And that it's only a home computer.

On Sat, Jun 29, 2024, 10:55 AM Michael wrote:

> I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this is only a mailing list?
>
> On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
>
>> Thanks for saying this. I realized that I only needed to run apt as root. I didn't know how to make it so I could do that..... but ChatGPT did!
>>
>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
>>
>>> NO WORRIES FROM THIS END RUSTY.
>>>
>>> As a general rule, I use sudo only for very specific tasks (usually updating my development package tree on OS X) and nowhere else will I run anything as root. I have seen what happens to linux machines that run infected binaries as root and it can get ugly pretty fast. In one case, I couldn’t take the machine out of service because of other items I was involved with, so I simply made part of the dir tree immutable after replacing a few files in /etc. That would fill up the system logs with an error message about a specific binary trying to replace a small number of conf files. Once the offending binary was found, it made things easier trying to disable it or get rid of it. However, after a while, I simply pulled the drive and ran it through a DoD secure erase and installed a newer linux distro on it. I did use the same trick with chattr to make /bin, /sbin and /etc immutable. That last turned out to be handy as I caught someone trying to rootkit my machine using a known exploit, only they couldn’t get it to run because the binaries they wanted to replace couldn’t be written to. :) Yes, this would be a bit excessive, but over the long run, proved far less inconvenient than having to wipe and reinstall an OS.
>>>
>>> -Eric
>>> From the central Offices of the Technomage Guild, security Applications Dept.
>>>
>>>
>>> > On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
>>> >
>>> > (Deep breath. Calm...)
>>> >
>>> > I can't figure out how to respond rationally to the below, so all I'm going to say is - before you call troll, you might want to research the author, and read a bit more carefully what they wrote. I don't believe I recommended any of the crazy things you suggest. And I certainly didn't intend to imply any of that.
>>> >
>>> > On the other hand, it may not have been clear, so I'll just say "Sorry that what I wrote wasn't clear, but English isn't my first language. Unfortunately it's the only one I know".
>>> >
>>> > And on that note, I'll shut up.
>>> >
>>> > On 6/26/24 15:05, Ryan Petris wrote:
>>> >> I feel like you're trolling so I'm not going to spend very much time on this.
>>> >>
>>> >> It's been a generally good security practice for at least the last 25+ years to not regularly run as a privileged user, requiring some sort of escalation to do administrative-type tasks. By using passwordless sudo, you're taking away that escalation. Why not just run as root? Then you don't need sudo at all. In fact, why even have a password at all? Why encrypt? Why don't you just put all your data on a publicly accessible FTP server and just grab stuff when you need it? The NSA has all your data anyway and you don't have anything to hide so why not just leave it out there for the world to see?
>>> >>
>>> >> As for something malicious needing to be written to use sudo, why wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try then that seems like a pretty dumb malicious script to me.
>>> >>
>>> >> You also don't necessarily need to open/run something for it to run.
>>> >> IIRC there was a recent image vulnerability in Gnome's tracker-miner application which indexes files in your home directory. And before you say that wouldn't happen in KDE, it too has a similar program, I believe called Baloo.
>>> >>
>>> >> There also exists the recent doas program and the systemd replacement run0 to do the same.
>>> >>
>>> >> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>>> >>> Actually, I'd like to start a bit of a discussion on this.
>>> >>>
>>> >>> First, I know that for some reason RedHat seems to think that sudo is bad/insecure.
>>> >>>
>>> >>> I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
>>> >>>
>>> >>> Allowing users to become root via sudo gives you:
>>> >>>
>>> >>> - VERY fine control over what programs a user can use as root
>>> >>>
>>> >>> - The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change root password everywhere.
>>> >>>
>>> >>> Now, remember, RH is supposedly 'corporate friendly'. As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.
>>> >>>
>>> >>> So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test. In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password.
>>> >>> Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-) However, if the test user wanted to become root using su, they had to enter the test user password.
>>> >>>
>>> >>> So, back to the original question - setting sudo to not require a password. We should have asked, what program do you want to run as root without requiring a password? How secure is your system? What else do you use it for? Who has access? etc, etc, etc.
>>> >>>
>>> >>> There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' won't do it).
>>> >>>
>>> >>> And, if you're truly paranoid about stuff you download, you should:
>>> >>>
>>> >>> 1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.
>>> >>>
>>> >>> 2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring. Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.
>>> >>>
>>> >>> 3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a faraday cage!
>>> >>>
>>> >>> And probably don't leave the house....
>>> >>>
>>> >>> The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway. The question is how 'safe' do you want to be? And how paranoid are you, really?
>>> >>>
>>> >>> Wow, talk about rabbit hole! ;-)
>>> >>>
>>> >>> 'Let the flames begin!' :-)
>>> >>>
>>> >>>
>>> >>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>> >>>>> wanted sudo not to require a password.
>>> >>>> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
>>> >>>>
>>> >>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>> >>>>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. It is wonderful! Now I don't have to bug you guys. So it looks like this is the end of the user group unless you want to talk about OT stuff.
>>> >>>>>
>>> >>>>> --
>>> >>>>> :-)~MIKE~(-:
>>> >>>>> ---------------------------------------------------
>>> >>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>> >>>>> To subscribe, unsubscribe, or to change your mail settings:
>>> >>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
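
Added example, not part of the thread or written by any of its participants: a small Python audit of sudoers rules that separates the blanket passwordless grant the thread argues about from the scoped grants it describes (apt only, fdisk only). The sample rules, user names and paths are constructed, and the parser assumes one rule per line with no aliases or line continuations.

```python
import re

# Constructed sample sudoers rules (user names and paths are illustrative).
SAMPLE = """\
# Blanket grant: every command runs as root with no prompt.
michael ALL=(ALL:ALL) NOPASSWD: ALL
# Command named, arguments open: any apt invocation skips the prompt.
michael ALL=(root) NOPASSWD: /usr/bin/apt
# Arguments pinned: only these exact command lines skip the prompt.
michael ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade
# Test-bench style: fdisk without a prompt, dd still asks.
tester ALL=(root) NOPASSWD: /sbin/fdisk, PASSWD: /usr/bin/dd
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=]+=\s*(?P<spec>.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def classify(cmd):  # how much does a passwordless entry really allow?
    if cmd == "ALL":
        return "blanket"
    args = cmd.split(None, 1)[1:]
    if not args:
        return "any-args"  # sudoers: no arguments listed means any arguments
    if re.search(r"[*?\[]", args[0]):
        return "wildcard-args"
    return "pinned"

def audit(text):  # -> [(user, command, rating)] for every NOPASSWD command
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith(("#", "@", "Defaults")) or "_Alias" in m["who"]:
            continue
        nopasswd = False  # a tag stays in force for the commands after it
        for item in re.split(r"(?<!\\),", m["spec"]):
            item = RUNAS.sub("", item.strip())
            tags = TAGS.match(item)
            if tags:
                if "NOPASSWD:" in tags.group():
                    nopasswd = True
                elif "PASSWD:" in tags.group():
                    nopasswd = False
                item = item[tags.end():].strip()
            if nopasswd:
                findings.append((m["who"], item, classify(item)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An `any-args` rating on a package manager or editor deserves the same scrutiny as `blanket`, because such tools can start other programs on the caller's behalf.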