Amusing point of note, My company has a large investment in RHEL and they
use sudo, I think part of RH choice is about not choosing to enforce their
decisions on their userbase, wich I can appreciate.
On Wed, Jun 26, 2024 at 3:31 PM Rusty Carruth via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:
> Actually, I'd like to start a bit of a discussion on this.
>
>
> First, I know that for some reason RedHat seems to think that sudo is
> bad/insecure.
>
> I'd like to know the logic there, as I think the argument FOR using sudo
> is MUCH stronger than any argument I've heard (which, admittedly, is
> pretty close to zero) AGAINST it. Here's my thinking:
>
> Allowing users to become root via sudo gives you:
>
> - VERY fine control over what programs a user can use as root
>
> - The ability to remove admin privs (ability to run as root) from an
> individual WITHOUT having to change root password everywhere.
>
> Now, remember, RH is supposedly 'corporate friendly'. As a corporation,
> that 2nd feature is well worth the price of admission, PLUS I can only
> allow certain admins to run certain programs? Very nice.
>
> So, for example, at my last place I allowed the 'tester' user to run
> fdisk as root, because they needed to partition the disk under test. In
> my case, and since the network that we ran on was totally isolated from
> the corporate network, I let fdisk be run without needing a password.
> Oh, and if they messed up and fdisk'ed the boot partition, it was no big
> deal - I could recreate the machine from scratch (minus whatever data
> hadn't been copied off yet - which would only be their most recent run),
> in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
> scripted 'dd' ;-) However, if the test user wanted to become root using
> su, they had to enter the test user password.
>
> So, back to the original question - setting sudo to not require a
> password. We should have asked, what program do you want to run as root
> without requiring a password? How secure is your system? What else do
> you use it for? Who has access? etc, etc, etc.
>
> There's one other minor objection I have to the 'zero defense' statement
> below - the malicious thing you downloaded (and, I assume ran) has to be
> written to USE sudo in its attempt to break in, I believe, or it
> wouldn't matter HOW open your sudo was. (simply saying 'su - myscript'
> won't do it).
>
> And, if you're truly paranoid about stuff you download, you should:
>
> 1 - NEVER download something you don't have an excellent reason to
> believe is 'safe', and ALWAYS make sure you actually downloaded it from
> where you thought you did.
>
> 2 - For the TRULY paranoid, have a machine you use to download and test
> software on, which you can totally disconnect from your network (not
> JUST the internet), and which has NO confidential info, and which you
> can erase and rebuild without caring. Run the downloaded stuff there,
> for a long time, until you're pretty sure it won't bite you.
>
> 3 - For the REALLY REALLY paranoid, don't download anything from
> anywhere, disconnect from the internet permanently, get high-tech locks
> for your doors, and wrap your house in a faraday cage!
>
> And probably don't leave the house....
>
> The point of number 3 is that there is always a risk, even with
> 'well-known' software, and as someone else said - they're watching you
> anyway. The question is how 'safe' do you want to be? And how paranoid
> are you, really?
>
> Wow, talk about rabbit hole! ;-)
>
> 'Let the flames begin!' :-)
>
>
> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >> wanted sudo not to require a password.
> > Please reconsider this... This is VERY BAD security practice. There's
> basically zero defense if you happen to download/run something malicious.
> >
> > On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >> then I remember that a PLUG member mentioned ChatGPT being good at
> troubleshooting so I figured I'd give it a go. I sprint about half an hour
> asking it the wrong question but after that it took 2 minutes. I wanted
> sudo not to require a password. it is wonderful! now I don't have to bug
> you guys. so it looks like this is the end of the user group unless you
> want to talk about OT stuff.
> >>
> >> --
> >> :-)~MIKE~(-:
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> > To subscribe, unsubscribe, or to change your mail settings:
> > https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.
Stephen
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)