Amusing point of note: my company has a large investment in RHEL and they use sudo. I think part of RH's choice is about not choosing to enforce their decisions on their userbase, which I can appreciate.

On Wed, Jun 26, 2024 at 3:31 PM Rusty Carruth via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

> Actually, I'd like to start a bit of a discussion on this.
>
> First, I know that for some reason RedHat seems to think that sudo is bad/insecure.
>
> I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
>
> Allowing users to become root via sudo gives you:
>
> - VERY fine control over what programs a user can use as root
>
> - The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change the root password everywhere.
>
> Now, remember, RH is supposedly 'corporate friendly'. As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.
>
> So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test. In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password. Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-) However, if the test user wanted to become root using su, they had to enter the test user password.
>
> So, back to the original question - setting sudo to not require a password. We should have asked, what program do you want to run as root without requiring a password? How secure is your system? What else do you use it for? Who has access? etc, etc, etc.
>
> There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume, ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (Simply saying 'su - myscript' won't do it.)
>
> And, if you're truly paranoid about stuff you download, you should:
>
> 1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.
>
> 2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring. Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.
>
> 3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a Faraday cage!
>
> And probably don't leave the house....
>
> The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway. The question is how 'safe' do you want to be? And how paranoid are you, really?
>
> Wow, talk about rabbit hole! ;-)
>
> 'Let the flames begin!' :-)
>
> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>
> > > wanted sudo not to require a password.
> >
> > Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
> >
> > On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >
> > > then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. It is wonderful! Now I don't have to bug you guys. So it looks like this is the end of the user group unless you want to talk about OT stuff.
> > >
> > > --
> > > :-)~MIKE~(-:
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> --
> A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.

Stephen
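Rusty's scoped fdisk rule next to the blanket no-password setting Michael's request amounts to, written out as an added sudoers drop-in example (not from anyone in the thread). The username `mike` and the path `/usr/sbin/fdisk` are assumptions; `tester` is the account Rusty describes.

```sudoers
# Added example, not from the thread. Intended as a drop-in file such as
# /etc/sudoers.d/lab (mode 0440); check it with `visudo -cf <file>` before
# relying on it, since a syntax error can lock everyone out of sudo.

# What "sudo without a password" usually ends up as: every command, as any
# target user, no prompt. Anything running as 'mike' (including a downloaded
# script that happens to call sudo) becomes root silently. 'mike' is a
# constructed username.
mike    ALL=(ALL) NOPASSWD: ALL

# Rusty's tester rule: one command, one target user, no prompt. Use the full
# path, because sudo matches the resolved command path, not a bare name.
# /usr/sbin/fdisk is the assumed location. Anything else tester runs via sudo
# still prompts for tester's own password, and su still asks for root's.
tester  ALL=(root) NOPASSWD: /usr/sbin/fdisk

# Revoking tester's access later means deleting the line above; no root
# password changes anywhere, which is Rusty's second point in favour of sudo.
```

fdisk as root can still rewrite any attached disk, which is why Rusty scoped this to an isolated lab machine he could rebuild in minutes rather than to a workstation on the corporate network.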