Re: sudo in general, and not requiring password in particula…

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Michael via PLUG-discuss
Date:  
To: plug-discuss
CC: Michael, eric.oyen
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
And that it's only a home computer.

On Sat, Jun 29, 2024, 10:55 AM Michael <> wrote:

> I just realized, while 99% of the people on this list are honest there is
> the diabolical 1%. So I guess I enter my password for the rest of my life.
> Or do you think that it really matters considering this is only a mailing
> list?
>
> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>
>> Thanks for saying this. I realized that I only needed to run apt as root.
>> I didn't know how to make it so I could do that..... but chatgt did!
>>
>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss <
>> > wrote:
>>
>>> NO WORRIES FROM THIS END RUSTY.
>>>
>>> As a general rule, I use sudo only for very specific tasks (usually
>>> updating my development package tree on OS X) and no where else will I run
>>> anything as root. I have seen what happens to linux machines that run
>>> infected binaries as root and it can get ugly pretty fast. In one case, I
>>> couldn’t take the machine out of service because of other items I was
>>> involved with, so I simply made part of the dir tree immutable after
>>> replacing a few files in /etc. That would fill up the system logs with an
>>> error message about a specific binary trying to replace a small number of
>>> conf files. Once the offending binary was found, it made things easier
>>> trying to disable it or get rid of it. However, after a while, I simply
>>> pulled the drive and ran it through a Dod secure erase and installed a
>>> newer linux bistro on it. I did use the same trick with chattr to make
>>> /bin, /sbin and /etc immutable. That last turned out to be handy as I
>>> caught someone trying to rootkit my machine using a known exploit, only
>>> they couldn’t get it to run because the binaries they wanted to replace
>>> couldn’t be written to. :)Yes, this would be a bit excessive, but over the
>>> long run, proved far less inconvenient than having to wipe and reinstall an
>>> OS.
>>>
>>> -Eric
>>> From the central Offices of the Technomage Guild, security Applications
>>> Dept.
>>>
>>>
>>> > On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss <
>>> > wrote:
>>> >
>>> > (Deep breath. Calm...)
>>> >
>>> > I can't figure out how to respond rationally to the below, so all I'm
>>> going to say is - before you call troll, you might want to research the
>>> author, and read a bit more carefully what they wrote. I don't believe I
>>> recommended any of the crazy things you suggest. And I certainly didn't
>>> intend to imply any of that.
>>> >
>>> > On the other hand, it may not have been clear, so I'll just say
>>> "Sorry that what I wrote wasn't clear, but english isn't my first
>>> language. Unfortunately its the only one I know".
>>> >
>>> > And on that note, I'll shut up.
>>> >
>>> > On 6/26/24 15:05, Ryan Petris wrote:
>>> >> I feel like you're trolling so I'm not going to spend very much time
>>> on this.
>>> >>
>>> >> It's been a generally good security practice for at least the last
>>> 25+ years to not regularly run as a privileged user, requiring some sort of
>>> escalation to do administrative-type tasks. By using passwordless sudo,
>>> you're taking away that escalation. Why not just run as root? Then you
>>> don't need sudo at all. In fact, why even have a password at all? Why
>>> encrypt? Why don't you just put all your data on a publicly accessible FTP
>>> server and just grab stuff when you need it? The NSA has all your data
>>> anyway and you don't have anything to hide so why not just leave it out
>>> there for the world to see?
>>> >>
>>> >> As for something malicious needing to be written to use sudo, why
>>> wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try
>>> then that seams like a pretty dumb malicious script to me.
>>> >>
>>> >> You also don't necessarily need to open/run something for it to run.
>>> IIRC there was a recent image vulnerability in Gnome's tracker-miner
>>> application which indexes files in your home directory. And before you say
>>> that wouldn't happen in KDE, it too has a similar program, I believe called
>>> Baloo.
>>> >>
>>> >> There also exists the recent doas program and the systemd replacement
>>> run0 to do the same.
>>> >>
>>> >> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss
>>> wrote:
>>> >>> Actually, I'd like to start a bit of a discussion on this.
>>> >>>
>>> >>>
>>> >>> First, I know that for some reason RedHat seems to think that sudo is
>>> >>> bad/insecure.
>>> >>>
>>> >>> I'd like to know the logic there, as I think the argument FOR using
>>> sudo
>>> >>> is MUCH stronger than any argument I've heard (which, admittedly, is
>>> >>> pretty close to zero) AGAINST it. Here's my thinking:
>>> >>>
>>> >>> Allowing users to become root via sudo gives you:
>>> >>>
>>> >>> - VERY fine control over what programs a user can use as root
>>> >>>
>>> >>> - The ability to remove admin privs (ability to run as root) from an
>>> >>> individual WITHOUT having to change root password everywhere.
>>> >>>
>>> >>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>> corporation,
>>> >>> that 2nd feature is well worth the price of admission, PLUS I can
>>> only
>>> >>> allow certain admins to run certain programs? Very nice.
>>> >>>
>>> >>> So, for example, at my last place I allowed the 'tester' user to run
>>> >>> fdisk as root, because they needed to partition the disk under
>>> test. In
>>> >>> my case, and since the network that we ran on was totally isolated
>>> from
>>> >>> the corporate network, I let fdisk be run without needing a password.
>>> >>> Oh, and if they messed up and fdisk'ed the boot partition, it was no
>>> big
>>> >>> deal - I could recreate the machine from scratch (minus whatever data
>>> >>> hadn't been copied off yet - which would only be their most recent
>>> run),
>>> >>> in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
>>> >>> scripted 'dd' ;-) However, if the test user wanted to become root
>>> using
>>> >>> su, they had to enter the test user password.
>>> >>>
>>> >>> So, back to the original question - setting sudo to not require a
>>> >>> password. We should have asked, what program do you want to run as
>>> root
>>> >>> without requiring a password? How secure is your system? What else
>>> do
>>> >>> you use it for? Who has access? etc, etc, etc.
>>> >>>
>>> >>> There's one other minor objection I have to the 'zero defense'
>>> statement
>>> >>> below - the malicious thing you downloaded (and, I assume ran) has
>>> to be
>>> >>> written to USE sudo in its attempt to break in, I believe, or it
>>> >>> wouldn't matter HOW open your sudo was. (simply saying 'su -
>>> myscript'
>>> >>> won't do it).
>>> >>>
>>> >>> And, if you're truly paranoid about stuff you download, you should:
>>> >>>
>>> >>> 1 - NEVER download something you don't have an excellent reason to
>>> >>> believe is 'safe', and ALWAYS make sure you actually downloaded it
>>> from
>>> >>> where you thought you did.
>>> >>>
>>> >>> 2 - For the TRULY paranoid, have a machine you use to download and
>>> test
>>> >>> software on, which you can totally disconnect from your network (not
>>> >>> JUST the internet), and which has NO confidential info, and which you
>>> >>> can erase and rebuild without caring. Run the downloaded stuff
>>> there,
>>> >>> for a long time, until you're pretty sure it won't bite you.
>>> >>>
>>> >>> 3 - For the REALLY REALLY paranoid, don't download anything from
>>> >>> anywhere, disconnect from the internet permanently, get high-tech
>>> locks
>>> >>> for your doors, and wrap your house in a faraday cage!
>>> >>>
>>> >>> And probably don't leave the house....
>>> >>>
>>> >>> The point of number 3 is that there is always a risk, even with
>>> >>> 'well-known' software, and as someone else said - they're watching
>>> you
>>> >>> anyway. The question is how 'safe' do you want to be? And how
>>> paranoid
>>> >>> are you, really?
>>> >>>
>>> >>> Wow, talk about rabbit hole! ;-)
>>> >>>
>>> >>> 'Let the flames begin!' :-)
>>> >>>
>>> >>>
>>> >>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>> >>>>> wanted sudo not to require a password.
>>> >>>> Please reconsider this... This is VERY BAD security practice.
>>> There's basically zero defense if you happen to download/run something
>>> malicious.
>>> >>>>
>>> >>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>> >>>>> then I remember that a PLUG member mentioned ChatGPT being good
>>> at troubleshooting so I figured I'd give it a go. I sprint about half an
>>> hour asking it the wrong question but after that it took 2 minutes. I
>>> wanted sudo not to require a password. it is wonderful! now I don't have to
>>> bug you guys. so it looks like this is the end of the user group unless you
>>> want to talk about OT stuff.
>>> >>>>>
>>> >>>>> --
>>> >>>>> :-)~MIKE~(-:
>>> >>>>> ---------------------------------------------------
>>> >>>>> PLUG-discuss mailing list:
>>> >>>>> To subscribe, unsubscribe, or to change your mail settings:
>>> >>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> >>>>>
>>> >>>> ---------------------------------------------------
>>> >>>> PLUG-discuss mailing list:
>>> >>>> To subscribe, unsubscribe, or to change your mail settings:
>>> >>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> >>> ---------------------------------------------------
>>> >>> PLUG-discuss mailing list:
>>> >>> To subscribe, unsubscribe, or to change your mail settings:
>>> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> >>>
>>> > ---------------------------------------------------
>>> > PLUG-discuss mailing list:
>>> > To subscribe, unsubscribe, or to change your mail settings:
>>> > https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list:
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss