I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this is only a mailing list? On Sat, Jun 29, 2024, 10:22 AM Michael wrote: > Thanks for saying this. I realized that I only needed to run apt as root. > I didn't know how to make it so I could do that..... but chatgt did! > > On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss < > plug-discuss@lists.phxlinux.org> wrote: > >> NO WORRIES FROM THIS END RUSTY. >> >> As a general rule, I use sudo only for very specific tasks (usually >> updating my development package tree on OS X) and no where else will I run >> anything as root. I have seen what happens to linux machines that run >> infected binaries as root and it can get ugly pretty fast. In one case, I >> couldn’t take the machine out of service because of other items I was >> involved with, so I simply made part of the dir tree immutable after >> replacing a few files in /etc. That would fill up the system logs with an >> error message about a specific binary trying to replace a small number of >> conf files. Once the offending binary was found, it made things easier >> trying to disable it or get rid of it. However, after a while, I simply >> pulled the drive and ran it through a Dod secure erase and installed a >> newer linux bistro on it. I did use the same trick with chattr to make >> /bin, /sbin and /etc immutable. That last turned out to be handy as I >> caught someone trying to rootkit my machine using a known exploit, only >> they couldn’t get it to run because the binaries they wanted to replace >> couldn’t be written to. :)Yes, this would be a bit excessive, but over the >> long run, proved far less inconvenient than having to wipe and reinstall an >> OS. >> >> -Eric >> From the central Offices of the Technomage Guild, security Applications >> Dept. >> >> >> > On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss < >> plug-discuss@lists.phxlinux.org> wrote: >> > >> > (Deep breath. Calm...) >> > >> > I can't figure out how to respond rationally to the below, so all I'm >> going to say is - before you call troll, you might want to research the >> author, and read a bit more carefully what they wrote. I don't believe I >> recommended any of the crazy things you suggest. And I certainly didn't >> intend to imply any of that. >> > >> > On the other hand, it may not have been clear, so I'll just say "Sorry >> that what I wrote wasn't clear, but english isn't my first language. >> Unfortunately its the only one I know". >> > >> > And on that note, I'll shut up. >> > >> > On 6/26/24 15:05, Ryan Petris wrote: >> >> I feel like you're trolling so I'm not going to spend very much time >> on this. >> >> >> >> It's been a generally good security practice for at least the last 25+ >> years to not regularly run as a privileged user, requiring some sort of >> escalation to do administrative-type tasks. By using passwordless sudo, >> you're taking away that escalation. Why not just run as root? Then you >> don't need sudo at all. In fact, why even have a password at all? Why >> encrypt? Why don't you just put all your data on a publicly accessible FTP >> server and just grab stuff when you need it? The NSA has all your data >> anyway and you don't have anything to hide so why not just leave it out >> there for the world to see? >> >> >> >> As for something malicious needing to be written to use sudo, why >> wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try >> then that seams like a pretty dumb malicious script to me. >> >> >> >> You also don't necessarily need to open/run something for it to run. >> IIRC there was a recent image vulnerability in Gnome's tracker-miner >> application which indexes files in your home directory. And before you say >> that wouldn't happen in KDE, it too has a similar program, I believe called >> Baloo. >> >> >> >> There also exists the recent doas program and the systemd replacement >> run0 to do the same. >> >> >> >> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss >> wrote: >> >>> Actually, I'd like to start a bit of a discussion on this. >> >>> >> >>> >> >>> First, I know that for some reason RedHat seems to think that sudo is >> >>> bad/insecure. >> >>> >> >>> I'd like to know the logic there, as I think the argument FOR using >> sudo >> >>> is MUCH stronger than any argument I've heard (which, admittedly, is >> >>> pretty close to zero) AGAINST it. Here's my thinking: >> >>> >> >>> Allowing users to become root via sudo gives you: >> >>> >> >>> - VERY fine control over what programs a user can use as root >> >>> >> >>> - The ability to remove admin privs (ability to run as root) from an >> >>> individual WITHOUT having to change root password everywhere. >> >>> >> >>> Now, remember, RH is supposedly 'corporate friendly'. As a >> corporation, >> >>> that 2nd feature is well worth the price