<p dir="ltr">I thought using suddenly was the same as becoming root</p>
<br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 29, 2024, 7:19 PM <<a href="mailto:techlists@phpcoderusa.com">techlists@phpcoderusa.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mike,<br>
<br>
The world is a hostile place. The more precautions you take the better. <br>
I cover the camera on my cellular phone while not in use. I cover the <br>
camera that is built into my laptop while it is not in use. I think <br>
on-line banking is dangerous. At some point I want to turn off WIFI and <br>
go to wired only on my local net.<br>
<br>
We lock our cars and houses for a reason.<br>
<br>
I do not know as much security as I'd like, however it might be <br>
necessary at some point to to become more cyber.<br>
<br>
About 24 years ago the members of the Tucson Free Unix Group (TFUG) <br>
helped me build a server that I ran out of my home. We left the email <br>
relay open and I got exploited. About 10 years ago I became root and I <br>
accidentally overwrote my home directory. yikes... both were painful. <br>
The first example is a reason we must be more aware of what we are <br>
doing. The 2nd is an example why we should use sudo as much as we can <br>
instead of becoming root.<br>
<br>
Keith<br>
<br>
<br>
<br>
On 2024-06-29 08:55, Michael via PLUG-discuss wrote:<br>
> I just realized, while 99% of the people on this list are honest there<br>
> is the diabolical 1%. So I guess I enter my password for the rest of<br>
> my life. Or do you think that it really matters considering this is<br>
> only a mailing list?<br>
> <br>
> On Sat, Jun 29, 2024, 10:22 AM Michael <<a href="mailto:bmike1@gmail.com" target="_blank" rel="noreferrer">bmike1@gmail.com</a>> wrote:<br>
> <br>
>> Thanks for saying this. I realized that I only needed to run apt as<br>
>> root. I didn't know how to make it so I could do that..... but<br>
>> chatgt did!<br>
>> <br>
>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss<br>
>> <<a href="mailto:plug-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">plug-discuss@lists.phxlinux.org</a>> wrote:<br>
>> <br>
>>> NO WORRIES FROM THIS END RUSTY.<br>
>>> <br>
>>> As a general rule, I use sudo only for very specific tasks<br>
>>> (usually updating my development package tree on OS X) and no<br>
>>> where else will I run anything as root. I have seen what happens<br>
>>> to linux machines that run infected binaries as root and it can<br>
>>> get ugly pretty fast. In one case, I couldn’t take the machine<br>
>>> out of service because of other items I was involved with, so I<br>
>>> simply made part of the dir tree immutable after replacing a few<br>
>>> files in /etc. That would fill up the system logs with an error<br>
>>> message about a specific binary trying to replace a small number<br>
>>> of conf files. Once the offending binary was found, it made things<br>
>>> easier trying to disable it or get rid of it. However, after a<br>
>>> while, I simply pulled the drive and ran it through a Dod secure<br>
>>> erase and installed a newer linux bistro on it. I did use the same<br>
>>> trick with chattr to make /bin, /sbin and /etc immutable. That<br>
>>> last turned out to be handy as I caught someone trying to rootkit<br>
>>> my machine using a known exploit, only they couldn’t get it to<br>
>>> run because the binaries they wanted to replace couldn’t be<br>
>>> written to. :)Yes, this would be a bit excessive, but over the<br>
>>> long run, proved far less inconvenient than having to wipe and<br>
>>> reinstall an OS.<br>
>>> <br>
>>> -Eric<br>
>>> From the central Offices of the Technomage Guild, security<br>
>>> Applications Dept.<br>
>>> <br>
>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss<br>
>>> <<a href="mailto:plug-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">plug-discuss@lists.phxlinux.org</a>> wrote:<br>
>>>> <br>
>>>> (Deep breath. Calm...)<br>
>>>> <br>
>>>> I can't figure out how to respond rationally to the below, so<br>
>>> all I'm going to say is - before you call troll, you might want<br>
