Re: sudo in general, and not requiring password in particula…

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: George Toft via PLUG-discuss
Date:  
To: techlists
CC: George Toft, Main PLUG discussion list
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Had a chance to casually ask about the washed check thing today. Big
eye-roll. Police report. Affidavits. Close the checking account. Big
investigation. Sounds like a PITA.

Regards,

George Toft

On 7/4/2024 3:14 PM, wrote:
> Thanks George!!  Lot s to think about.
>
>
> On 2024-07-04 14:23, George Toft wrote:
>> <scroll>
>>
>> Regards,
>>
>> George Toft
>>
>> On 7/4/2024 6:50 AM, wrote:
>>> Thank you so much George!!
>>>
>>> Another Question.  I was a police officer in the 80's and 90's.
>>> During my tenure the bank was on the hook for any criminal acts as
>>> long as the customer was not negligent. I only dealt with this on a
>>> couple occasional.
>>>
>>> So If someone gets access to my online banking and I report it in a
>>> timely manner, or if someone washes one of my checks and I report it
>>> in a timely manner, is the bank on the hook or am I?
>>
>> There are a ton of rules with more acronyms than the IT world has. I
>> would love to tell you what I understand, but I'd be talking out my ass.
>>
>>
>>> BTW I thought going old school was the most secure.  I do not trust
>>> the Internet.  My daily driver is a Linux Box and I do not use my
>>> cellular phone for anything except to talk and read some news.  I am
>>> semiretired and have home officed for a long time.
>>
>> Not sure there is any magic incantation that I can say that would put
>> you at ease, other than "Risk Analysis," "Government Regulation,"
>> "Audit and Reviews," "Compliance," "Controls and Countermeasures,"
>> and "Fines." We have to comply with a bazillion rules all designed to
>> protect you, the bank customer. Some regions are really strict and
>> their governments show they really care, like the EU - their rules
>> are so restrictive. Here's an example: You cannot log into a server
>> that serves the EU if Payment Card Information (PCI) is involved with
>> the same user ID that you used to log into your work station. This
>> prevents lateral movement from an insider attack should the attacker
>> get an employee's credentials or Kerberos TGT (Hey!!! It's now
>> on-topic!!!) . This is just an example. We have external inspectors
>> and government auditors on site almost every two weeks making us
>> prove compliance with all the rules, and the bigger we get, the more
>> rules and more regulatory auditors we get to talk to. We actually
>> have two people on my team of 27 whose job used to be project
>> management, now is audit and compliance. All of this to protect you.
>>
>> Let's not forget about the Security Operations Center monitoring
>> employee activities. Refer to the GTFOBins email from yesterday. I
>> documented a chained attack to get root based on that page, and the
>> SOC came knocking saying "George, we noticed suspicious activity on
>> this server and this date. Whatcha doin'?" Fortunately, I documented
>> everything and emailed it to my manager, so all I had to do was
>> forward that back to the SOC.
>>
>> Mail scares me. I had to send my LEA ID in recently via USPS. I'm
>> hoping they got it.
>>
>>
>>> Any suggestions are appreciated.
>>>
>>>
>>>
>>> On 2024-07-03 21:48, George Toft wrote:
>>>> Sorry, Kieth, I have bad news for you. You took a 30+ year leap
>>>> backwards in security.
>>>>
>>>> I can tell you for certain, from my bank fraud analyst friend (just
>>>> got promoted to financial crimes investigator), checks are the
>>>> second most insecure way of transferring money, first being putting
>>>> the money in the envelope. They helped the USPS bust a fraud ring
>>>> who worked in the Post Office - fraudsters were pulling checks out
>>>> of envelopes inside the local Post Office. My friend pulled out all
>>>> the details for the Postmaster General.
>>>>
>>>> ACH is free (for you) and secure and guaranteed by the originator
>>>> as they are on the hook to prove the identity of who initiated the
>>>> transaction and they have to pay. It's all very complicated, and
>>>> I'm not going into details here.
>>>>
>>>> I use ACH all the time. My physical devices have multi-layer
>>>> physical protection. Logical access control is in-place. Both have
>>>> multi-factor authentication. Password resets require multi-factor
>>>> authentication.
>>>>
>>>> And the DoD is worse - their systems have so many layers, it was
>>>> easier to just let my account get deleted from lack of use and
>>>> rebuilt it from scratch. I have notes that tell me screen-by-screen
>>>> what to put in each box and which ones to ignore. It's so secure,
>>>> legitimate users can't even get in... and this is just my health
>>>> insurance.
>>>>
>>>> Where all of this can break down - getting on topic - is with the
>>>> SSH protocol and web proxies. When you connect to a website using
>>>> HTTPS using a web proxy, your web browser uses it's cert to set up
>>>> the connection, or so it thinks. What's really happening is the
>>>> proxy is responding to the request and decrypting the message, then
>>>> it forms a new request and sends it to the bank, which believes the
>>>> proxy and sends it back. Everything gets decrypted on the proxy, so
>>>> whoever has admin access to the proxy can see everything. Kinda
>>>> like opening envelopes in the mail room :) Disclaimer: This is what
>>>> some networking guys told me in a presentation about 10 years ago.
>>>>
>>>> In summary, ACH is safe if you do it from home without a proxy. Of
>>>> course "safe" is relative, but it's safer than checks in the mail.
>>>> Drop into your bank and ask the branch manager, or call their
>>>> customer service and ask. They won't tell you checks are bad, but
>>>> they will steer you to ACH and tell you it's better. Break out the
>>>> Rosetta Stone and figure out what "better" means in
>>>> corporate-speak. Banks are in it to win it, and they don't offer
>>>> something for free unless they are saving money (cost avoidance) on
>>>> the alternatives.
>>>>
>>>> Regards,
>>>>
>>>> George Toft
>>>>
>>>> On 7/3/2024 6:21 AM, wrote:
>>>>> <scroll>
>>>>>
>>>>> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
>>>>>> I work for a bank, and you would be amazed at how much security
>>>>>> is baked into the connecting your browser to their web servers.
>>>>>> Makes the NSA look like freshmen. And no, I'm not telling you who
>>>>>> I work for.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> George Toft
>>>>>
>>>>> I'd like to hear more.  The world is a hostile place.  I recently
>>>>> went old school.  I asked the bank to disarm my online banking.  I
>>>>> now deal with paper statements and everything gets paid by check.
>>>>> Not as convenient as on-line banking, however I am hoping it makes
>>>>> my world a little bit more secure.
>>>>>
>>>>> What are your thoughts?
>>>>>
>>>>> Keith
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>>>>>>> Mike,
>>>>>>>
>>>>>>> The world is a hostile place.  The more precautions you take the
>>>>>>> better.  I cover the camera on my cellular phone while not in
>>>>>>> use.  I cover the camera that is built into my laptop while it
>>>>>>> is not in use. I think on-line banking is dangerous.  At some
>>>>>>> point I want to turn off WIFI and go to wired only on my local net.
>>>>>>>
>>>>>>> We lock our cars and houses for a reason.
>>>>>>>
>>>>>>> I do not know as much security as I'd like, however it might be
>>>>>>> necessary at some point to to become more cyber.
>>>>>>>
>>>>>>> About 24 years ago the members of the Tucson Free Unix Group
>>>>>>> (TFUG) helped me build a server that I ran out of my home.  We
>>>>>>> left the email relay open and I got exploited. About 10 years
>>>>>>> ago I became root and I accidentally overwrote my home
>>>>>>> directory. yikes... both were painful. The first example is a
>>>>>>> reason we must be more aware of what we are doing. The 2nd is an
>>>>>>> example why we should use sudo as much as we can instead of
>>>>>>> becoming root.
>>>>>>>
>>>>>>> Keith
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>>>>>>> I just realized, while 99% of the people on this list are
>>>>>>>> honest there
>>>>>>>> is the diabolical 1%. So I guess I enter my password for the
>>>>>>>> rest of
>>>>>>>> my life. Or do you think that it really matters considering
>>>>>>>> this is
>>>>>>>> only a mailing list?
>>>>>>>>
>>>>>>>> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>>>>>>>>
>>>>>>>>> Thanks for saying this. I realized that I only needed to run
>>>>>>>>> apt as
>>>>>>>>> root. I didn't know how to make it so I could do that..... but
>>>>>>>>> chatgt did!
>>>>>>>>>
>>>>>>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>>>>>>>>> <> wrote:
>>>>>>>>>
>>>>>>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>>>>>>
>>>>>>>>>> As a general rule, I use sudo only for very specific tasks
>>>>>>>>>> (usually updating my development package tree on OS X) and no
>>>>>>>>>> where else will I run anything as root. I have seen what happens
>>>>>>>>>> to linux machines that run infected binaries as root and it can
>>>>>>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>>>>>>> out of service because of other items I was involved with, so I
>>>>>>>>>> simply made part of the dir tree immutable after replacing a few
>>>>>>>>>> files in /etc. That would fill up the system logs with an error
>>>>>>>>>> message about a specific binary trying to replace a small number
>>>>>>>>>> of conf files. Once the offending binary was found, it made
>>>>>>>>>> things
>>>>>>>>>> easier trying to disable it or get rid of it. However, after a
>>>>>>>>>> while, I simply pulled the drive and ran it through a Dod secure
>>>>>>>>>> erase and installed a newer linux bistro on it. I did use the
>>>>>>>>>> same
>>>>>>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>>>>>>> last turned out to be handy as I caught someone trying to
>>>>>>>>>> rootkit
>>>>>>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>>>>>>> run because the binaries they wanted to replace couldn’t be
>>>>>>>>>> written to. :)Yes, this would be a bit excessive, but over the
>>>>>>>>>> long run, proved far less inconvenient than having to wipe and
>>>>>>>>>> reinstall an OS.
>>>>>>>>>>
>>>>>>>>>> -Eric
>>>>>>>>>> From the central Offices of the Technomage Guild, security
>>>>>>>>>> Applications Dept.
