Open-source News

cPanel 102 Is Ready With Full Ubuntu LTS Support

Phoronix - Wed, 03/09/2022 - 22:30
As part of diversifying their supported range of Linux distributions since it was announced CentOS 8 would be going end-of-life, the popular cPanel commercial software package for easing the administration of Linux web servers has added support for AlmaLinux, and with cPanel v102 comes full support for Ubuntu 20.04 LTS...

Microsoft Wants To Add DirectX + HLSL Support To The Upstream LLVM/Clang Compiler

Phoronix - Wed, 03/09/2022 - 21:00
Microsoft has laid out a proposal whereby they are hoping to contribute support for DirectX, the HLSL shading language, and Vulkan graphics support to the upstream LLVM/Clang compiler...

AMD Posts Some New Linux Job Openings From Client CPU To Server

Phoronix - Wed, 03/09/2022 - 19:30
AMD continues recruiting more Linux engineers to join the company not only for their EPYC server processors given the dominance of Linux on the server/HPC front but also as part of their growing Linux client ambitions covering custom SoCs using Linux from Valve's Steam Deck to the Tesla in-vehicle infotainment system over to just running AMD Ryzen processors on Linux. This is good to see given AMD's traditionally much smaller Linux pool of talent compared to Intel's massive Linux/open-source engineering headcount...

MGLRU Continues To Look Very Promising For Linux Kernel Performance

Phoronix - Wed, 03/09/2022 - 19:00
One of many promising kernel patch series at the moment for enhancing Linux kernel performance is the multi-gen LRU framework (MGLRU) devised by Google engineers. They found the current Linux kernel page reclaim code is too expensive for CPU resources and can make poor eviction choices while MGLRU aims to yield better performance. These results are quite tantalizing and MGLRU is now up to its ninth revision...

Indirect Branch Tracking Ready Ahead Of Linux 5.18

Phoronix - Wed, 03/09/2022 - 18:40
Indirect Branch Tracking (IBT) as part of Intel's Control-flow Enforcement Technology (CET) is set to be supported as part of the upcoming Linux 5.18 kernel. Last night the IBT patch series was queued into TIP's x86/core ahead of the Linux 5.18 merge window...

Panfrost's Vulkan Driver Progressing On Compute Shaders

Phoronix - Wed, 03/09/2022 - 18:26
PanVK as Panfrost's open-source Vulkan driver in Mesa for Arm Mali graphics hardware is seeing progress on handling compute shaders...

Manage Linux users' home directories with systemd-homed

opensource.com - Wed, 03/09/2022 - 15:00
David Both - Wed, 03/09/2022 - 02:00

The entire systemd concept and implementation have introduced many changes since it began to replace the old SystemV startup and init tools. Over time, systemd has been extended into many other segments of the Linux environment.

One relatively new service, systemd-homed, extends the reach of systemd into the management of users' home directories. The feature enforces human user access only and restricts system users in the User ID (UID) range between 0 and 999. I support the systemd plan to take over the world, but I wondered if this was a bit excessive. Then I did some research.

What is systemd-homed?

The systemd-homed service supports user account portability independent of the underlying computer system. A practical example is to carry around your home directory on a USB thumb drive and plug it into any system which would automatically recognize and mount it. According to Lennart Poettering, lead developer of systemd, access to a user's home directory should not be allowed to anyone unless the user is logged in. The systemd-homed service is designed to enhance security, especially for mobile devices such as laptops. It also seems like a tool that might be useful with containers.

This objective can only be achieved if the home directory contains all user metadata. The ~/.identity file stores user account information, which is only accessible to systemd-homed when the password is entered. This file holds all of the account metadata, including everything Linux needs to know about you, so that the home directory is portable to any Linux host that uses systemd-homed. This approach prevents having an account with a stored password on every system you might need to use.

The home directory can also be encrypted using your password. Under systemd-homed, your home directory stores your password with all of your user metadata. Your encrypted password is not stored anywhere else and thus cannot be accessed by anyone. Although the methods used to encrypt and store passwords for modern Linux systems are considered to be unbreakable, the best safeguard is to prevent them from being accessed in the first place. Assumptions about the invulnerability of their security have led many to ruin.

This service is primarily intended for use with portable devices such as laptops. Poettering states, "Homed is intended primarily for client machines, i.e., laptops and thus machines you typically ssh from a lot more than ssh to, if you follow what I mean." It is not intended for use on servers or workstations that are tethered to a single location by cables or locked into a server room.

The systemd-homed service is enabled by default on new installations—at least for Fedora, which is the distro that I use. This configuration is by design, and I don't expect that to change. User accounts are not affected or altered in any way on systems with existing filesystems, upgrades, or reinstallations that keep the existing partitions and logical volumes.

Creating controlled users

Traditional tools such as useradd create accounts and home directories that systemd-homed does not manage. Therefore, if you continue to use the conventional user management tools, your home directories are not managed by systemd-homed. This is also the case with the non-root user account created during a new installation.

The homectl command

The homectl command creates user accounts that systemd-homed manages. Using the homectl command to create a new account generates the metadata needed to make the home directory portable.

The homectl command man page has a good explanation of the objectives and function of the systemd-homed service. However, reading the homectl man page is quite interesting, especially the Example section. Of the five examples, three show how to create user accounts with specific limits imposed, such as a maximum number of concurrent processes or a maximum amount of disk space.

In a non-homectl setup, the /etc/security/limits.conf file imposes these limits. The only advantage I can see to this is that it adds a user and applies the limits with a single command. With the traditional method, the sysadmin must configure the limits.conf file manually.

Limitations

The only significant limitation I am aware of is that it is not possible to access a user home directory remotely using OpenSSH. This limitation is due to the current inability of PAM to provide access to a home directory managed by homectl. Poettering seems doubtful that this can be overcome. This issue would prevent me from using systemd-homed for my home directory on my primary workstation or even my laptop. I typically log into both computers remotely several times per day using SSH, so this is a showstopper for me.

The other concern I can see is that you still need a Linux computer for use with a USB thumb drive with your home directory on it, and that computer needs to have systemd-homed running.

It is optional

You don't have to use it, however. I plan to continue using the traditional tools for user management to support my workflow. The default for the few distros I have some little knowledge of, including Fedora, is for the systemd-homed service to be enabled and running. You can disable and stop the systemd-homed service without impacting traditional user accounts.

Final thoughts

Sysadmins can use the systemd-homed service for a secure form of management of roaming users' home directories. It is useful on portable devices like laptops and can be especially useful for users who carry a thumb drive containing only their home directories to plug it into any convenient Linux computer.

The primary limitation of using systemd-homed is that it is impossible to log in remotely using SSH. And even though the systemd-homed is enabled by default, it does not affect home directories created with the useradd command. I do need to point out that—like many systemd tools—systemd-homed is optional. So I just stopped and disabled the service.

If I need to take my home directory in a package smaller than my laptop, I can just use a live USB with persistent storage.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

NordVPN Installation and Review On Linux

Tecmint - Wed, 03/09/2022 - 13:34
The post NordVPN Installation and Review On Linux first appeared on Tecmint: Linux Howtos, Tutorials & Guides.

Downloading and utilizing VPNs (Virtual Private Networks) is theoretically the norm nowadays. If you aren’t with a VPN already, you’re still in the majority but with a gradual increase in privacy and security concerns

How to Install WordPress on RHEL 8 with Apache

Tecmint - Wed, 03/09/2022 - 12:06
The post How to Install WordPress on RHEL 8 with Apache first appeared on Tecmint: Linux Howtos, Tutorials & Guides.

WordPress is an immensely popular CMS (Content Management System) that accounts for nearly 43% of all the websites according to W3techs.com. From powering high-traffic sites such as eCommerce, and news websites to simple blogs,

Godot 4.0 Alpha 4 Released With OpenXR Support In Core, Other Improvements

Phoronix - Wed, 03/09/2022 - 08:30
Godot 4.0 continues marching closer to its much anticipated release with today marking the fourth release candidate already for this open-source game engine...