
Re: [OT] /etc/machine-id "must not be exposed in untrusted environments"



On Thu, Aug 08, 2019 at 11:12:37PM +0200, Sven Joachim wrote:
> On 2019-08-08 15:20 -0400, Marvin Renich wrote:
> > The man page for machine-id says:
> >
> >   This ID uniquely identifies the host. It should be considered
> >   "confidential", and must not be exposed in untrusted environments, in
> >   particular on the network.

> > If so, how can it be prevented from being exposed on the network if
> > there is any user access from the network?  Is this really a security
> > concern?
> 
> No, but it is a privacy concern, since exposing the file over the
> network may allow tracking your machine.

For example, Chromium does so for a Google-specific tracking id (some "cloud
management enrollment token").

But... if this ID must not be exposed on the network, why does it need to be
unique?  There's systemd-networkd leaking it to dhcp servers, but that's a
violation of a "must" requirement of their own standard, and other dhcp
clients don't have that problem.

Are there any other such issues?

Thus, what about just writing "Spartacus" to that file?  To avoid NIH, let's
use "d41d8cd98f00b204e9800998ecf8427e" as proposed by Jamey Fletcher.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian is one big family.  Including that weird uncle
⢿⡄⠘⠷⠚⠋⠀ and ultra-religious in-laws.
⠈⠳⣄⠀⠀⠀⠀
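
An added example, not part of the original message and not systemd's code: machine-id(5) advises applications to derive their identifiers from the machine ID with a keyed hash instead of exposing the raw value, and this Python code uses HMAC-SHA256 for that to show what a shared constant such as the one proposed above does to the derived IDs. The host IDs, application UUIDs and function names are constructed for illustration.

```python
import hashlib
import hmac
import uuid

# Constant proposed in the message above (the MD5 digest of empty input).
SHARED_CONSTANT = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed sample values, not taken from any real host or application.
HOST_A = "3f9c2a7b5e1d4c8fa0b6d2e49c7f1a35"
HOST_B = "a17e04c9d2b84f6e9b3c5d0f8e2a6b41"
APP_MAIL = uuid.UUID("6f1c9a52-3b7e-4d08-9a41-2c5e8f7b0d13")
APP_SYNC = uuid.UUID("b8d40e27-915c-4f3a-8e62-7a0c1d9f4b56")


def parse_machine_id(text: str) -> bytes:
    """Accept only the on-disk format: 32 lowercase hex characters."""
    value = text.strip()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("expected 32 lowercase hexadecimal characters")
    return bytes.fromhex(value)


def app_specific_id(machine_id: str, app_id: uuid.UUID) -> str:
    """HMAC-SHA256 keyed with the machine ID over the application ID,
    truncated to 128 bits and stamped as a version 4 UUID."""
    key = parse_machine_id(machine_id)
    out = bytearray(hmac.new(key, app_id.bytes, hashlib.sha256).digest()[:16])
    out[6] = (out[6] & 0x0F) | 0x40  # version 4
    out[8] = (out[8] & 0x3F) | 0x80  # RFC 4122 variant
    return out.hex()


def compare_hosts(id_a: str, id_b: str, app_id: uuid.UUID) -> dict:
    """Report whether two hosts stay distinguishable to one application."""
    derived_a = app_specific_id(id_a, app_id)
    derived_b = app_specific_id(id_b, app_id)
    return {
        "raw_exposed": id_a in (derived_a, derived_b) or id_b in (derived_a, derived_b),
        "hosts_distinct": derived_a != derived_b,
    }


if __name__ == "__main__":
    print(compare_hosts(HOST_A, HOST_B, APP_MAIL))
    print(compare_hosts(SHARED_CONSTANT, SHARED_CONSTANT, APP_MAIL))
    print(app_specific_id(HOST_A, APP_MAIL) != app_specific_id(HOST_A, APP_SYNC))
```

With distinct machine IDs each application sees a different, stable value per host and never the raw ID; with the shared constant every host derives the same value for a given application.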