>>> to research the author, and read a bit more carefully what they<br>
>>> wrote. I don't believe I recommended any of the crazy things you<br>
>>> suggest. And I certainly didn't intend to imply any of that.<br>
>>>> <br>
>>>> On the other hand, it may not have been clear, so I'll just say<br>
>>> "Sorry that what I wrote wasn't clear, but english isn't my first<br>
>>> language. Unfortunately its the only one I know".<br>
>>>> <br>
>>>> And on that note, I'll shut up.<br>
>>>> <br>
>>>> On 6/26/24 15:05, Ryan Petris wrote:<br>
>>>>> I feel like you're trolling so I'm not going to spend very much<br>
>>> time on this.<br>
>>>>> <br>
>>>>> It's been a generally good security practice for at least the<br>
>>> last 25+ years to not regularly run as a privileged user,<br>
>>> requiring some sort of escalation to do administrative-type tasks.<br>
>>> By using passwordless sudo, you're taking away that escalation.<br>
>>> Why not just run as root? Then you don't need sudo at all. In<br>
>>> fact, why even have a password at all? Why encrypt? Why don't you<br>
>>> just put all your data on a publicly accessible FTP server and<br>
>>> just grab stuff when you need it? The NSA has all your data anyway<br>
>>> and you don't have anything to hide so why not just leave it out<br>
>>> there for the world to see?<br>
>>>>> <br>
>>>>> As for something malicious needing to be written to use sudo,<br>
>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't<br>
>>> at least try then that seams like a pretty dumb malicious script<br>
>>> to me.<br>
>>>>> <br>
>>>>> You also don't necessarily need to open/run something for it to<br>
>>> run. IIRC there was a recent image vulnerability in Gnome's<br>
>>> tracker-miner application which indexes files in your home<br>
>>> directory. And before you say that wouldn't happen in KDE, it too<br>
>>> has a similar program, I believe called Baloo.<br>
>>>>> <br>
>>>>> There also exists the recent doas program and the systemd<br>
>>> replacement run0 to do the same.<br>
>>>>> <br>
>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via<br>
>>> PLUG-discuss wrote:<br>
>>>>>> Actually, I'd like to start a bit of a discussion on this.<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> First, I know that for some reason RedHat seems to think that<br>
>>> sudo is<br>
>>>>>> bad/insecure.<br>
>>>>>> <br>
>>>>>> I'd like to know the logic there, as I think the argument FOR<br>
>>> using sudo<br>
>>>>>> is MUCH stronger than any argument I've heard (which,<br>
>>> admittedly, is<br>
>>>>>> pretty close to zero) AGAINST it. Here's my thinking:<br>
>>>>>> <br>
>>>>>> Allowing users to become root via sudo gives you:<br>
>>>>>> <br>
>>>>>> - VERY fine control over what programs a user can use as root<br>
>>>>>> <br>
>>>>>> - The ability to remove admin privs (ability to run as root)<br>
>>> from an<br>
>>>>>> individual WITHOUT having to change root password everywhere.<br>
>>>>>> <br>
>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a<br>
>>> corporation,<br>
>>>>>> that 2nd feature is well worth the price of admission, PLUS I<br>
>>> can only<br>
>>>>>> allow certain admins to run certain programs? Very nice.<br>
>>>>>> <br>
>>>>>> So, for example, at my last place I allowed the 'tester' user<br>
>>> to run<br>
>>>>>> fdisk as root, because they needed to partition the disk under<br>
>>> test. In<br>
>>>>>> my case, and since the network that we ran on was totally<br>
>>> isolated from<br>
>>>>>> the corporate network, I let fdisk be run without needing a<br>
>>> password.<br>
>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it<br>
>>> was no big<br>
>>>>>> deal - I could recreate the machine from scratch (minus<br>
>>> whatever data<br>
>>>>>> hadn't been copied off yet - which would only be their most<br>
>>> recent run),<br>
>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8<br>
>>> minutes of<br>
>>>>>> scripted 'dd' ;-) However, if the test user wanted to become<br>
>>> root using<br>
>>>>>> su, they had to enter the test user password.<br>
>>>>>> <br>
>>>>>> So, back to the original question - setting sudo to not<br>
>>> require a<br>
>>>>>> password. We should have asked, what program do you want to<br>
>>> run as root<br>
>>>>>> without requiring a password? How secure is your system? What<br>
>>> else do<br>
>>>>>> you use it for? Who has access? etc, etc, etc.<br>
>>>>>> <br>
>>>>>> There's one other minor objection I have to the 'zero defense'<br>
>>> statement<br>
>>>>>> below - the malicious thing you downloaded (and, I assume ran)<br>
>>> has to be<br>
>>>>>> written to USE sudo in its attempt to break in, I believe, or<br>
>>> it<br>
>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -<br>
>>> myscript'<br>
>>>>>> won't do it).<br>
>>>>>> <br>
>>>>>> And, if you're truly paranoid about stuff you download, you<br>
>>> should:<br>
>>>>>> <br>
>>>>>> 1 - NEVER download something you don't have an excellent<br>
>>> reason to<br>
>>>>>> believe is 'safe', and ALWAYS make sure you actually<br>
>>> downloaded it from<br>
>>>>>> where you thought you did.<br>
>>>>>> <br>
>>>>>> 2 - For the TRULY paranoid, have a machine you use to download<br>
>>> and test<br>
>>>>>> software on, which you can totally disconnect from your<br>
>>> network (not<br>
>>>>>> JUST the internet), and which has NO confidential info, and<br>
>>> which you<br>
>>>>>> can erase and rebuild without caring. Run the downloaded<br>
>>> stuff there,<br>
>>>>>> for a long time, until you're pretty sure it won't bite you.<br>
>>>>>> <br>
>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything<br>
>>> from<br>
>>>>>> anywhere, disconnect from the internet permanently, get<br>
>>> high-tech locks<br>
>>>>>> for your doors, and wrap your house in a faraday cage!<br>
>>>>>> <br>
>>>>>> And probably don't leave the house....<br>
>>>>>> <br>
>>>>>> The point of number 3 is that there is always a risk, even<br>
>>> with<br>
>>>>>> 'well-known' software, and as someone else said - they're<br>
>>> watching you<br>
>>>>>> anyway. The question is how 'safe' do you want to be? And how<br>
>>> paranoid<br>
>>>>>> are you, really?<br>
>>>>>> <br>
>>>>>> Wow, talk about rabbit hole! ;-)<br>
>>>>>> <br>
>>>>>> 'Let the flames begin!' :-)<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:<br>
>>>>>>>> wanted sudo not to require a password.<br>
>>>>>>> Please reconsider this... This is VERY BAD security practice.<br>
>>> There's basically zero defense if you happen to download/run<br>
>>> something malicious.<br>
>>>>>>> <br>
>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss<br>
>>> wrote:<br>
>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being<br>
>>> good at troubleshooting so I figured I'd give it a go. I sprint<br>
>>> about half an hour asking it the wrong question but after that it<br>
>>> took 2 minutes. I wanted sudo not to require a password. it is<br>
>>> wonderful! now I don't have to bug you guys. so it looks like this<br>
>>> is the end of the user group unless you want to talk about OT<br>
>>> stuff.<br>
>>>>>>>> <br>
>>>>>>>> --<br>
>>>>>>>> :-)~MIKE~(-:<br>
>>>>>>>> ---------------------------------------------------<br>
>>>>>>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>>>>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>>>>>>> <br>
>>>>>>> ---------------------------------------------------<br>
>>>>>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>>>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>>>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>>>>> ---------------------------------------------------<br>
>>>>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>>>>> <br>
>>>> ---------------------------------------------------<br>
>>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>> <br>
>>> ---------------------------------------------------<br>
>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
> ---------------------------------------------------<br>
> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
> To subscribe, unsubscribe, or to change your mail settings:<br>
> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</blockquote></div>