<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I did say "not naming vendor." Trade secret. We don't discuss our
vendors. Sorry, Mike.<br>
</p>
<pre class="moz-signature" cols="72">Regards,
George Toft</pre>
<div class="moz-cite-prefix">On 7/3/2024 4:37 AM, Michael via
PLUG-discuss wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFRvunJouLuWygN0of-WF8Tq6vy8kR1ChK3ys3ovd27EiOaVeg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">can you share with usw what you use instead of
sudo?</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jul 2, 2024 at
11:42 PM George Toft via PLUG-discuss <<a
href="mailto:plug-discuss@lists.phxlinux.org"
moz-do-not-send="true" class="moz-txt-link-freetext">plug-discuss@lists.phxlinux.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Okay,
I now come begging for more information on why RH thinks sudo
is <br>
bad. But first a little background...<br>
<br>
Where I work, the first thing we do is remove sudo and replace
it with a <br>
shell script that calls our centralized Privileged Access
Management <br>
(PAM) system (not naming vendor). The use of sudo requires and
exception <br>
and review and is not permanent. So I'm very versed on the
principles <br>
and implementation of PAM. Last year our Staff Architect asked
me to <br>
compare and contrast sudo against <unnamed product>.
Side-by-side, <br>
feature-by-feature, I did so, based on our POC's on Red Hat
Identity <br>
Manager (IdM), which uses sudo, and locally engineered
solutions.<br>
<br>
I personally detest sudo because it's like chmod 777 * - makes
<br>
everything work so much better, and software vendors can just
drop in <br>
their own sudo rules in /etc/sudoers.d/ and make magic happen
without <br>
you ever knowing what happened. Several times we've had to
convert some <br>
vendor's sudo rules to our own system's rules, and I ask the
vendor "Why <br>
do you have this rule?" Their answer: "We don't know." OFFS :(<br>
<br>
As far as sudo goes, it is included in the Center for Internet
<br>
Security's (CIS) Benchmarks, which is the embodiment of the
information <br>
security industry's best practices. I did some work for them
for a <br>
couple years, and every change (add/mod/delete) required
consensus <br>
approval from 80 organizations around the world, including
thee letter <br>
agencies in the US and abroad. Many/most auditors expect
financial <br>
institutions to follow this guide, or explain convincingly why
not. So <br>
every six months, we get to say: "We don't use sudo. Instead,
we do <br>
this." And then we get to do live demos of timed privileged
access. <br>
Haven't had a follow-on question in the last 8 years.<br>
<br>
(OT: I cringe at referring to CIS because of their collusion
with the <br>
Arizona Secretary of State and the Department of Homeland
Security to <br>
suppress people's First Amendment Right to Free Speech. Proof
is in the <br>
Elon Musk Twitter Dump. I do not have a copy of the email on
my <br>
computer. I generally don't tell people I did work for them -
it's so <br>
embarrassing. Effing Ratbastards.)<br>
<br>
So... back to the original question, as I was not able to find
anything <br>
saying Red Hat discourages sudo, nor was my favorite AI.
Please toss me <br>
a cookie...<br>
<br>
Regards,<br>
<br>
George Toft<br>
<br>
On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:<br>
> Actually, I'd like to start a bit of a discussion on
this.<br>
><br>
><br>
> First, I know that for some reason RedHat seems to think
that sudo is <br>
> bad/insecure.<br>
><br>
> I'd like to know the logic there, as I think the argument
FOR using <br>
> sudo is MUCH stronger than any argument I've heard
(which, admittedly, <br>
> is pretty close to zero) AGAINST it. Here's my
thinking:<br>
><br>
> Allowing users to become root via sudo gives you:<br>
><br>
> - VERY fine control over what programs a user can use as
root<br>
><br>
> - The ability to remove admin privs (ability to run as
root) from an <br>
> individual WITHOUT having to change root password
everywhere.<br>
><br>
> Now, remember, RH is supposedly 'corporate friendly'. As
a <br>
> corporation, that 2nd feature is well worth the price of
admission, <br>
> PLUS I can only allow certain admins to run certain
programs? Very nice.<br>
><br>
> So, for example, at my last place I allowed the 'tester'
user to run <br>
> fdisk as root, because they needed to partition the disk
under test. <br>
> In my case, and since the network that we ran on was
totally isolated <br>
> from the corporate network, I let fdisk be run without
needing a <br>
> password. Oh, and if they messed up and fdisk'ed the
boot partition, <br>
> it was no big deal - I could recreate the machine from
scratch (minus <br>
> whatever data hadn't been copied off yet - which would
only be their <br>
> most recent run), in 10 minutes (which was about 2
minutes of my time, <br>
> and 8 minutes of scripted 'dd' ;-) However, if the test
user wanted <br>
> to become root using su, they had to enter the test user
password.<br>
><br>
> So, back to the original question - setting sudo to not
require a <br>
> password. We should have asked, what program do you want
to run as <br>
> root without requiring a password? How secure is your
system? What <br>
> else do you use it for? Who has access? etc, etc, etc.<br>
><br>
> There's one other minor objection I have to the 'zero
defense' <br>
> statement below - the malicious thing you downloaded
(and, I assume <br>
> ran) has to be written to USE sudo in its attempt to
break in, I <br>
> believe, or it wouldn't matter HOW open your sudo was.
