Would randomizing machine-id each boot cause issues?

Crawfish · April 20, 2024, 2:23am

Is there any reasons as to not randomize the machine-id?
Would it break systemd and or tirdad for example?

I see that Whonix and Kicksecure both set the machine-id as:

b08dfa6083e7567a1921a715000001fb

Could something like dbus-uuidgen --ensure=/etc/machine-id or systemd-machine-id-setup be used on startup to create new machine each boot without issue?

Patrick · April 20, 2024, 7:37am

In context of Whonix:

Identifiers Design Goals
forum discussion: Anonymize /etc/machine-id

In context of Kicksecure:

Could be similar but much less importance. Could argue machine-id should be unique per system (Debian default). Can be considered once someone runs into an issue which requires this.

Tirdad, unlikely.

Otherwise: Unknown. Unspecific to Kicksecure. → Potential Solutions Beyond Kicksecure!

Crawfish · May 4, 2024, 1:01am

I haven’t had any issues that I can tell with this generating each boot on Kicksecure:

github.com

RightToPrivacy/wipri/blob/4b0d86b72339a2f67dad5e548a1e0b603f6049ec/wipri#L438


      
          #######################################################################
          	# M - machine-id randomization (regenerated) each wipri run
          	# machine-id is a unique identifer that can (unnecessarily) be used for tracking
          	# machine-id privacy concerns: https://lists.dyne.org/lurker/message/20190308.134955.e06f4b9c.en.html#dng
               M)
          	echo -e "${RED}Removing Old machine-id To Prevent Tracking...${ENDCOLOR}"
          	rm -f /var/lib/dbus/machine-id /etc/machine-id || {
          		echo -e "${RED}ERR! DOES MACHINE-ID FILE EXIST?${ENDCOLOR}\n" 
          	}
          	echo -e "${BLUE}Generating New Unique machine-id...${ENDCOLOR}"
          	dbus-uuidgen --ensure=/etc/machine-id && dbus-uuidgen --ensure && {
          		machineid=$(cat /etc/machine-id)
          		echo -e "${GREEN}New machine-id generated:${ENDCOLOR} ${RED}$machineid${ENDCOLOR}"
          		systemd-machine-id-setup
          	}
          	;;
          
          ######################################################################
          	# b - rfkill block bluetooth (to prevent accidental leakage)
               b)
          	rfkill block bluetooth && {

So does machine-id ever get sent over the network?

Also does the current AppArmor profiles for Kicksecure/Whonix block access to this file for default applications?

And also on the topic of sandbox does the AppArmor profiles block access to /sys/class/net/*/address where the real MAC Adress is listed?

Otherwise: Unknown. Unspecific to Kicksecure. → Potential Solutions Beyond Kicksecure!

Yeah I get that is more about this maybe as a feature exlusive to Kicksecure is what was getting at…I see was discussed in the Whonix forum, my only opinion is I feel that most identifiers should be randomized if possible.

Patrick · May 4, 2024, 11:19am

Not by any application that I know but better use search engines, AI to confirm.

You would need to check each AppArmor profile. Search the Source Code

With apparmor.d things might change too.

Unlikely to happen unless contributed.

Not clear if that is a good idea as per:

And also unlikely that this is even feasible. If there was a virtualizer project that cares about these issues, maybe, but there isn’t.