I thought using sudo was the same as becoming root

On Sat, Jun 29, 2024, 7:19 PM wrote:

> Mike,
>
> The world is a hostile place. The more precautions you take the better. I cover the camera on my cellular phone while not in use. I cover the camera that is built into my laptop while it is not in use. I think on-line banking is dangerous. At some point I want to turn off WIFI and go to wired only on my local net.
>
> We lock our cars and houses for a reason.
>
> I do not know as much security as I'd like, however it might be necessary at some point to become more cyber.
>
> About 24 years ago the members of the Tucson Free Unix Group (TFUG) helped me build a server that I ran out of my home. We left the email relay open and I got exploited. About 10 years ago I became root and I accidentally overwrote my home directory. Yikes... both were painful. The first example is a reason we must be more aware of what we are doing. The 2nd is an example why we should use sudo as much as we can instead of becoming root.
>
> Keith
>
> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
> > I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this is only a mailing list?
> >
> > On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
> >
> >> Thanks for saying this. I realized that I only needed to run apt as root. I didn't know how to make it so I could do that..... but ChatGPT did!
> >>
> >> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss wrote:
> >>
> >>> NO WORRIES FROM THIS END RUSTY.
> >>>
> >>> As a general rule, I use sudo only for very specific tasks (usually updating my development package tree on OS X) and nowhere else will I run anything as root. I have seen what happens to linux machines that run infected binaries as root and it can get ugly pretty fast. In one case, I couldn't take the machine out of service because of other items I was involved with, so I simply made part of the dir tree immutable after replacing a few files in /etc. That would fill up the system logs with an error message about a specific binary trying to replace a small number of conf files. Once the offending binary was found, it made things easier trying to disable it or get rid of it. However, after a while, I simply pulled the drive and ran it through a DoD secure erase and installed a newer linux distro on it. I did use the same trick with chattr to make /bin, /sbin and /etc immutable. That last turned out to be handy as I caught someone trying to rootkit my machine using a known exploit, only they couldn't get it to run because the binaries they wanted to replace couldn't be written to. :) Yes, this would be a bit excessive, but over the long run, proved far less inconvenient than having to wipe and reinstall an OS.
> >>>
> >>> -Eric
> >>> From the central Offices of the Technomage Guild, security Applications Dept.
> >>>
> >>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss wrote:
> >>>>
> >>>> (Deep breath. Calm...)
> >>>>
> >>>> I can't figure out how to respond rationally to the below, so all I'm going to say is - before you call troll, you might want to research the author, and read a bit more carefully what they wrote. I don't believe I recommended any of the crazy things you suggest. And I certainly didn't intend to imply any of that.
> >>>>
> >>>> On the other hand, it may not have been clear, so I'll just say "Sorry that what I wrote wasn't clear, but English isn't my first language. Unfortunately it's the only one I know".
> >>>>
> >>>> And on that note, I'll shut up.
> >>>>
> >>>> On 6/26/24 15:05, Ryan Petris wrote:
> >>>>> I feel like you're trolling so I'm not going to spend very much time on this.
> >>>>>
> >>>>> It's been a generally good security practice for at least the last 25+ years to not regularly run as a privileged user, requiring some sort of escalation to do administrative-type tasks. By using passwordless sudo, you're taking away that escalation. Why not just run as root? Then you don't need sudo at all. In fact, why even have a password at all? Why encrypt? Why don't you just put all your data on a publicly accessible FTP server and just grab stuff when you need it? The NSA has all your data anyway and you don't have anything to hide so why not just leave it out there for the world to see?
> >>>>>
> >>>>> As for something malicious needing to be written to use sudo, why wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try then that seems like a pretty dumb malicious script to me.
> >>>>>
> >>>>> You also don't necessarily need to open/run something for it to run. IIRC there was a recent image vulnerability in Gnome's tracker-miner application which indexes files in your home directory. And before you say that wouldn't happen in KDE, it too has a similar program, I believe called Baloo.
> >>>>>
> >>>>> There also exists the recent doas program and the systemd replacement run0 to do the same.
> >>>>>
> >>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
> >>>>>> Actually, I'd like to start a bit of a discussion on this.
> >>>>>>
> >>>>>> First, I know that for some reason RedHat seems to think that sudo is bad/insecure.
> >>>>>>
> >>>>>> I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
> >>>>>>
> >>>>>> Allowing users to become root via sudo gives you:
> >>>>>>
> >>>>>> - VERY fine control over what programs a user can use as root
> >>>>>>
> >>>>>> - The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change root password everywhere.
> >>>>>>
> >>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.
> >>>>>>
> >>>>>> So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test. In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password. Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-) However, if the test user wanted to become root using su, they had to enter the test user password.
> >>>>>>
> >>>>>> So, back to the original question - setting sudo to not require a password. We should have asked, what program do you want to run as root without requiring a password? How secure is your system? What else do you use it for? Who has access? etc, etc, etc.
> >>>>>>
> >>>>>> There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' won't do it).
> >>>>>>
> >>>>>> And, if you're truly paranoid about stuff you download, you should:
> >>>>>>
> >>>>>> 1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.
> >>>>>>
> >>>>>> 2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring. Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.
> >>>>>>
> >>>>>> 3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a faraday cage!
> >>>>>>
> >>>>>> And probably don't leave the house....
> >>>>>>
> >>>>>> The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway. The question is how 'safe' do you want to be? And how paranoid are you, really?
> >>>>>>
> >>>>>> Wow, talk about rabbit hole! ;-)
> >>>>>>
> >>>>>> 'Let the flames begin!' :-)
> >>>>>>
> >>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>>>>>>> wanted sudo not to require a password.
> >>>>>>> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
> >>>>>>>
> >>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >>>>>>>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. It is wonderful! Now I don't have to bug you guys. So it looks like this is the end of the user group unless you want to talk about OT stuff.
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> :-)~MIKE~(-:
> >>>>>>>> ---------------------------------------------------
> >>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss