I thought using suddenly was the same as becoming root
On Sat, Jun 29, 2024, 7:19 PM <
techlists@phpcoderusa.com> wrote:
> Mike,
>
> The world is a hostile place. The more precautions you take the better.
> I cover the camera on my cellular phone while not in use. I cover the
> camera that is built into my laptop while it is not in use. I think
> on-line banking is dangerous. At some point I want to turn off WIFI and
> go to wired only on my local net.
>
> We lock our cars and houses for a reason.
>
> I do not know as much security as I'd like, however it might be
> necessary at some point to to become more cyber.
>
> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
> helped me build a server that I ran out of my home. We left the email
> relay open and I got exploited. About 10 years ago I became root and I
> accidentally overwrote my home directory. yikes... both were painful.
> The first example is a reason we must be more aware of what we are
> doing. The 2nd is an example why we should use sudo as much as we can
> instead of becoming root.
>
> Keith
>
>
>
> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
> > I just realized, while 99% of the people on this list are honest there
> > is the diabolical 1%. So I guess I enter my password for the rest of
> > my life. Or do you think that it really matters considering this is
> > only a mailing list?
> >
> > On Sat, Jun 29, 2024, 10:22 AM Michael <bmike1@gmail.com> wrote:
> >
> >> Thanks for saying this. I realized that I only needed to run apt as
> >> root. I didn't know how to make it so I could do that..... but
> >> chatgt did!
> >>
> >> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
> >> <plug-discuss@lists.phxlinux.org> wrote:
> >>
> >>> NO WORRIES FROM THIS END RUSTY.
> >>>
> >>> As a general rule, I use sudo only for very specific tasks
> >>> (usually updating my development package tree on OS X) and no
> >>> where else will I run anything as root. I have seen what happens
> >>> to linux machines that run infected binaries as root and it can
> >>> get ugly pretty fast. In one case, I couldn’t take the machine
> >>> out of service because of other items I was involved with, so I
> >>> simply made part of the dir tree immutable after replacing a few
> >>> files in /etc. That would fill up the system logs with an error
> >>> message about a specific binary trying to replace a small number
> >>> of conf files. Once the offending binary was found, it made things
> >>> easier trying to disable it or get rid of it. However, after a
> >>> while, I simply pulled the drive and ran it through a Dod secure
> >>> erase and installed a newer linux bistro on it. I did use the same
> >>> trick with chattr to make /bin, /sbin and /etc immutable. That
> >>> last turned out to be handy as I caught someone trying to rootkit
> >>> my machine using a known exploit, only they couldn’t get it to
> >>> run because the binaries they wanted to replace couldn’t be
> >>> written to. :)Yes, this would be a bit excessive, but over the
> >>> long run, proved far less inconvenient than having to wipe and
> >>> reinstall an OS.
> >>>
> >>> -Eric
> >>> From the central Offices of the Technomage Guild, security
> >>> Applications Dept.
> >>>
> >>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
> >>> <plug-discuss@lists.phxlinux.org> wrote:
> >>>>
> >>>> (Deep breath. Calm...)
> >>>>
> >>>> I can't figure out how to respond rationally to the below, so
> >>> all I'm going to say is - before you call troll, you might want
> >>> to research the author, and read a bit more carefully what they
> >>> wrote. I don't believe I recommended any of the crazy things you
> >>> suggest. And I certainly didn't intend to imply any of that.
> >>>>
> >>>> On the other hand, it may not have been clear, so I'll just say
> >>> "Sorry that what I wrote wasn't clear, but english isn't my first
> >>> language. Unfortunately its the only one I know".
> >>>>
> >>>> And on that note, I'll shut up.
> >>>>
> >>>> On 6/26/24 15:05, Ryan Petris wrote:
> >>>>> I feel like you're trolling so I'm not going to spend very much
> >>> time on this.
> >>>>>
> >>>>> It's been a generally good security practice for at least the
> >>> last 25+ years to not regularly run as a privileged user,
> >>> requiring some sort of escalation to do administrative-type tasks.
> >>> By using passwordless sudo, you're taking away that escalation.
> >>> Why not just run as root? Then you don't need sudo at all. In
> >>> fact, why even have a password at all? Why encrypt? Why don't you
> >>> just put all your data on a publicly accessible FTP server and
> >>> just grab stuff when you need it? The NSA has all your data anyway
> >>> and you don't have anything to hide so why not just leave it out
> >>> there for the world to see?
> >>>>>
> >>>>> As for something malicious needing to be written to use sudo,
> >>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
> >>> at least try then that seams like a pretty dumb malicious script
> >>> to me.
> >>>>>
> >>>>> You also don't necessarily need to open/run something for it to
> >>> run. IIRC there was a recent image vulnerability in Gnome's
> >>> tracker-miner application which indexes files in your home
> >>> directory. And before you say that wouldn't happen in KDE, it too
> >>> has a similar program, I believe called Baloo.
> >>>>>
> >>>>> There also exists the recent doas program and the systemd
> >>> replacement run0 to do the same.
> >>>>>
> >>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
> >>> PLUG-discuss wrote:
> >>>>>> Actually, I'd like to start a bit of a discussion on this.
> >>>>>>
> >>>>>>
> >>>>>> First, I know that for some reason RedHat seems to think that
> >>> sudo is
> >>>>>> bad/insecure.
> >>>>>>
> >>>>>> I'd like to know the logic there, as I think the argument FOR
> >>> using sudo
> >>>>>> is MUCH stronger than any argument I've heard (which,
> >>> admittedly, is
> >>>>>> pretty close to zero) AGAINST it. Here's my thinking:
> >>>>>>
> >>>>>> Allowing users to become root via sudo gives you:
> >>>>>>
> >>>>>> - VERY fine control over what programs a user can use as root
> >>>>>>
> >>>>>> - The ability to remove admin privs (ability to run as root)
> >>> from an
> >>>>>> individual WITHOUT having to change root password everywhere.
> >>>>>>
> >>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
> >>> corporation,
> >>>>>> that 2nd feature is well worth the price of admission, PLUS I
> >>> can only
> >>>>>> allow certain admins to run certain programs? Very nice.
> >>>>>>
> >>>>>> So, for example, at my last place I allowed the 'tester' user
> >>> to run
> >>>>>> fdisk as root, because they needed to partition the disk under
> >>> test. In
> >>>>>> my case, and since the network that we ran on was totally
> >>> isolated from
> >>>>>> the corporate network, I let fdisk be run without needing a
> >>> password.
> >>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
> >>> was no big
> >>>>>> deal - I could recreate the machine from scratch (minus
> >>> whatever data
> >>>>>> hadn't been copied off yet - which would only be their most
> >>> recent run),
> >>>>>> in 10 minutes (which was about 2 minutes of my time, and 8
> >>> minutes of
> >>>>>> scripted 'dd' ;-) However, if the test user wanted to become
> >>> root using
> >>>>>> su, they had to enter the test user password.
> >>>>>>
> >>>>>> So, back to the original question - setting sudo to not
> >>> require a
> >>>>>> password. We should have asked, what program do you want to
> >>> run as root
> >>>>>> without requiring a password? How secure is your system? What
> >>> else do
> >>>>>> you use it for? Who has access? etc, etc, etc.
> >>>>>>
> >>>>>> There's one other minor objection I have to the 'zero defense'
> >>> statement
> >>>>>> below - the malicious thing you downloaded (and, I assume ran)
> >>> has to be
> >>>>>> written to USE sudo in its attempt to break in, I believe, or
> >>> it
> >>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -
> >>> myscript'
> >>>>>> won't do it).
> >>>>>>
> >>>>>> And, if you're truly paranoid about stuff you download, you
> >>> should:
> >>>>>>
> >>>>>> 1 - NEVER download something you don't have an excellent
> >>> reason to
> >>>>>> believe is 'safe', and ALWAYS make sure you actually
> >>> downloaded it from
> >>>>>> where you thought you did.
> >>>>>>
> >>>>>> 2 - For the TRULY paranoid, have a machine you use to download
> >>> and test
> >>>>>> software on, which you can totally disconnect from your
> >>> network (not
> >>>>>> JUST the internet), and which has NO confidential info, and
> >>> which you
> >>>>>> can erase and rebuild without caring. Run the downloaded
> >>> stuff there,
> >>>>>> for a long time, until you're pretty sure it won't bite you.
> >>>>>>
> >>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
> >>> from
> >>>>>> anywhere, disconnect from the internet permanently, get
> >>> high-tech locks
> >>>>>> for your doors, and wrap your house in a faraday cage!
> >>>>>>
> >>>>>> And probably don't leave the house....
> >>>>>>
> >>>>>> The point of number 3 is that there is always a risk, even
> >>> with
> >>>>>> 'well-known' software, and as someone else said - they're
> >>> watching you
> >>>>>> anyway. The question is how 'safe' do you want to be? And how
> >>> paranoid
> >>>>>> are you, really?
> >>>>>>
> >>>>>> Wow, talk about rabbit hole! ;-)
> >>>>>>
> >>>>>> 'Let the flames begin!' :-)
> >>>>>>
> >>>>>>
> >>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>>>>>>> wanted sudo not to require a password.
> >>>>>>> Please reconsider this... This is VERY BAD security practice.
> >>> There's basically zero defense if you happen to download/run
> >>> something malicious.
> >>>>>>>
> >>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
> >>> wrote:
> >>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
> >>> good at troubleshooting so I figured I'd give it a go. I sprint
> >>> about half an hour asking it the wrong question but after that it
> >>> took 2 minutes. I wanted sudo not to require a password. it is
> >>> wonderful! now I don't have to bug you guys. so it looks like this
> >>> is the end of the user group unless you want to talk about OT
> >>> stuff.
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> :-)~MIKE~(-:
> >>>>>>>> ---------------------------------------------------
> >>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>>>>
> >>>>>>> ---------------------------------------------------
> >>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>> ---------------------------------------------------
> >>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>>
> >>>> ---------------------------------------------------
> >>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> > ---------------------------------------------------
> > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> > To subscribe, unsubscribe, or to change your mail settings:
> > https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)