of admission, PLUS I can only >> >>> allow certain admins to run certain programs? Very nice. >> >>> >> >>> So, for example, at my last place I allowed the 'tester' user to run >> >>> fdisk as root, because they needed to partition the disk under test. >> In >> >>> my case, and since the network that we ran on was totally isolated >> from >> >>> the corporate network, I let fdisk be run without needing a password. >> >>> Oh, and if they messed up and fdisk'ed the boot partition, it was no >> big >> >>> deal - I could recreate the machine from scratch (minus whatever data >> >>> hadn't been copied off yet - which would only be their most recent >> run), >> >>> in 10 minutes (which was about 2 minutes of my time, and 8 minutes of >> >>> scripted 'dd' ;-) However, if the test user wanted to become root >> using >> >>> su, they had to enter the test user password. >> >>> >> >>> So, back to the original question - setting sudo to not require a >> >>> password. We should have asked, what program do you want to run as >> root >> >>> without requiring a password? How secure is your system? What else do >> >>> you use it for? Who has access? etc, etc, etc. >> >>> >> >>> There's one other minor objection I have to the 'zero defense' >> statement >> >>> below - the malicious thing you downloaded (and, I assume ran) has to >> be >> >>> written to USE sudo in its attempt to break in, I believe, or it >> >>> wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' >> >>> won't do it). >> >>> >> >>> And, if you're truly paranoid about stuff you download, you should: >> >>> >> >>> 1 - NEVER download something you don't have an excellent reason to >> >>> believe is 'safe', and ALWAYS make sure you actually downloaded it >> from >> >>> where you thought you did. >> >>> >> >>> 2 - For the TRULY paranoid, have a machine you use to download and >> test >> >>> software on, which you can totally disconnect from your network (not >> >>> JUST the internet), and which has NO confidential info, and which you >> >>> can erase and rebuild without caring. Run the downloaded stuff there, >> >>> for a long time, until you're pretty sure it won't bite you. >> >>> >> >>> 3 - For the REALLY REALLY paranoid, don't download anything from >> >>> anywhere, disconnect from the internet permanently, get high-tech >> locks >> >>> for your doors, and wrap your house in a faraday cage! >> >>> >> >>> And probably don't leave the house.... >> >>> >> >>> The point of number 3 is that there is always a risk, even with >> >>> 'well-known' software, and as someone else said - they're watching you >> >>> anyway. The question is how 'safe' do you want to be? And how >> paranoid >> >>> are you, really? >> >>> >> >>> Wow, talk about rabbit hole! ;-) >> >>> >> >>> 'Let the flames begin!' :-) >> >>> >> >>> >> >>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote: >> >>>>> wanted sudo not to require a password. >> >>>> Please reconsider this... This is VERY BAD security practice. >> There's basically zero defense if you happen to download/run something >> malicious. >> >>>> >> >>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote: >> >>>>> then I remember that a PLUG member mentioned ChatGPT being good >> at troubleshooting so I figured I'd give it a go. I sprint about half an >> hour asking it the wrong question but after that it took 2 minutes. I >> wanted sudo not to require a password. it is wonderful! now I don't have to >> bug you guys. so it looks like this is the end of the user group unless you >> want to talk about OT stuff. >> >>>>> >> >>>>> -- >> >>>>> :-)~MIKE~(-: >> >>>>> --------------------------------------------------- >> >>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org >> >>>>> To subscribe, unsubscribe, or to change your mail settings: >> >>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> >>>>> >> >>>> --------------------------------------------------- >> >>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org >> >>>> To subscribe, unsubscribe, or to change your mail settings: >> >>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> >>> --------------------------------------------------- >> >>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org >> >>> To subscribe, unsubscribe, or to change your mail settings: >> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> >>> >> > --------------------------------------------------- >> > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org >> > To subscribe, unsubscribe, or to change your mail settings: >> > https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> >> --------------------------------------------------- >> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org >> To subscribe, unsubscribe, or to change your mail settings: >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> >