Re: sudo in general, and not requiring password in particula…

Author: Michael via PLUG-discuss
Date:  
To: techlists
CC: Michael, plug-discuss, eric.oyen
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Hey, I guess I need to change my username as well.

On Sun, Jun 30, 2024, 7:34 AM Michael <> wrote:

> Yeah. That happened to me a LONG time ago, too; now that I think about
> it.
>
> On Sat, Jun 29, 2024, 9:36 PM <> wrote:
>
>> I have had several situations where I needed to become root because I
>> was unable to complete the task using sudo. Maybe I do not
>> understand....
>>
>>
>>
>> On 2024-06-29 19:05, Michael wrote:
>> > I thought using sudo was the same as becoming root
>> >
>> > On Sat, Jun 29, 2024, 7:19 PM <> wrote:
>> >
>> >> Mike,
>> >>
>> >> The world is a hostile place. The more precautions you take the
>> >> better. I cover the camera on my cellular phone while not in use.
>> >> I cover the camera that is built into my laptop while it is not in
>> >> use. I think on-line banking is dangerous. At some point I want to
>> >> turn off WIFI and go to wired only on my local net.
>> >>
>> >> We lock our cars and houses for a reason.
>> >>
>> >> I do not know as much security as I'd like, however it might be
>> >> necessary at some point to become more cyber.
>> >>
>> >> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
>> >> helped me build a server that I ran out of my home. We left the
>> >> email relay open and I got exploited. About 10 years ago I became
>> >> root and I accidentally overwrote my home directory. yikes... both
>> >> were painful. The first example is a reason we must be more aware
>> >> of what we are doing. The 2nd is an example why we should use sudo
>> >> as much as we can instead of becoming root.
>> >>
>> >> Keith
>> >>
>> >> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>> >>> I just realized, while 99% of the people on this list are honest
>> >>> there is the diabolical 1%. So I guess I enter my password for the
>> >>> rest of my life. Or do you think that it really matters considering
>> >>> this is only a mailing list?
>> >>>
>> >>> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>> >>>
>> >>>> Thanks for saying this. I realized that I only needed to run apt
>> >>>> as root. I didn't know how to make it so I could do that..... but
>> >>>> ChatGPT did!
>> >>>>
>> >>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>> >>>> <> wrote:
>> >>>>
>> >>>>> NO WORRIES FROM THIS END RUSTY.
>> >>>>>
>> >>>>> As a general rule, I use sudo only for very specific tasks
>> >>>>> (usually updating my development package tree on OS X) and
>> >>>>> nowhere else will I run anything as root. I have seen what happens
>> >>>>> to linux machines that run infected binaries as root and it can
>> >>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>> >>>>> out of service because of other items I was involved with, so I
>> >>>>> simply made part of the dir tree immutable after replacing a few
>> >>>>> files in /etc. That would fill up the system logs with an error
>> >>>>> message about a specific binary trying to replace a small number
>> >>>>> of conf files. Once the offending binary was found, it made
>> >>>>> things easier trying to disable it or get rid of it. However,
>> >>>>> after a while, I simply pulled the drive and ran it through a DoD
>> >>>>> secure erase and installed a newer linux distro on it. I did use
>> >>>>> the same trick with chattr to make /bin, /sbin and /etc immutable.
>> >>>>> That last turned out to be handy as I caught someone trying to
>> >>>>> rootkit my machine using a known exploit, only they couldn’t get
>> >>>>> it to run because the binaries they wanted to replace couldn’t be
>> >>>>> written to. :) Yes, this would be a bit excessive, but over the
>> >>>>> long run, proved far less inconvenient than having to wipe and
>> >>>>> reinstall an OS.
>> >>>>>
>> >>>>> -Eric
>> >>>>> From the central Offices of the Technomage Guild, security
>> >>>>> Applications Dept.
>> >>>>>
>> >>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>> >>>>> <> wrote:
>> >>>>>>
>> >>>>>> (Deep breath. Calm...)
>> >>>>>>
>> >>>>>> I can't figure out how to respond rationally to the below, so
>> >>>>>> all I'm going to say is - before you call troll, you might want
>> >>>>>> to research the author, and read a bit more carefully what they
>> >>>>>> wrote. I don't believe I recommended any of the crazy things you
>> >>>>>> suggest. And I certainly didn't intend to imply any of that.
>> >>>>>>
>> >>>>>> On the other hand, it may not have been clear, so I'll just say
>> >>>>>> "Sorry that what I wrote wasn't clear, but English isn't my first
>> >>>>>> language. Unfortunately it's the only one I know".
>> >>>>>>
>> >>>>>> And on that note, I'll shut up.
>> >>>>>>
>> >>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>> >>>>>>> I feel like you're trolling so I'm not going to spend very much
>> >>>>>>> time on this.
>> >>>>>>>
>> >>>>>>> It's been a generally good security practice for at least the
>> >>>>>>> last 25+ years to not regularly run as a privileged user,
>> >>>>>>> requiring some sort of escalation to do administrative-type
>> >>>>>>> tasks. By using passwordless sudo, you're taking away that
>> >>>>>>> escalation. Why not just run as root? Then you don't need sudo at
>> >>>>>>> all. In fact, why even have a password at all? Why encrypt? Why
>> >>>>>>> don't you just put all your data on a publicly accessible FTP
>> >>>>>>> server and just grab stuff when you need it? The NSA has all your
>> >>>>>>> data anyway and you don't have anything to hide so why not just
>> >>>>>>> leave it out there for the world to see?
>> >>>>>>>
>> >>>>>>> As for something malicious needing to be written to use sudo,
>> >>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
>> >>>>>>> at least try then that seems like a pretty dumb malicious script
>> >>>>>>> to me.
>> >>>>>>>
>> >>>>>>> You also don't necessarily need to open/run something for it to
>> >>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>> >>>>>>> tracker-miner application which indexes files in your home
>> >>>>>>> directory. And before you say that wouldn't happen in KDE, it too
>> >>>>>>> has a similar program, I believe called Baloo.
>> >>>>>>>
>> >>>>>>> There also exists the recent doas program and the systemd
>> >>>>>>> replacement run0 to do the same.
>> >>>>>>>
>> >>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>> >>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> First, I know that for some reason RedHat seems to think that
>> >>>>>>>> sudo is bad/insecure.
>> >>>>>>>>
>> >>>>>>>> I'd like to know the logic there, as I think the argument FOR
>> >>>>>>>> using sudo is MUCH stronger than any argument I've heard (which,
>> >>>>>>>> admittedly, is pretty close to zero) AGAINST it. Here's my
>> >>>>>>>> thinking:
>> >>>>>>>>
>> >>>>>>>> Allowing users to become root via sudo gives you:
>> >>>>>>>>
>> >>>>>>>> - VERY fine control over what programs a user can use as root
>> >>>>>>>>
>> >>>>>>>> - The ability to remove admin privs (ability to run as root)
>> >>>>>>>> from an individual WITHOUT having to change root password
>> >>>>>>>> everywhere.
>> >>>>>>>>
>> >>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>> >>>>>>>> corporation, that 2nd feature is well worth the price of
>> >>>>>>>> admission, PLUS I can only allow certain admins to run certain
>> >>>>>>>> programs? Very nice.
>> >>>>>>>>
>> >>>>>>>> So, for example, at my last place I allowed the 'tester' user
>> >>>>>>>> to run fdisk as root, because they needed to partition the disk
>> >>>>>>>> under test. In my case, and since the network that we ran on was
>> >>>>>>>> totally isolated from the corporate network, I let fdisk be run
>> >>>>>>>> without needing a password. Oh, and if they messed up and
>> >>>>>>>> fdisk'ed the boot partition, it was no big deal - I could
>> >>>>>>>> recreate the machine from scratch (minus whatever data hadn't
>> >>>>>>>> been copied off yet - which would only be their most recent
>> >>>>>>>> run), in 10 minutes (which was about 2 minutes of my time, and 8
>> >>>>>>>> minutes of scripted 'dd' ;-) However, if the test user wanted to
>> >>>>>>>> become root using su, they had to enter the test user password.
>> >>>>>>>>
>> >>>>>>>> So, back to the original question - setting sudo to not require
>> >>>>>>>> a password. We should have asked, what program do you want to
>> >>>>>>>> run as root without requiring a password? How secure is your
>> >>>>>>>> system? What else do you use it for? Who has access? etc, etc,
>> >>>>>>>> etc.
>> >>>>>>>>
>> >>>>>>>> There's one other minor objection I have to the 'zero defense'
>> >>>>>>>> statement below - the malicious thing you downloaded (and, I
>> >>>>>>>> assume ran) has to be written to USE sudo in its attempt to
>> >>>>>>>> break in, I believe, or it wouldn't matter HOW open your sudo
>> >>>>>>>> was. (simply saying 'su - myscript' won't do it).
>> >>>>>>>>
>> >>>>>>>> And, if you're truly paranoid about stuff you download, you
>> >>>>>>>> should:
>> >>>>>>>>
>> >>>>>>>> 1 - NEVER download something you don't have an excellent reason
>> >>>>>>>> to believe is 'safe', and ALWAYS make sure you actually
>> >>>>>>>> downloaded it from where you thought you did.
>> >>>>>>>>
>> >>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
>> >>>>>>>> and test software on, which you can totally disconnect from your
>> >>>>>>>> network (not JUST the internet), and which has NO confidential
>> >>>>>>>> info, and which you can erase and rebuild without caring. Run
>> >>>>>>>> the downloaded stuff there, for a long time, until you're pretty
>> >>>>>>>> sure it won't bite you.
>> >>>>>>>>
>> >>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything from
>> >>>>>>>> anywhere, disconnect from the internet permanently, get
>> >>>>>>>> high-tech locks for your doors, and wrap your house in a faraday
>> >>>>>>>> cage!
>> >>>>>>>>
>> >>>>>>>> And probably don't leave the house....
>> >>>>>>>>
>> >>>>>>>> The point of number 3 is that there is always a risk, even with
>> >>>>>>>> 'well-known' software, and as someone else said - they're
>> >>>>>>>> watching you anyway. The question is how 'safe' do you want to
>> >>>>>>>> be? And how paranoid are you, really?
>> >>>>>>>>
>> >>>>>>>> Wow, talk about rabbit hole! ;-)
>> >>>>>>>>
>> >>>>>>>> 'Let the flames begin!' :-)
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>> >>>>>>>>>> wanted sudo not to require a password.
>> >>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>> >>>>>>>>> There's basically zero defense if you happen to download/run
>> >>>>>>>>> something malicious.
>> >>>>>>>>>
>> >>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>> >>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>> >>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I spent
>> >>>>>>>>>> about half an hour asking it the wrong question but after that
>> >>>>>>>>>> it took 2 minutes. I wanted sudo not to require a password. It
>> >>>>>>>>>> is wonderful! Now I don't have to bug you guys. So it looks
>> >>>>>>>>>> like this is the end of the user group unless you want to talk
>> >>>>>>>>>> about OT stuff.
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> :-)~MIKE~(-:
>> >>>>>>>>>> ---------------------------------------------------
>> >>>>>>>>>> PLUG-discuss mailing list:
>> >>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>> >>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> >>>>>>>>>>
>> >>>>>>>>
>> >>>>>
>>
>

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
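
Added example (not part of the original thread, and not any poster's code): the thread contrasts blanket passwordless sudo with rules scoped to one program, such as apt for a single user or fdisk for the 'tester' account. The sketch below classifies sudoers user specifications along that line. The sample lines, user names and paths are constructed assumptions, and the parser handles only simple single-line rules (no alias expansion, line continuations or per-command runas lists).

```python
import re

# Constructed sample sudoers content (not taken from the thread). The user
# names and paths are assumptions used only for illustration.
SAMPLE = """\
mike    ALL=(ALL:ALL) NOPASSWD: ALL
mike    ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade
tester  ALL=(root) NOPASSWD: /sbin/fdisk
ops     ALL=(root) /usr/bin/systemctl, NOPASSWD: ALL
%admin  ALL=(ALL) ALL
Defaults secure_path="/usr/sbin:/usr/bin"
Cmnd_Alias PKG = /usr/bin/apt
"""

# Lines that are settings, aliases or includes rather than user specifications.
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@")
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit(text):
    """Classify each simple 'user host = (runas) [TAG:] cmd, ...' line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified)
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        nopasswd, verdict = False, "password-required"
        for item in m.group(3).split(","):
            item = item.strip()
            while (t := TAG.match(item)):        # tags persist to later commands
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            if nopasswd and item == "ALL":
                verdict = "blanket-nopasswd"     # any command, no password
            elif nopasswd and verdict != "blanket-nopasswd":
                verdict = "scoped-nopasswd"      # only the listed commands
        findings.append((m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for who, verdict in audit(SAMPLE):
        print(f"{who:8} {verdict}")
```

The 'ops' line shows why the whole command list has to be read: a NOPASSWD tag applies to every command that follows it, so a rule that starts with a scoped command can still end in a passwordless ALL.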