Yeah. That happened to me a LONG time ago, too; now that I think about it.

On Sat, Jun 29, 2024, 9:36 PM wrote:

> I have had several situations where I needed to become root because I
> was unable to complete the task using sudo. Maybe I do not
> understand....
>
> On 2024-06-29 19:05, Michael wrote:
> > I thought using sudo was the same as becoming root
> >
> > On Sat, Jun 29, 2024, 7:19 PM wrote:
> >
> >> Mike,
> >>
> >> The world is a hostile place. The more precautions you take the
> >> better. I cover the camera on my cellular phone while not in use. I
> >> cover the camera that is built into my laptop while it is not in use.
> >> I think on-line banking is dangerous. At some point I want to turn
> >> off WIFI and go to wired only on my local net.
> >>
> >> We lock our cars and houses for a reason.
> >>
> >> I do not know as much security as I'd like, however it might be
> >> necessary at some point to become more cyber.
> >>
> >> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
> >> helped me build a server that I ran out of my home. We left the email
> >> relay open and I got exploited. About 10 years ago I became root and
> >> I accidentally overwrote my home directory. yikes... both were
> >> painful. The first example is a reason we must be more aware of what
> >> we are doing. The 2nd is an example why we should use sudo as much as
> >> we can instead of becoming root.
> >>
> >> Keith
> >>
> >> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
> >>> I just realized, while 99% of the people on this list are honest
> >>> there is the diabolical 1%. So I guess I enter my password for the
> >>> rest of my life. Or do you think that it really matters considering
> >>> this is only a mailing list?
> >>>
> >>> On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
> >>>
> >>>> Thanks for saying this. I realized that I only needed to run apt as
> >>>> root. I didn't know how to make it so I could do that..... but
> >>>> ChatGPT did!
> >>>>
> >>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss wrote:
> >>>>
> >>>>> NO WORRIES FROM THIS END RUSTY.
> >>>>>
> >>>>> As a general rule, I use sudo only for very specific tasks
> >>>>> (usually updating my development package tree on OS X) and nowhere
> >>>>> else will I run anything as root. I have seen what happens to
> >>>>> linux machines that run infected binaries as root and it can get
> >>>>> ugly pretty fast. In one case, I couldn’t take the machine out of
> >>>>> service because of other items I was involved with, so I simply
> >>>>> made part of the dir tree immutable after replacing a few files in
> >>>>> /etc. That would fill up the system logs with an error message
> >>>>> about a specific binary trying to replace a small number of conf
> >>>>> files. Once the offending binary was found, it made things easier
> >>>>> trying to disable it or get rid of it. However, after a while, I
> >>>>> simply pulled the drive and ran it through a DoD secure erase and
> >>>>> installed a newer linux distro on it. I did use the same trick
> >>>>> with chattr to make /bin, /sbin and /etc immutable. That last
> >>>>> turned out to be handy as I caught someone trying to rootkit my
> >>>>> machine using a known exploit, only they couldn’t get it to run
> >>>>> because the binaries they wanted to replace couldn’t be written
> >>>>> to. :) Yes, this would be a bit excessive, but over the long run,
> >>>>> proved far less inconvenient than having to wipe and reinstall an
> >>>>> OS.
> >>>>>
> >>>>> -Eric
> >>>>> From the central Offices of the Technomage Guild, security
> >>>>> Applications Dept.
> >>>>>
> >>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss wrote:
> >>>>>>
> >>>>>> (Deep breath. Calm...)
> >>>>>>
> >>>>>> I can't figure out how to respond rationally to the below, so all
> >>>>>> I'm going to say is - before you call troll, you might want to
> >>>>>> research the author, and read a bit more carefully what they
> >>>>>> wrote. I don't believe I recommended any of the crazy things you
> >>>>>> suggest. And I certainly didn't intend to imply any of that.
> >>>>>>
> >>>>>> On the other hand, it may not have been clear, so I'll just say
> >>>>>> "Sorry that what I wrote wasn't clear, but English isn't my first
> >>>>>> language. Unfortunately it's the only one I know".
> >>>>>>
> >>>>>> And on that note, I'll shut up.
> >>>>>>
> >>>>>> On 6/26/24 15:05, Ryan Petris wrote:
> >>>>>>> I feel like you're trolling so I'm not going to spend very much
> >>>>>>> time on this.
> >>>>>>>
> >>>>>>> It's been a generally good security practice for at least the
> >>>>>>> last 25+ years to not regularly run as a privileged user,
> >>>>>>> requiring some sort of escalation to do administrative-type
> >>>>>>> tasks. By using passwordless sudo, you're taking away that
> >>>>>>> escalation. Why not just run as root? Then you don't need sudo
> >>>>>>> at all. In fact, why even have a password at all? Why encrypt?
> >>>>>>> Why don't you just put all your data on a publicly accessible
> >>>>>>> FTP server and just grab stuff when you need it? The NSA has all
> >>>>>>> your data anyway and you don't have anything to hide so why not
> >>>>>>> just leave it out there for the world to see?
> >>>>>>>
> >>>>>>> As for something malicious needing to be written to use sudo,
> >>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it
> >>>>>>> didn't at least try then that seems like a pretty dumb malicious
> >>>>>>> script to me.
> >>>>>>>
> >>>>>>> You also don't necessarily need to open/run something for it to
> >>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
> >>>>>>> tracker-miner application which indexes files in your home
> >>>>>>> directory. And before you say that wouldn't happen in KDE, it
> >>>>>>> too has a similar program, I believe called Baloo.
> >>>>>>>
> >>>>>>> There also exists the recent doas program and the systemd
> >>>>>>> replacement run0 to do the same.
> >>>>>>>
> >>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
> >>>>>>>> Actually, I'd like to start a bit of a discussion on this.
> >>>>>>>>
> >>>>>>>> First, I know that for some reason RedHat seems to think that
> >>>>>>>> sudo is bad/insecure.
> >>>>>>>>
> >>>>>>>> I'd like to know the logic there, as I think the argument FOR
> >>>>>>>> using sudo is MUCH stronger than any argument I've heard
> >>>>>>>> (which, admittedly, is pretty close to zero) AGAINST it. Here's
> >>>>>>>> my thinking:
> >>>>>>>>
> >>>>>>>> Allowing users to become root via sudo gives you:
> >>>>>>>>
> >>>>>>>> - VERY fine control over what programs a user can use as root
> >>>>>>>>
> >>>>>>>> - The ability to remove admin privs (ability to run as root)
> >>>>>>>> from an individual WITHOUT having to change root password
> >>>>>>>> everywhere.
> >>>>>>>>
> >>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
> >>>>>>>> corporation, that 2nd feature is well worth the price of
> >>>>>>>> admission, PLUS I can only allow certain admins to run certain
> >>>>>>>> programs? Very nice.
> >>>>>>>>
> >>>>>>>> So, for example, at my last place I allowed the 'tester' user
> >>>>>>>> to run fdisk as root, because they needed to partition the disk
> >>>>>>>> under test. In my case, and since the network that we ran on
> >>>>>>>> was totally isolated from the corporate network, I let fdisk be
> >>>>>>>> run without needing a password.
> >>>>>>>>
> >>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
> >>>>>>>> was no big deal - I could recreate the machine from scratch
> >>>>>>>> (minus whatever data hadn't been copied off yet - which would
> >>>>>>>> only be their most recent run), in 10 minutes (which was about
> >>>>>>>> 2 minutes of my time, and 8 minutes of scripted 'dd' ;-)
> >>>>>>>> However, if the test user wanted to become root using su, they
> >>>>>>>> had to enter the test user password.
> >>>>>>>>
> >>>>>>>> So, back to the original question - setting sudo to not require
> >>>>>>>> a password. We should have asked, what program do you want to
> >>>>>>>> run as root without requiring a password? How secure is your
> >>>>>>>> system? What else do you use it for? Who has access? etc, etc,
> >>>>>>>> etc.
> >>>>>>>>
> >>>>>>>> There's one other minor objection I have to the 'zero defense'
> >>>>>>>> statement below - the malicious thing you downloaded (and, I
> >>>>>>>> assume ran) has to be written to USE sudo in its attempt to
> >>>>>>>> break in, I believe, or it wouldn't matter HOW open your sudo
> >>>>>>>> was. (simply saying 'su - myscript' won't do it).
> >>>>>>>>
> >>>>>>>> And, if you're truly paranoid about stuff you download, you
> >>>>>>>> should:
> >>>>>>>>
> >>>>>>>> 1 - NEVER download something you don't have an excellent reason
> >>>>>>>> to believe is 'safe', and ALWAYS make sure you actually
> >>>>>>>> downloaded it from where you thought you did.
> >>>>>>>>
> >>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
> >>>>>>>> and test software on, which you can totally disconnect from
> >>>>>>>> your network (not JUST the internet), and which has NO
> >>>>>>>> confidential info, and which you can erase and rebuild without
> >>>>>>>> caring. Run the downloaded stuff there, for a long time, until
> >>>>>>>> you're pretty sure it won't bite you.
> >>>>>>>>
> >>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
> >>>>>>>> from anywhere, disconnect from the internet permanently, get
> >>>>>>>> high-tech locks for your doors, and wrap your house in a
> >>>>>>>> faraday cage!
> >>>>>>>>
> >>>>>>>> And probably don't leave the house....
> >>>>>>>>
> >>>>>>>> The point of number 3 is that there is always a risk, even with
> >>>>>>>> 'well-known' software, and as someone else said - they're
> >>>>>>>> watching you anyway. The question is how 'safe' do you want to
> >>>>>>>> be? And how paranoid are you, really?
> >>>>>>>>
> >>>>>>>> Wow, talk about rabbit hole! ;-)
> >>>>>>>>
> >>>>>>>> 'Let the flames begin!' :-)
> >>>>>>>>
> >>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>>>>>>>>> wanted sudo not to require a password.
> >>>>>>>>> Please reconsider this... This is VERY BAD security practice.
> >>>>>>>>> There's basically zero defense if you happen to download/run
> >>>>>>>>> something malicious.
> >>>>>>>>>
> >>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
> >>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I
> >>>>>>>>>> spent about half an hour asking it the wrong question but
> >>>>>>>>>> after that it took 2 minutes. I wanted sudo not to require a
> >>>>>>>>>> password. it is wonderful! now I don't have to bug you guys.
> >>>>>>>>>> so it looks like this is the end of the user group unless you
> >>>>>>>>>> want to talk about OT stuff.
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> :-)~MIKE~(-:
> >>>>>>>>>> ---------------------------------------------------
> >>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
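
The difference the thread argues over, blanket passwordless sudo versus a NOPASSWD rule scoped to one program (apt, fdisk), can be checked mechanically. The following is an added example, not part of any poster's message: a small Python audit of sudoers user rules, where the sample rules, user names and command paths are constructed, and aliases, includes and escaped commas are not handled.

```python
import re

# Constructed sample rules (not from the thread); users and paths are assumptions.
SAMPLE = """\
# blanket passwordless sudo, the setup Ryan warns about
alice   ALL=(ALL) NOPASSWD: ALL
# scoped to one program, like the 'tester' + fdisk case
tester  ALL=(root) NOPASSWD: /sbin/fdisk
# a tag carries over to later commands until the opposite tag appears
bob     ALL=(root) NOPASSWD: /usr/bin/apt, \\
        /usr/bin/apt-get, PASSWD: /sbin/reboot
%admin  ALL=(ALL) ALL
"""

SKIP = re.compile(r"(Defaults|\w+_Alias\b|@include)")
TAG = re.compile(r"\s*([A-Z_]+)\s*:\s*")      # NOPASSWD:, PASSWD:, NOEXEC:, ...


def audit(text):
    """Return (who, command, verdict) for every command in every user rule."""
    findings = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line or SKIP.match(line) or "=" not in line:
            continue
        who = line.split()[0]
        nopasswd = False                 # sudo asks for a password by default
        for item in line.split("=", 1)[1].split(","):
            item = re.sub(r"^\s*\([^)]*\)\s*", "", item)  # drop (runas)
            while (m := TAG.match(item)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                item = item[m.end():]
            cmd = item.strip()
            if not nopasswd:
                verdict = "password"
            elif cmd == "ALL":
                verdict = "passwordless-all"
            else:
                verdict = "passwordless-scoped"
            findings.append((who, cmd, verdict))
    return findings


if __name__ == "__main__":
    for who, cmd, verdict in audit(SAMPLE):
        print(f"{who:8} {cmd:18} {verdict}")
```

Only the `passwordless-all` rows remove the escalation step for every command; the scoped rows limit what runs as root without a prompt to the listed programs.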