sudo in general, and not requiring password in particular (w…

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Rusty Carruth via PLUG-discuss
Date:  
To: plug-discuss
CC: Rusty Carruth
Old-Topics: Re: trouble adding my user to sudoers list
Subject: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Actually, I'd like to start a bit of a discussion on this.


First, I know that for some reason RedHat seems to think that sudo is
bad/insecure.

I'd like to know the logic there, as I think the argument FOR using sudo
is MUCH stronger than any argument I've heard (which, admittedly, is
pretty close to zero) AGAINST it.   Here's my thinking:

Allowing users to become root via sudo gives you:

 - VERY fine control over what programs a user can use as root

 - The ability to remove admin privs (ability to run as root) from an
individual WITHOUT having to change root password everywhere.

Now, remember, RH is supposedly 'corporate friendly'.  As a corporation,
that 2nd feature is well worth the price of admission, PLUS I can only
allow certain admins to run certain programs? Very nice.

So, for example, at my last place I allowed the 'tester' user to run
fdisk as root, because they needed to partition the disk under test.  In
my case, and since the network that we ran on was totally isolated from
the corporate network, I let fdisk be run without needing a password. 
Oh, and if they messed up and fdisk'ed the boot partition, it was no big
deal - I could recreate the machine from scratch (minus whatever data
hadn't been copied off yet - which would only be their most recent run),
in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
scripted 'dd' ;-)  However, if the test user wanted to become root using
su, they had to enter the test user password.

So, back to the original question - setting sudo to not require a
password.  We should have asked, what program do you want to run as root
without requiring a password?  How secure is your system? What else do
you use it for?  Who has access?  etc, etc, etc.

There's one other minor objection I have to the 'zero defense' statement
below - the malicious thing you downloaded (and, I assume ran) has to be
written to USE sudo in its attempt to break in, I believe, or it
wouldn't matter HOW open your sudo was. (simply saying 'su - myscript'
won't do it).

And, if you're truly paranoid about stuff you download, you should:

1 - NEVER download something you don't have an excellent reason to
believe is 'safe', and ALWAYS make sure you actually downloaded it from
where you thought you did.

2 - For the TRULY paranoid, have a machine you use to download and test
software on, which you can totally disconnect from your network (not
JUST the internet), and which has NO confidential info, and which you
can erase and rebuild without caring.  Run the downloaded stuff there,
for a long time, until you're pretty sure it won't bite you.

3 - For the REALLY REALLY paranoid, don't download anything from
anywhere, disconnect from the internet permanently, get high-tech locks
for your doors, and wrap your house in a faraday cage!

And probably don't leave the house....

The point of number 3 is that there is always a risk, even with
'well-known' software, and as someone else said - they're watching you
anyway.  The question is how 'safe' do you want to be? And how paranoid
are you, really?

Wow, talk about rabbit hole! ;-)

'Let the flames begin!' :-)


On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>> wanted sudo not to require a password.
> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
>
> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I sprint about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. it is wonderful! now I don't have to bug you guys. so it looks like this is the end of the user group unless you want to talk about OT stuff.
>>
>> --
>> :-)~MIKE~(-:
>> ---------------------------------------------------
>> PLUG-discuss mailing list:
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
> ---------------------------------------------------
> PLUG-discuss mailing list:
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss