I think this comes primarily from trying to add a separate management tool on top, instead of leveraging the OS structure itself. There is a reason why most directories are specified to be read-only. Also, writable XOR persistent is mostly true. The only things required to be writable are /tmp, /var and /home. /tmp is wiped at least on every boot or is even just a ramdisk. /var can be cached or reset to the predefined settings on boot. /home needs to be managed, that is true. But you wouldn't want every user's directory on every host anyway; instead you want to populate them on login. That is typically done by libpam.
/usr is expected to be shared among hosts, host-specific stuff goes into /usr/local for a reason, and as a sysadmin you can decide to simply not have host specific software.
EDR/AV is basically unnecessary, when you only mount things either writable or executable. And you don't want the users to start random software or mount random USB-sticks anyway.
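A quick way to check the writable-XOR-executable claim on a real host, as an added example that is not from the thread: it parses /proc/mounts (format: device, mountpoint, fstype, options, dump, pass) and lists mounts that are rw without noexec. The sample input is constructed; the check covers mount flags only.

```python
"""Audit mounts for W^X: flag any filesystem that is both writable and executable."""

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0
"""


def parse_mounts(text):
    """Yield (mountpoint, fstype, set_of_options) for each /proc/mounts line.

    /proc/mounts octal-escapes spaces in paths (\\040), so whitespace splitting is safe.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mountpoint, fstype, opts = fields[:4]
        yield mountpoint, fstype, set(opts.split(","))


def wx_violations(text):
    """Return mountpoints mounted rw and without noexec, i.e. writable AND executable."""
    bad = []
    for mountpoint, _fstype, opts in parse_mounts(text):
        writable = "rw" in opts
        executable = "noexec" not in opts
        if writable and executable:
            bad.append(mountpoint)
    return bad


def audit_live_host(path="/proc/mounts"):
    """Run the same check against the running system's mount table."""
    with open(path) as f:
        return wx_violations(f.read())


if __name__ == "__main__":
    for mp in wx_violations(SAMPLE_MOUNTS):
        print("writable and executable:", mp)
```

In the sample, /var and the USB stick fail the check. As the replies point out, noexec does not stop an interpreter from running a script, so this audit says nothing about `python ~/my.py`.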
> Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.
Unix has over 50 years of history of being primarily managed by sysadmins instead of home users. While Linux is not Unix, it has inherited a lot. The whole system is basically designed to run a bunch of admin configured software and is actually less suitable for home users. I would say the primary problem was accessing it with a Windows mindset.
> the primary problem was accessing it with a Windows mindset.
The early Unix systems you're talking about were mainframe based. Modern client-server or p2p apps need an entirely different mindset and a different set of tools that Linux just didn't have the last time I looked.
When they audit the company for SOX, PCI-DSS, etc. we can't just shrug and say "Nah, we decided we don't need that stuff." That's actually a good thing though, because if it were optional, well-meaning folks like you just wouldn't bother and the company would wind up on the evening news.
> And you don't want the users to start random software
python ~/my.py
wget | bash
> EDR/AV is basically unnecessary,
No, it's not and never will be.
Even if it were technically unnecessary (in some hypothetical future where privilege escalation became impossible?), legal, compliance, and insurance requirements would still be there.
> EDR/AV is basically unnecessary, when you only mount things either writable or executable
Sounds good, except:
* scripting languages exist. The situation is even worse on Linux than on Windows (because of the sysadmin focus). You need at least /bin/sh installed and runnable on any POSIX system. In practice bash, python, perl and many more are also always available.
* exploits exist. Just opening a pdf file may execute arbitrary code on a machine. There is no way to avoid that by just configuring your system. And it will happen sooner or later, especially if nation states are involved.
The idea that your systems are somehow unhackable because you... mount everything W^X is... not based in reality. Of course it's a great idea, but in practice you need defense in depth, and you need to have a way to Detect and Respond to inevitable Endpoint breaches. I don't love EDR/AVs, but they mitigate real attacks happening in the real world.