Re: sudo in general, and not requiring password in particula…

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Keith Smith via PLUG-discuss
Date:  
To: Michael
CC: techlists, plug-discuss, eric.oyen
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
I have had several situations where I needed to become root because I
was unable to compete the task using sudo. Maybe I do not
understand....



On 2024-06-29 19:05, Michael wrote:
> I thought using suddenly was the same as becoming root
>
> On Sat, Jun 29, 2024, 7:19 PM <> wrote:
>
>> Mike,
>>
>> The world is a hostile place. The more precautions you take the
>> better.
>> I cover the camera on my cellular phone while not in use. I cover
>> the
>> camera that is built into my laptop while it is not in use. I think
>>
>> on-line banking is dangerous. At some point I want to turn off WIFI
>> and
>> go to wired only on my local net.
>>
>> We lock our cars and houses for a reason.
>>
>> I do not know as much security as I'd like, however it might be
>> necessary at some point to to become more cyber.
>>
>> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
>> helped me build a server that I ran out of my home. We left the
>> email
>> relay open and I got exploited. About 10 years ago I became root
>> and I
>> accidentally overwrote my home directory. yikes... both were
>> painful.
>> The first example is a reason we must be more aware of what we are
>> doing. The 2nd is an example why we should use sudo as much as we
>> can
>> instead of becoming root.
>>
>> Keith
>>
>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>> I just realized, while 99% of the people on this list are honest
>> there
>>> is the diabolical 1%. So I guess I enter my password for the rest
>> of
>>> my life. Or do you think that it really matters considering this
>> is
>>> only a mailing list?
>>>
>>> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>>>
>>>> Thanks for saying this. I realized that I only needed to run apt
>> as
>>>> root. I didn't know how to make it so I could do that..... but
>>>> chatgt did!
>>>>
>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>>>> <> wrote:
>>>>
>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>
>>>>> As a general rule, I use sudo only for very specific tasks
>>>>> (usually updating my development package tree on OS X) and no
>>>>> where else will I run anything as root. I have seen what happens
>>>>> to linux machines that run infected binaries as root and it can
>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>> out of service because of other items I was involved with, so I
>>>>> simply made part of the dir tree immutable after replacing a few
>>>>> files in /etc. That would fill up the system logs with an error
>>>>> message about a specific binary trying to replace a small number
>>>>> of conf files. Once the offending binary was found, it made
>> things
>>>>> easier trying to disable it or get rid of it. However, after a
>>>>> while, I simply pulled the drive and ran it through a Dod secure
>>>>> erase and installed a newer linux bistro on it. I did use the
>> same
>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>> last turned out to be handy as I caught someone trying to
>> rootkit
>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>> run because the binaries they wanted to replace couldn’t be
>>>>> written to. :)Yes, this would be a bit excessive, but over the
>>>>> long run, proved far less inconvenient than having to wipe and
>>>>> reinstall an OS.
>>>>>
>>>>> -Eric
>>>>> From the central Offices of the Technomage Guild, security
>>>>> Applications Dept.
>>>>>
>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>>>>> <> wrote:
>>>>>>
>>>>>> (Deep breath. Calm...)
>>>>>>
>>>>>> I can't figure out how to respond rationally to the below, so
>>>>> all I'm going to say is - before you call troll, you might want
>>>>> to research the author, and read a bit more carefully what they
>>>>> wrote. I don't believe I recommended any of the crazy things
>> you
>>>>> suggest. And I certainly didn't intend to imply any of that.
>>>>>>
>>>>>> On the other hand, it may not have been clear, so I'll just
>> say
>>>>> "Sorry that what I wrote wasn't clear, but english isn't my
>> first
>>>>> language. Unfortunately its the only one I know".
>>>>>>
>>>>>> And on that note, I'll shut up.
>>>>>>
>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>> I feel like you're trolling so I'm not going to spend very
>> much
>>>>> time on this.
>>>>>>>
>>>>>>> It's been a generally good security practice for at least the
>>>>> last 25+ years to not regularly run as a privileged user,
>>>>> requiring some sort of escalation to do administrative-type
>> tasks.
>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>> fact, why even have a password at all? Why encrypt? Why don't
>> you
>>>>> just put all your data on a publicly accessible FTP server and
>>>>> just grab stuff when you need it? The NSA has all your data
>> anyway
>>>>> and you don't have anything to hide so why not just leave it out
>>>>> there for the world to see?
>>>>>>>
>>>>>>> As for something malicious needing to be written to use sudo,
>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it
>> didn't
>>>>> at least try then that seams like a pretty dumb malicious script
>>>>> to me.