(simply saying <br>
> 'su - myscript' won't do it).<br>
><br>
> And, if you're truly paranoid about stuff you download,
you should:<br>
><br>
> 1 - NEVER download something you don't have an excellent
reason to <br>
> believe is 'safe', and ALWAYS make sure you actually
downloaded it <br>
> from where you thought you did.<br>
><br>
> 2 - For the TRULY paranoid, have a machine you use to
download and <br>
> test software on, which you can totally disconnect from
your network <br>
> (not JUST the internet), and which has NO confidential
info, and which <br>
> you can erase and rebuild without caring. Run the
downloaded stuff <br>
> there, for a long time, until you're pretty sure it won't
bite you.<br>
><br>
> 3 - For the REALLY REALLY paranoid, don't download
anything from <br>
> anywhere, disconnect from the internet permanently, get
high-tech <br>
> locks for your doors, and wrap your house in a faraday
cage!<br>
><br>
> And probably don't leave the house....<br>
><br>
> The point of number 3 is that there is always a risk,
even with <br>
> 'well-known' software, and as someone else said - they're
watching you <br>
> anyway. The question is how 'safe' do you want to be?
And how <br>
> paranoid are you, really?<br>
><br>
> Wow, talk about rabbit hole! ;-)<br>
><br>
> 'Let the flames begin!' :-)<br>
><br>
><br>
> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:<br>
>>> wanted sudo not to require a password.<br>
>> Please reconsider this... This is VERY BAD security
practice. There's <br>
>> basically zero defense if you happen to download/run
something <br>
>> malicious.<br>
>><br>
>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via
PLUG-discuss wrote:<br>
>>> then I remember that a PLUG member mentioned
ChatGPT being good at <br>
>>> troubleshooting so I figured I'd give it a go. I
sprint about half <br>
>>> an hour asking it the wrong question but after
that it took 2 <br>
>>> minutes. I wanted sudo not to require a password.
it is wonderful! <br>
>>> now I don't have to bug you guys. so it looks
like this is the end <br>
>>> of the user group unless you want to talk about
OT stuff.<br>
>>><br>
>>> -- <br>
>>> :-)~MIKE~(-:<br>
>>>
---------------------------------------------------<br>
>>> PLUG-discuss mailing list: <a
href="mailto:PLUG-discuss@lists.phxlinux.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">PLUG-discuss@lists.phxlinux.org</a><br>
>>> To subscribe, unsubscribe, or to change your mail
settings:<br>
>>> <a
href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>><br>
>><br>
>> ---------------------------------------------------<br>
>> PLUG-discuss mailing list: <a
href="mailto:PLUG-discuss@lists.phxlinux.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">PLUG-discuss@lists.phxlinux.org</a><br>
>> To subscribe, unsubscribe, or to change your mail
settings:<br>
>> <a
href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
> ---------------------------------------------------<br>
> PLUG-discuss mailing list: <a
href="mailto:PLUG-discuss@lists.phxlinux.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">PLUG-discuss@lists.phxlinux.org</a><br>
> To subscribe, unsubscribe, or to change your mail
settings:<br>
> <a
href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
---------------------------------------------------<br>
PLUG-discuss mailing list: <a
href="mailto:PLUG-discuss@lists.phxlinux.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a
href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
<span class="gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div><span style="font-size:12.8px">:-)~MIKE~(-:</span><br>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">---------------------------------------------------
PLUG-discuss mailing list: <a class="moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="moz-txt-link-freetext" href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a>
</pre>
</blockquote>
</body>
</html>