
ICC updates



@Sidewinder I had the same experience. My ICC folder is in the Pi home folder so I just use the graphical file manager to change access rights to 777. I doubt some cracker is going to get to my Pi from the Internet. Users not familiar with Linux may find it easier although your sudo command sure does not tax the grey matter.


Aaaah yes, chmod 777, or in layman's terms, I don't care about security I just want it to work :-)

It is true of course that once someone has gained enough access to abuse a file-system permission, you already have bigger things to worry about.


@plonkster I do care very much about security but since there is only one 24/7 computer running Windows10 in this house, the rest are Ubuntu, I feel fairly safe. Also use the OpenWRT based Gargoyle firmware in my router and only connect with the built in OpenVPN connection over the Internet so things have been safe thus far, at least for the past 20 years or so that I have had an Internet connection, starting with a blindingly fast 2400 baud modem. I firmly believe in "never say never" so will modify ICC permissions to 755. Was just in a hurry when I set it up yesterday. I am a bit more concerned about the Android devices like cell phones, tablets and media players though. Also am seriously considering creating yet another VM running Ubuntu for the sole purpose of accessing bank and investment accounts. There are just too many very clever people with intentions to plunder, more or less like what passes for a government in this country, on the other side of the router.


6 minutes ago, ebrsa said:

I do care very much about security

Oh, please don't take my comment as being critical of what you've done, it's more of a humorous general comment. As I said, I do grant that by the time someone has local access, you already have bigger things to worry about. Besides, it is not as if there aren't many other places where an attacker can write files, like /tmp, /var/tmp, /run (on modern ubuntus that is a tmpfs for pid files), and so on and so forth. If you are REALLY serious (aka anal) about security you mount all of these with the noexec flag to prevent attackers from launching malicious code from there (btw... can Windows do that? Okay, let's not go there :-) ). Anyway, I don't know anybody who hardens their hosts to that extent.

There is another big flag for "I don't care I just want it to work", perhaps even bigger. When you are on a database host running postgresql and you see in pg_hba.conf the user said "local all all trust"... that shouts it even louder :-)


  • 2 weeks later...
On 6/7/2017 at 2:59 PM, plonkster said:

Oh, please don't take my comment as being critical of what you've done, it's more of a humorous general comment. As I said, I do grant that by the time someone has local access, you already have bigger things to worry about. Besides, it is not as if there aren't many other places where an attacker can write files, like /tmp, /var/tmp, /run (on modern ubuntus that is a tmpfs for pid files), and so on and so forth. If you are REALLY serious (aka anal) about security you mount all of these with the noexec flag to prevent attackers from launching malicious code from there (btw... can Windows do that? Okay, let's not go there :-) ). Anyway, I don't know anybody who hardens their hosts to that extent.

There is another big flag for "I don't care I just want it to work", perhaps even bigger. When you are on a database host running postgresql and you see in pg_hba.conf the user said "local all all trust"... that shouts it even louder :-)

say, what? You and I should have a beer sometime ;)

Running 777 might be fine for a test site, but rather use 755 if you want to. Apart from the internet / local security issues, in many cases, many scripts simply won't run as root or even with 777 permissions.


1 hour ago, SilverNodashi said:

many scripts simply won't run as root or even with 777 permissions.

Oh, it gets so much more interesting. I remember discovering the setuid bit (that allows a program to run as the user that owns the file, not as the person who starts it), and then discovering that didn't work with scripts because of the way the hash-bang is turned into something the kernel can execute (via binfmt-misc, I learned later).

And then later, when I had to admin a cluster of machines with shared space on NFS, and files failed to show up AT ALL... because of root squashing.

And then people tell me windows can do everything unix can. No ways. It can't confuse you nearly as badly as unix can. Trouble is... the confusion is there for good reason, it solves a problem... and that ought to make you think.


55 minutes ago, plonkster said:

Oh, it gets so much more interesting. I remember discovering the setuid bit (that allows a program to run as the user that owns the file, not as the person who starts it), and then discovering that didn't work with scripts because of the way the hash-bang is turned into something the kernel can execute (via binfmt-misc, I learned later).

And then later, when I had to admin a cluster of machines with shared space on NFS, and files failed to show up AT ALL... because of root squashing.

And then people tell me windows can do everything unix can. No ways. It can't confuse you nearly as badly as unix can. Trouble is... the confusion is there for good reason, it solves a problem... and that ought to make you think.

... and... then you discover selinux ;)


1 hour ago, SilverNodashi said:

... and... then you discover selinux ;)

Oh, I remember the day I ran into apparmor (which is like selinux-lite)... that was enough to convince me that there is a limit, a place where you have to stop, where security gets in the way of getting stuff done. I pretty much place the limit at mounting temp spaces with noexec and /home with nosuid.

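As an added example (not part of any post in this thread), a small shell check for the mount flags discussed above: noexec on /tmp, /var/tmp and /run, and nosuid on /home. The function names and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/sh
# Added example: check mount points for a required mount option.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/mmcblk0p2 / ext4 rw,noatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=94812k 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /home ext4 rw,relatime 0 0'

# has_mount_opt MOUNTS MOUNTPOINT OPTION
# Exit status: 0 = mounted with OPTION, 1 = mounted without it,
# 2 = not a separate mount (the path then inherits its parent's options).
# If a mount point is listed more than once, the last entry wins.
has_mount_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            found = 1; ok = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { if (!found) exit 2; exit(ok ? 0 : 1) }'
}

# audit_mounts MOUNTS: one result line per path named in the thread.
audit_mounts() {
    for pair in /tmp:noexec /var/tmp:noexec /run:noexec /home:nosuid; do
        mp=${pair%%:*}; opt=${pair##*:}
        rc=0; has_mount_opt "$1" "$mp" "$opt" || rc=$?
        case $rc in
            0) echo "OK      $mp has $opt" ;;
            1) echo "MISSING $mp lacks $opt" ;;
            2) echo "NOMOUNT $mp is not a separate mount" ;;
        esac
    done
}

# On a live Linux host: audit_mounts "$(cat /proc/mounts)"
audit_mounts "$SAMPLE_MOUNTS"
```

A NOMOUNT result matters as much as MISSING: a /var/tmp that lives on the root filesystem cannot get noexec without becoming its own mount.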

  • 7 months later...
8 minutes ago, SilverNodashi said:

Does ICC support SMA, yet?

Ooooh sunspec! Venus (the ccgx firmware) has recently grown sunspec support and SMA and SolarEdge are now detected and show up on the GUI, and the output is logged to VRM :-)

My own little venture into sunspec, so far, seems to show that while it is a standard, there are enough differences in implementation that you'll still have a lot of fun. For one, I still don't know why SMA PV inverters publish a storage model when they have no storage... :-)


Sunspec is of course pronounced "Soen-spek" for those of us who read Afrikaans, seeing as most solar makers and the ones who support this are German. Kissing bacon is in itself something that sounds sort of interesting... :-)