>>>>>>>
>>>>>>> You also don't necessarily need to open/run something for it
>> to
>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>> tracker-miner application which indexes files in your home
>>>>> directory. And before you say that wouldn't happen in KDE, it
>> too
>>>>> has a similar program, I believe called Baloo.
>>>>>>>
>>>>>>> There also exists the recent doas program and the systemd
>>>>> replacement run0 to do the same.
>>>>>>>
>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
>>>>> PLUG-discuss wrote:
>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>
>>>>>>>>
>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>> sudo is
>>>>>>>> bad/insecure.
>>>>>>>>
>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>> using sudo
>>>>>>>> is MUCH stronger than any argument I've heard (which,
>>>>> admittedly, is
>>>>>>>> pretty close to zero) AGAINST it. Here's my thinking:
>>>>>>>>
>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>
>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>
>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>> from an
>>>>>>>> individual WITHOUT having to change root password everywhere.
>>>>>>>>
>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>> corporation,
>>>>>>>> that 2nd feature is well worth the price of admission, PLUS I
>>>>> can only
>>>>>>>> allow certain admins to run certain programs? Very nice.
>>>>>>>>
>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>> to run
>>>>>>>> fdisk as root, because they needed to partition the disk
>> under
>>>>> test. In
>>>>>>>> my case, and since the network that we ran on was totally
>>>>> isolated from
>>>>>>>> the corporate network, I let fdisk be run without needing a
>>>>> password.
>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
>>>>> was no big
>>>>>>>> deal - I could recreate the machine from scratch (minus
>>>>> whatever data
>>>>>>>> hadn't been copied off yet - which would only be their most
>>>>> recent run),
>>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8
>>>>> minutes of
>>>>>>>> scripted 'dd' ;-) However, if the test user wanted to become
>>>>> root using
>>>>>>>> su, they had to enter the test user password.
>>>>>>>>
>>>>>>>> So, back to the original question - setting sudo to not
>>>>> require a
>>>>>>>> password. We should have asked, what program do you want to
>>>>> run as root
>>>>>>>> without requiring a password? How secure is your system?
>> What
>>>>> else do
>>>>>>>> you use it for? Who has access? etc, etc, etc.
>>>>>>>>
>>>>>>>> There's one other minor objection I have to the 'zero
>> defense'
>>>>> statement
>>>>>>>> below - the malicious thing you downloaded (and, I assume
>> ran)
>>>>> has to be
>>>>>>>> written to USE sudo in its attempt to break in, I believe, or
>>>>> it
>>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -
>>>>> myscript'
>>>>>>>> won't do it).
>>>>>>>>
>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>> should:
>>>>>>>>
>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>> reason to
>>>>>>>> believe is 'safe', and ALWAYS make sure you actually
>>>>> downloaded it from
>>>>>>>> where you thought you did.
>>>>>>>>
>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to
>> download
>>>>> and test
>>>>>>>> software on, which you can totally disconnect from your
>>>>> network (not
>>>>>>>> JUST the internet), and which has NO confidential info, and
>>>>> which you
>>>>>>>> can erase and rebuild without caring. Run the downloaded
>>>>> stuff there,
>>>>>>>> for a long time, until you're pretty sure it won't bite you.
>>>>>>>>
>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>> from
>>>>>>>> anywhere, disconnect from the internet permanently, get
>>>>> high-tech locks
>>>>>>>> for your doors, and wrap your house in a faraday cage!
>>>>>>>>
>>>>>>>> And probably don't leave the house....
>>>>>>>>
>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>> with
>>>>>>>> 'well-known' software, and as someone else said - they're
>>>>> watching you
>>>>>>>> anyway. The question is how 'safe' do you want to be? And
>> how
>>>>> paranoid
>>>>>>>> are you, really?
>>>>>>>>
>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>
>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>
>>>>>>>>
>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>> Please reconsider this... This is VERY BAD security
>> practice.
>>>>> There's basically zero defense if you happen to download/run
>>>>> something malicious.
>>>>>>>>>
>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
>>>>> wrote:
>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>> good at troubleshooting so I figured I'd give it a go. I sprint
>>>>> about half an hour asking it the wrong question but after that
>> it
>>>>> took 2 minutes. I wanted sudo not to require a password. it is
>>>>> wonderful! now I don't have to bug you guys. so it looks like
>> this
>>>>> is the end of the user group unless you want to talk about OT
>>>>> stuff.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> :-)~MIKE~(-:
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>
>>>>>>>>> ---------------------------------------------------
>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list:
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>
>>>>>> ---------------------------------------------------
>>>>>> PLUG-discuss mailing list:
>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list:
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list:
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss