<p dir="ltr">Yeah. That happened to me a LONG time ago, too; now that I think about it.</p>
<br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 29, 2024, 9:36 PM <<a href="mailto:techlists@phpcoderusa.com">techlists@phpcoderusa.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have had several situations where I needed to become root because I <br>
was unable to complete the task using sudo. Maybe I do not <br>
understand....<br>
<br>
<br>
<br>
On 2024-06-29 19:05, Michael wrote:<br>
> I thought using sudo was the same as becoming root<br>
> <br>
> On Sat, Jun 29, 2024, 7:19 PM <<a href="mailto:techlists@phpcoderusa.com" target="_blank" rel="noreferrer">techlists@phpcoderusa.com</a>> wrote:<br>
> <br>
>> Mike,<br>
>> <br>
>> The world is a hostile place. The more precautions you take the<br>
>> better.<br>
>> I cover the camera on my cellular phone while not in use. I cover<br>
>> the<br>
>> camera that is built into my laptop while it is not in use. I think<br>
>> <br>
>> on-line banking is dangerous. At some point I want to turn off WIFI<br>
>> and<br>
>> go to wired only on my local net.<br>
>> <br>
>> We lock our cars and houses for a reason.<br>
>> <br>
>> I do not know as much security as I'd like, however it might be<br>
>> necessary at some point to become more cyber.<br>
>> <br>
>> About 24 years ago the members of the Tucson Free Unix Group (TFUG)<br>
>> helped me build a server that I ran out of my home. We left the<br>
>> email<br>
>> relay open and I got exploited. About 10 years ago I became root<br>
>> and I<br>
>> accidentally overwrote my home directory. yikes... both were<br>
>> painful.<br>
>> The first example is a reason we must be more aware of what we are<br>
>> doing. The 2nd is an example why we should use sudo as much as we<br>
>> can<br>
>> instead of becoming root.<br>
>> <br>
>> Keith<br>
>> <br>
>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:<br>
>>> I just realized, while 99% of the people on this list are honest<br>
>> there<br>
>>> is the diabolical 1%. So I guess I enter my password for the rest<br>
>> of<br>
>>> my life. Or do you think that it really matters considering this<br>
>> is<br>
>>> only a mailing list?<br>
>>> <br>
>>> On Sat, Jun 29, 2024, 10:22 AM Michael <<a href="mailto:bmike1@gmail.com" target="_blank" rel="noreferrer">bmike1@gmail.com</a>> wrote:<br>
>>> <br>
>>>> Thanks for saying this. I realized that I only needed to run apt<br>
>> as<br>
>>>> root. I didn't know how to make it so I could do that..... but<br>
>>>> ChatGPT did!<br>
>>>> <br>
>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss<br>
>>>> <<a href="mailto:plug-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">plug-discuss@lists.phxlinux.org</a>> wrote:<br>
>>>> <br>
>>>>> NO WORRIES FROM THIS END RUSTY.<br>
>>>>> <br>
>>>>> As a general rule, I use sudo only for very specific tasks<br>
>>>>> (usually updating my development package tree on OS X) and<br>
>>>>> nowhere else will I run anything as root. I have seen what happens<br>
>>>>> to linux machines that run infected binaries as root and it can<br>
>>>>> get ugly pretty fast. In one case, I couldn’t take the machine<br>
>>>>> out of service because of other items I was involved with, so I<br>
>>>>> simply made part of the dir tree immutable after replacing a few<br>
>>>>> files in /etc. That would fill up the system logs with an error<br>
>>>>> message about a specific binary trying to replace a small number<br>
>>>>> of conf files. Once the offending binary was found, it made<br>
>> things<br>
>>>>> easier trying to disable it or get rid of it. However, after a<br>
>>>>> while, I simply pulled the drive and ran it through a DoD secure<br>
>>>>> erase and installed a newer linux distro on it. I did use the<br>
>> same<br>
>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That<br>
>>>>> last turned out to be handy as I caught someone trying to<br>
>> rootkit<br>
>>>>> my machine using a known exploit, only they couldn’t get it to<br>
>>>>> run because the binaries they wanted to replace couldn’t be<br>
>>>>> written to. :) Yes, this would be a bit excessive, but over the<br>
>>>>> long run, proved far less inconvenient than having to wipe and<br>
>>>>> reinstall an OS.<br>
>>>>> <br>
>>>>> -Eric<br>
>>>>> From the central Offices of the Technomage Guild, security<br>
>>>>> Applications Dept.<br>
>>>>> <br>
>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss<br>
>>>>> <<a href="mailto:plug-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">plug-discuss@lists.phxlinux.org</a>> wrote:<br>
>>>>>> <br>
>>>>>> (Deep breath. Calm...)<br>
>>>>>> <br>
>>>>>> I can't figure out how to respond rationally to the below, so<br>
>>>>> all I'm going to say is - before you call troll, you might want<br>
>>>>> to research the author, and read a bit more carefully what they<br>
>>>>> wrote. I don't believe I recommended any of the crazy things<br>
>> you<br>
>>>>> suggest. And I certainly didn't intend to imply any of that.<br>
>>>>>> <br>
>>>>>> On the other hand, it may not have been clear, so I'll just<br>
>> say<br>
>>>>> "Sorry that what I wrote wasn't clear, but english isn't my<br>
>> first<br>
>>>>> language. Unfortunately its the only one I know".<br>
>>>>>> <br>
>>>>>> And on that note, I'll shut up.<br>
>>>>>> <br>
>>>>>> On 6/26/24 15:05, Ryan Petris wrote:<br>
>>>>>>> I feel like you're trolling so I'm not going to spend very<br>
>> much<br>
>>>>> time on this.<br>
>>>>>>> <br>
>>>>>>> It's been a generally good security practice for at least the<br>
>>>>> last 25+ years to not regularly run as a privileged user,<br>
>>>>> requiring some sort of escalation to do administrative-type<br>
>> tasks.<br>
>>>>> By using passwordless sudo, you're taking away that escalation.<br>
>>>>> Why not just run as root? Then you don't need sudo at all. In<br>
>>>>> fact, why even have a password at all? Why encrypt? Why don't<br>
>> you<br>
>>>>> just put all your data on a publicly accessible FTP server and<br>
>>>>> just grab stuff when you need it? The NSA has all your data<br>
>> anyway<br>
>>>>> and you don't have anything to hide so why not just leave it out<br>
>>>>> there for the world to see?<br>
>>>>>>> <br>
>>>>>>> As for something malicious needing to be written to use sudo,<br>
>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it<br>
>> didn't<br>
>>>>> at least try then that seems like a pretty dumb malicious script<br>
>>>>> to me.<br>
>>>>>>> <br>
>>>>>>> You also don't necessarily need to open/run something for it<br>
>> to<br>
>>>>> run. IIRC there was a recent image vulnerability in Gnome's<br>
>>>>> tracker-miner application which indexes files in your home<br>
>>>>> directory. And before you say that wouldn't happen in KDE, it<br>
>> too<br>
>>>>> has a similar program, I believe called Baloo.<br>
>>>>>>> <br>
>>>>>>> There also exists the recent doas program and the systemd<br>
>>>>> replacement run0 to do the same.<br>
>>>>>>> <br>
>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via<br>
>>>>> PLUG-discuss wrote:<br>
>>>>>>>> Actually, I'd like to start a bit of a discussion on this.<br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>> First, I know that for some reason RedHat seems to think that<br>
>>>>> sudo is<br>
>>>>>>>> bad/insecure.<br>
>>>>>>>> <br>
>>>>>>>> I'd like to know the logic there, as I think the argument FOR<br>
>>>>> using sudo<br>
>>>>>>>> is MUCH stronger than any argument I've heard (which,<br>
>>>>> admittedly, is<br>
>>>>>>>> pretty close to zero) AGAINST it. Here's my thinking:<br>
>>>>>>>> <br>
>>>>>>>> Allowing users to become root via sudo gives you:<br>
>>>>>>>> <br>
>>>>>>>> - VERY fine control over what programs a user can use as root<br>
>>>>>>>> <br>
>>>>>>>> - The ability to remove admin privs (ability to run as root)<br>
>>>>> from an<br>
>>>>>>>> individual WITHOUT having to change root password everywhere.<br>
>>>>>>>> <br>
>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a<br>
>>>>> corporation,<br>
>>>>>>>> that 2nd feature is well worth the price of admission, PLUS I<br>
>>>>> can only<br>
>>>>>>>> allow certain admins to run certain programs? Very nice.<br>
>>>>>>>> <br>
>>>>>>>> So, for example, at my last place I allowed the 'tester' user<br>
>>>>> to run<br>
>>>>>>>> fdisk as root, because they needed to partition the disk<br>
>> under<br>
>>>>> test. In<br>
>>>>>>>> my case, and since the network that we ran on was totally<br>
>>>>> isolated from<br>
>>>>>>>> the corporate network, I let fdisk be run without needing a<br>
>>>>> password.<br>
>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it<br>
>>>>> was no big<br>
>>>>>>>> deal - I could recreate the machine from scratch (minus<br>
>>>>> whatever data<br>
>>>>>>>> hadn't been copied off yet - which would only be their most<br>
>>>>> recent run),<br>
>>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8<br>
>>>>> minutes of<br>
>>>>>>>> scripted 'dd' ;-) However, if the test user wanted to become<br>
>>>>> root using<br>
>>>>>>>> su, they had to enter the test user password.<br>
>>>>>>>> <br>
>>>>>>>> So, back to the original question - setting sudo to not<br>
>>>>> require a<br>
>>>>>>>> password. We should have asked, what program do you want to<br>
>>>>> run as root<br>
>>>>>>>> without requiring a password? How secure is your system?<br>
>> What<br>
>>>>> else do<br>
>>>>>>>> you use it for? Who has access? etc, etc, etc.<br>
>>>>>>>> <br>
>>>>>>>> There's one other minor objection I have to the 'zero<br>
>> defense'<br>
>>>>> statement<br>
>>>>>>>> below - the malicious thing you downloaded (and, I assume<br>
>> ran)<br>
>>>>> has to be<br>
>>>>>>>> written to USE sudo in its attempt to break in, I believe, or<br>
>>>>> it<br>
>>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -<br>
>>>>> myscript'<br>
>>>>>>>> won't do it).<br>
>>>>>>>> <br>
>>>>>>>> And, if you're truly paranoid about stuff you download, you<br>
>>>>> should:<br>
>>>>>>>> <br>
>>>>>>>> 1 - NEVER download something you don't have an excellent<br>
>>>>> reason to<br>
>>>>>>>> believe is 'safe', and ALWAYS make sure you actually<br>
>>>>> downloaded it from<br>
>>>>>>>> where you thought you did.<br>
>>>>>>>> <br>
>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to<br>
>> download<br>
>>>>> and test<br>
>>>>>>>> software on, which you can totally disconnect from your<br>
>>>>> network (not<br>
>>>>>>>> JUST the internet), and which has NO confidential info, and<br>
>>>>> which you<br>
>>>>>>>> can erase and rebuild without caring. Run the downloaded<br>
>>>>> stuff there,<br>
>>>>>>>> for a long time, until you're pretty sure it won't bite you.<br>
>>>>>>>> <br>
>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything<br>
>>>>> from<br>
>>>>>>>> anywhere, disconnect from the internet permanently, get<br>
>>>>> high-tech locks<br>
>>>>>>>> for your doors, and wrap your house in a faraday cage!<br>
>>>>>>>> <br>
>>>>>>>> And probably don't leave the house....<br>
>>>>>>>> <br>
>>>>>>>> The point of number 3 is that there is always a risk, even<br>
>>>>> with<br>
>>>>>>>> 'well-known' software, and as someone else said - they're<br>
>>>>> watching you<br>
>>>>>>>> anyway. The question is how 'safe' do you want to be? And<br>
>> how<br>
>>>>> paranoid<br>
>>>>>>>> are you, really?<br>
>>>>>>>> <br>
>>>>>>>> Wow, talk about rabbit hole! ;-)<br>
>>>>>>>> <br>
>>>>>>>> 'Let the flames begin!' :-)<br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:<br>
>>>>>>>>>> wanted sudo not to require a password.<br>
>>>>>>>>> Please reconsider this... This is VERY BAD security<br>
>> practice.<br>
>>>>> There's basically zero defense if you happen to download/run<br>
>>>>> something malicious.<br>
>>>>>>>>> <br>
>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss<br>
>>>>> wrote:<br>
>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being<br>
>>>>> good at troubleshooting so I figured I'd give it a go. I spent<br>
>>>>> about half an hour asking it the wrong question but after that<br>
>> it<br>
>>>>> took 2 minutes. I wanted sudo not to require a password. It is<br>
>>>>> wonderful! Now I don't have to bug you guys. So it looks like<br>
>> this<br>
>>>>> is the end of the user group unless you want to talk about OT<br>
>>>>> stuff.<br>
>>>>>>>>>> <br>
>>>>>>>>>> --<br>
>>>>>>>>>> :-)~MIKE~(-:<br>
>>>>>>>>>> ---------------------------------------------------<br>
>>>>>>>>>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>>>>>>>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>>>>>>>>> <br>
</blockquote></div>
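<p dir="ltr">Rusty's two arguments for sudo (per-program control, and revoking one person's admin rights without touching the root password) and Ryan's objection to a blanket passwordless rule both come down to how the sudoers rules are written. The fragment below is an added illustration, not something posted in the thread: it puts the blanket rule the thread argues about beside rules scoped the way Rusty describes for his tester; user names and program paths are assumed.</p>

```sudoers
# Added example, not from the thread. A drop-in such as
# /etc/sudoers.d/50-local (must be mode 0440); names and paths are assumed.

# 1. The setting the thread argues about: every command, no password.
#    Functionally the same as logging in as root, with no escalation
#    step left for a malicious script to trip over.
# michael ALL=(ALL:ALL) NOPASSWD: ALL

# 2. Rusty's tester: exactly one program, as root only, no password,
#    accepted because the lab network was isolated and a wiped boot
#    disk was rebuilt from an image in minutes.
Cmnd_Alias DISK_TEST = /sbin/fdisk
tester  ALL=(root) NOPASSWD: DISK_TEST

# 3. Michael's stated need, "only apt as root": keep the password
#    prompt and list just the subcommands needed. apt can be told to
#    run other programs through its -o options, so if the password is
#    ever dropped as well, a locked-down wrapper script is the safer
#    target than the bare binary.
Cmnd_Alias PKG_UPDATE = /usr/bin/apt update, /usr/bin/apt upgrade
michael ALL=(root) PKG_UPDATE

# 4. Revoking someone's access is deleting or commenting out one line;
#    root's password and everyone else's rules are untouched.

# Record privileged sessions, so the "what ran as root" question from
# Eric's infected-binary story can be answered from the logs.
Defaults log_input, log_output
```

<p dir="ltr">Check a drop-in with <code>visudo -cf /etc/sudoers.d/50-local</code> before relying on it; a syntax error in any sudoers file locks everyone out of sudo until it is repaired as root.</p>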