<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Amusing point of note: my company has a large investment in RHEL and they use sudo. I think part of RH's choice is about not choosing to enforce their decisions on their userbase, which I can appreciate.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 26, 2024 at 3:31 PM Rusty Carruth via PLUG-discuss <<a href="mailto:plug-discuss@lists.phxlinux.org">plug-discuss@lists.phxlinux.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Actually, I'd like to start a bit of a discussion on this.<br>
<br>
<br>
First, I know that for some reason RedHat seems to think that sudo is <br>
bad/insecure.<br>
<br>
I'd like to know the logic there, as I think the argument FOR using sudo <br>
is MUCH stronger than any argument I've heard (which, admittedly, is <br>
pretty close to zero) AGAINST it. Here's my thinking:<br>
<br>
Allowing users to become root via sudo gives you:<br>
<br>
- VERY fine control over what programs a user can use as root<br>
<br>
- The ability to remove admin privs (ability to run as root) from an <br>
individual WITHOUT having to change root password everywhere.<br>
<br>
Now, remember, RH is supposedly 'corporate friendly'. As a corporation, <br>
that 2nd feature is well worth the price of admission, PLUS I can only <br>
allow certain admins to run certain programs? Very nice.<br>
<br>
So, for example, at my last place I allowed the 'tester' user to run <br>
fdisk as root, because they needed to partition the disk under test. In <br>
my case, and since the network that we ran on was totally isolated from <br>
the corporate network, I let fdisk be run without needing a password. <br>
Oh, and if they messed up and fdisk'ed the boot partition, it was no big <br>
deal - I could recreate the machine from scratch (minus whatever data <br>
hadn't been copied off yet - which would only be their most recent run), <br>
in 10 minutes (which was about 2 minutes of my time, and 8 minutes of <br>
scripted 'dd' ;-) However, if the test user wanted to become root using <br>
su, they had to enter the test user password.<br>
<br>
So, back to the original question - setting sudo to not require a <br>
password. We should have asked, what program do you want to run as root <br>
without requiring a password? How secure is your system? What else do <br>
you use it for? Who has access? etc, etc, etc.<br>
<br>
There's one other minor objection I have to the 'zero defense' statement <br>
below - the malicious thing you downloaded (and, I assume ran) has to be <br>
written to USE sudo in its attempt to break in, I believe, or it <br>
wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' <br>
won't do it).<br>
<br>
And, if you're truly paranoid about stuff you download, you should:<br>
<br>
1 - NEVER download something you don't have an excellent reason to <br>
believe is 'safe', and ALWAYS make sure you actually downloaded it from <br>
where you thought you did.<br>
<br>
2 - For the TRULY paranoid, have a machine you use to download and test <br>
software on, which you can totally disconnect from your network (not <br>
JUST the internet), and which has NO confidential info, and which you <br>
can erase and rebuild without caring. Run the downloaded stuff there, <br>
for a long time, until you're pretty sure it won't bite you.<br>
<br>
3 - For the REALLY REALLY paranoid, don't download anything from <br>
anywhere, disconnect from the internet permanently, get high-tech locks <br>
for your doors, and wrap your house in a faraday cage!<br>
<br>
And probably don't leave the house....<br>
<br>
The point of number 3 is that there is always a risk, even with <br>
'well-known' software, and as someone else said - they're watching you <br>
anyway. The question is how 'safe' do you want to be? And how paranoid <br>
are you, really?<br>
<br>
Wow, talk about rabbit hole! ;-)<br>
<br>
'Let the flames begin!' :-)<br>
<br>
<br>
On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:<br>
>> wanted sudo not to require a password.<br>
> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.<br>
><br>
> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:<br>
>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. It is wonderful! Now I don't have to bug you guys. So it looks like this is the end of the user group unless you want to talk about OT stuff.<br>
>><br>
>> --<br>
>> :-)~MIKE~(-:<br>
>> ---------------------------------------------------<br>
>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
>> To subscribe, unsubscribe, or to change your mail settings:<br>
>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>><br>
><br>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.<br><br>Stephen<br><br></div>
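An added example, not part of any message in this thread: a small audit of sudoers-style rules that answers the question raised above, namely which programs may run as root without a password. The sample rules, user names and paths are constructed, and the parser is simplified (one rule per line, no aliases or line continuations).

```shell
#!/bin/sh
# Added example: classify NOPASSWD rules in sudoers-style text.
# Assumption: one rule per line, no aliases, no backslash continuations.

# Constructed sample input; users and paths are hypothetical.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not from any real system
Defaults env_reset
tester  ALL=(root) NOPASSWD: /sbin/fdisk
michael ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/sh
EOF
}

# Reads sudoers text on stdin and prints one line per NOPASSWD rule:
#   BLANKET  every command runs as root with no password prompt
#   SHELL    the list names a shell or su, which amounts to BLANKET
#   SCOPED   only the listed programs run without a password
audit_nopasswd() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }  # comments, blanks, Defaults
    !/NOPASSWD:/ { next }                    # rules that still prompt are not reported
    {
      user = $1
      cmds = $0
      sub(/.*NOPASSWD:[ \t]*/, "", cmds)     # keep only the command list
      sub(/[ \t]+$/, "", cmds)
      n = split(cmds, c, /[ \t]*,[ \t]*/)
      sev = "SCOPED"
      for (i = 1; i <= n; i++) {
        if (c[i] == "ALL") sev = "BLANKET"
        else if (sev != "BLANKET" && c[i] ~ /\/(sh|bash|su)( |$)/) sev = "SHELL"
      }
      print sev, user, cmds
    }'
}

# Stand-alone run over the constructed sample.
sample_sudoers | audit_nopasswd
```

To check a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` instead of the sample.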