breaks in userland, they should not be using it, IMHO.
Hmm. The data appears to be available in dbus anyway (so it seems anything that talks to dbus has the potential to use it). So we have to trust the applications that we run... surprise surprise...

Making machine-id root read-only causes log errors in lightdm in MX Linux (Debian based). But lightdm still works as expected. I didn't bother trying this in Gentoo, my main system.

Deleting the file /etc/machine-id at shutdown via /etc/local.d/ *.stop file works as expected and a new one is created upon reboot by the dbus init file. That works without error. I've done it, and I like it, even though I don't reboot very often (months).

It seems strange to me that, since Gentoo is a non-systemd-centric distribution, the dbus init file creates or re-creates /etc/machine-id (a systemd thing) rather than /var/lib/dbus/machine-id (which is a dbus thing), and that /var/lib/dbus/machine-id is by default a symlink to /etc/machine-id. That strikes me as totally backwards systemd thinking. How did that happen?
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5593
Posted: Fri Mar 15, 2019 7:57 pm

Where do you get that systemd owns this file from?
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Fri Mar 15, 2019 8:30 pm

Ant P. wrote:
Where do you get that systemd owns this file from?

For the /etc/machine-id here: https://www.freedesktop.org/software/systemd/man/machine-id.html
Naib
Watchman
Joined: 21 May 2004
Posts: 5588
Location: Removed by Neddy
Posted: Fri Mar 15, 2019 8:48 pm

figueroa wrote:
Ant P. wrote:
Where do you get that systemd owns this file from?

For the /etc/machine-id here: https://www.freedesktop.org/software/systemd/man/machine-id.html
which comes from dbus
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
figueroa
Guru
Joined: 14 Aug 2005
Posts: 401
Location: GA-USA
Posted: Fri Mar 15, 2019 8:59 pm

Naib wrote:
figueroa wrote:
Ant P. wrote:
Where do you get that systemd owns this file from?

For the /etc/machine-id here: https://www.freedesktop.org/software/systemd/man/machine-id.html
which comes from dbus
No, best I can tell, /var/lib/dbus/machine-id comes from dbus. If not, show me.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5593
Posted: Fri Mar 15, 2019 9:15 pm

/etc/init.d/dbus
All times are GMT
Page 1 of 2