Hey, I guess I need to change my username as well.

On Sun, Jun 30, 2024, 7:34 AM Michael wrote:

> Yeah. That happened to me to a LONG time ago, too; now that I think about it.
>
> On Sat, Jun 29, 2024, 9:36 PM wrote:
>
>> I have had several situations where I needed to become root because I was unable to complete the task using sudo. Maybe I do not understand....
>>
>> On 2024-06-29 19:05, Michael wrote:
>> > I thought using sudo was the same as becoming root
>> >
>> > On Sat, Jun 29, 2024, 7:19 PM wrote:
>> >
>> >> Mike,
>> >>
>> >> The world is a hostile place. The more precautions you take the better. I cover the camera on my cellular phone while not in use. I cover the camera that is built into my laptop while it is not in use. I think on-line banking is dangerous. At some point I want to turn off WIFI and go to wired only on my local net.
>> >>
>> >> We lock our cars and houses for a reason.
>> >>
>> >> I do not know as much security as I'd like, however it might be necessary at some point to become more cyber.
>> >>
>> >> About 24 years ago the members of the Tucson Free Unix Group (TFUG) helped me build a server that I ran out of my home. We left the email relay open and I got exploited. About 10 years ago I became root and I accidentally overwrote my home directory. yikes... both were painful. The first example is a reason we must be more aware of what we are doing. The 2nd is an example why we should use sudo as much as we can instead of becoming root.
>> >>
>> >> Keith
>> >>
>> >> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>> >>> I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this is only a mailing list?
>> >>>
>> >>> On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
>> >>>
>> >>>> Thanks for saying this. I realized that I only needed to run apt as root. I didn't know how to make it so I could do that..... but ChatGPT did!
>> >>>>
>> >>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss wrote:
>> >>>>
>> >>>>> NO WORRIES FROM THIS END RUSTY.
>> >>>>>
>> >>>>> As a general rule, I use sudo only for very specific tasks (usually updating my development package tree on OS X) and nowhere else will I run anything as root. I have seen what happens to linux machines that run infected binaries as root and it can get ugly pretty fast. In one case, I couldn’t take the machine out of service because of other items I was involved with, so I simply made part of the dir tree immutable after replacing a few files in /etc. That would fill up the system logs with an error message about a specific binary trying to replace a small number of conf files. Once the offending binary was found, it made things easier trying to disable it or get rid of it. However, after a while, I simply pulled the drive and ran it through a DoD secure erase and installed a newer linux distro on it. I did use the same trick with chattr to make /bin, /sbin and /etc immutable. That last turned out to be handy as I caught someone trying to rootkit my machine using a known exploit, only they couldn’t get it to run because the binaries they wanted to replace couldn’t be written to. :) Yes, this would be a bit excessive, but over the long run, proved far less inconvenient than having to wipe and reinstall an OS.
>> >>>>>
>> >>>>> -Eric
>> >>>>> From the central Offices of the Technomage Guild, security Applications Dept.
>> >>>>>
>> >>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss wrote:
>> >>>>>>
>> >>>>>> (Deep breath. Calm...)
>> >>>>>>
>> >>>>>> I can't figure out how to respond rationally to the below, so all I'm going to say is - before you call troll, you might want to research the author, and read a bit more carefully what they wrote. I don't believe I recommended any of the crazy things you suggest. And I certainly didn't intend to imply any of that.
>> >>>>>>
>> >>>>>> On the other hand, it may not have been clear, so I'll just say "Sorry that what I wrote wasn't clear, but English isn't my first language. Unfortunately it's the only one I know".
>> >>>>>>
>> >>>>>> And on that note, I'll shut up.
>> >>>>>>
>> >>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>> >>>>>>> I feel like you're trolling so I'm not going to spend very much time on this.
>> >>>>>>>
>> >>>>>>> It's been a generally good security practice for at least the last 25+ years to not regularly run as a privileged user, requiring some sort of escalation to do administrative-type tasks. By using passwordless sudo, you're taking away that escalation. Why not just run as root? Then you don't need sudo at all. In fact, why even have a password at all? Why encrypt? Why don't you just put all your data on a publicly accessible FTP server and just grab stuff when you need it? The NSA has all your data anyway and you don't have anything to hide so why not just leave it out there for the world to see?
>> >>>>>>>
>> >>>>>>> As for something malicious needing to be written to use sudo, why wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try then that seems like a pretty dumb malicious script to me.
>> >>>>>>>
>> >>>>>>> You also don't necessarily need to open/run something for it to run. IIRC there was a recent image vulnerability in Gnome's tracker-miner application which indexes files in your home directory. And before you say that wouldn't happen in KDE, it too has a similar program, I believe called Baloo.
>> >>>>>>>
>> >>>>>>> There also exists the recent doas program and the systemd replacement run0 to do the same.
>> >>>>>>>
>> >>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>> >>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>> >>>>>>>>
>> >>>>>>>> First, I know that for some reason RedHat seems to think that sudo is bad/insecure.
>> >>>>>>>>
>> >>>>>>>> I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
>> >>>>>>>>
>> >>>>>>>> Allowing users to become root via sudo gives you:
>> >>>>>>>>
>> >>>>>>>> - VERY fine control over what programs a user can use as root
>> >>>>>>>>
>> >>>>>>>> - The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change root password everywhere.
>> >>>>>>>>
>> >>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.
>> >>>>>>>>
>> >>>>>>>> So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test.
>> >>>>>>>> In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password. Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-) However, if the test user wanted to become root using su, they had to enter the test user password.
>> >>>>>>>>
>> >>>>>>>> So, back to the original question - setting sudo to not require a password. We should have asked, what program do you want to run as root without requiring a password? How secure is your system? What else do you use it for? Who has access? etc, etc, etc.
>> >>>>>>>>
>> >>>>>>>> There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' won't do it).
>> >>>>>>>>
>> >>>>>>>> And, if you're truly paranoid about stuff you download, you should:
>> >>>>>>>>
>> >>>>>>>> 1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.
>> >>>>>>>>
>> >>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring. Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.
>> >>>>>>>>
>> >>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a faraday cage!
>> >>>>>>>>
>> >>>>>>>> And probably don't leave the house....
>> >>>>>>>>
>> >>>>>>>> The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway. The question is how 'safe' do you want to be? And how paranoid are you, really?
>> >>>>>>>>
>> >>>>>>>> Wow, talk about rabbit hole! ;-)
>> >>>>>>>>
>> >>>>>>>> 'Let the flames begin!' :-)
>> >>>>>>>>
>> >>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>> >>>>>>>>>> wanted sudo not to require a password.
>> >>>>>>>>> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
>> >>>>>>>>>
>> >>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>> >>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. it is wonderful! now I don't have to bug you guys.
>> >>>>>>>>>> so it looks like this is the end of the user group unless you want to talk about OT stuff.
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> :-)~MIKE~(-:
>> >>>>>>>>>> ---------------------------------------------------
>> >>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>> >>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>> >>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
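
The thread turns on the difference between sudo that never asks for a password for anything and a password-free rule limited to one program (fdisk for the 'tester' account, apt in the later replies). The script below is an added example, not part of any list member's message: it reads sudoers-format text and reports which NOPASSWD rules are blanket and which are scoped. The account names and rules in the sample are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify NOPASSWD rules in sudoers-format text read on stdin.
# Prints one line per NOPASSWD rule:
#   BLANKET <who>             password-free for every command
#   SCOPED  <who> <commands>  password-free only for the listed commands
# Limits of this sketch: backslash line continuations are not joined and
# Cmnd_Alias names are not expanded (an alias shows up under SCOPED by name).
audit_nopasswd() {
    awk '
        /^[ \t]*(#|$)/    { next }   # comments, include directives, blank lines
        /^[ \t]*Defaults/ { next }   # option lines are not privilege rules
        /NOPASSWD:/ {
            who  = $1                # user or %group the rule applies to
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)   # keep only the command list
            sub(/[ \t]+$/, "", cmds)
            # ALL as a whole list entry means any command at all
            if (cmds ~ /(^|,[ \t]*)ALL([ \t]*,|$)/)
                print "BLANKET", who
            else
                print "SCOPED", who, cmds
        }
    '
}

# Constructed sample input; none of these rules come from a real system.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
alice     ALL=(ALL:ALL) NOPASSWD: ALL
tester    ALL=(root) NOPASSWD: /sbin/fdisk
bob       ALL=(ALL:ALL) ALL
%pkgadmin ALL=(root) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get
EOF
}

sample_sudoers | audit_nopasswd
```

On a real machine the same function can be fed /etc/sudoers and the files under /etc/sudoers.d, which normally requires root to read.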