>>>>>>>>>>
>>>>>>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>>>>>>>>>> <> wrote:
>>>>>>>>>>>
>>>>>>>>>>> (Deep breath.  Calm...)
>>>>>>>>>>>
>>>>>>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>>>>>> all I'm going to say is - before you call troll, you might want
>>>>>>>>>> to research the author, and read a bit more carefully what they
>>>>>>>>>> wrote.  I don't believe I recommended any of the crazy things
>>>>>>>>>> you
>>>>>>>>>> suggest.  And I certainly didn't intend to imply any of that.
>>>>>>>>>>>
>>>>>>>>>>> On the other hand, it may not have  been clear, so I'll just
>>>>>>>>>>> say
>>>>>>>>>> "Sorry that what I wrote wasn't clear, but english isn't my
>>>>>>>>>> first
>>>>>>>>>> language.  Unfortunately its the only one I know".
>>>>>>>>>>>
>>>>>>>>>>> And on that note, I'll shut up.
>>>>>>>>>>>
>>>>>>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>>>>>>> I feel like you're trolling so I'm not going to spend very
>>>>>>>>>>>> much
>>>>>>>>>> time on this.
>>>>>>>>>>>>
>>>>>>>>>>>> It's been a generally good security practice for at least the
>>>>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>>>>> requiring some sort of escalation to do administrative-type
>>>>>>>>>> tasks.
>>>>>>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>>>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>>>>>>> fact, why even have a password at all? Why encrypt? Why don't
>>>>>>>>>> you
>>>>>>>>>> just put all your data on a publicly accessible FTP server and
>>>>>>>>>> just grab stuff when you need it? The NSA has all your data
>>>>>>>>>> anyway
>>>>>>>>>> and you don't have anything to hide so why not just leave it out
>>>>>>>>>> there for the world to see?
>>>>>>>>>>>>
>>>>>>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it
>>>>>>>>>> didn't
>>>>>>>>>> at least try then that seams like a pretty dumb malicious script
>>>>>>>>>> to me.
>>>>>>>>>>>>
>>>>>>>>>>>> You also don't necessarily need to open/run something for
>>>>>>>>>>>> it to
>>>>>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>>>>> tracker-miner application which indexes files in your home
>>>>>>>>>> directory. And before you say that wouldn't happen in KDE, it
>>>>>>>>>> too
>>>>>>>>>> has a similar program, I believe called Baloo.
>>>>>>>>>>>>
>>>>>>>>>>>> There also exists the recent doas program and the systemd
>>>>>>>>>> replacement run0 to do the same.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
>>>>>>>>>> PLUG-discuss wrote:
>>>>>>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>>>>>>> sudo is
>>>>>>>>>>>>> bad/insecure.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>>>>>>> using sudo
>>>>>>>>>>>>> is MUCH stronger than any argument I've heard (which,
>>>>>>>>>> admittedly, is
>>>>>>>>>>>>> pretty close to zero) AGAINST it.   Here's my thinking:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>>>>>>
>>>>>>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>>>>>>
>>>>>>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>>>>>>> from an
>>>>>>>>>>>>> individual WITHOUT having to change root password everywhere.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>>>>>>> corporation,
>>>>>>>>>>>>> that 2nd feature is well worth the price of admission, PLUS I
>>>>>>>>>> can only
>>>>>>>>>>>>> allow certain admins to run certain programs? Very nice.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>>>>>>> to run
>>>>>>>>>>>>> fdisk as root, because they needed to partition the disk
>>>>>>>>>>>>> under
>>>>>>>>>> test.  In
>>>>>>>>>>>>> my case, and since the network that we ran on was totally
>>>>>>>>>> isolated from
>>>>>>>>>>>>> the corporate network, I let fdisk be run without needing a
>>>>>>>>>> password.
>>>>>>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
>>>>>>>>>> was no big
>>>>>>>>>>>>> deal - I could recreate the machine from scratch (minus
>>>>>>>>>> whatever data
>>>>>>>>>>>>> hadn't been copied off yet - which would only be their most
>>>>>>>>>> recent run),
>>>>>>>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8
>>>>>>>>>> minutes of
>>>>>>>>>>>>> scripted 'dd' ;-) However, if the test user wanted to become
>>>>>>>>>> root using
>>>>>>>>>>>>> su, they had to enter the test user password.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So, back to the original question - setting sudo to not
>>>>>>>>>> require a
>>>>>>>>>>>>> password.  We should have asked, what program do you want to
>>>>>>>>>> run as root
>>>>>>>>>>>>> without requiring a password? How secure is your system? What
>>>>>>>>>> else do
>>>>>>>>>>>>> you use it for?  Who has access?  etc, etc, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> There's one other minor objection I have to the 'zero
>>>>>>>>>>>>> defense'
>>>>>>>>>> statement
>>>>>>>>>>>>> below - the malicious thing you downloaded (and, I assume
>>>>>>>>>>>>> ran)
>>>>>>>>>> has to be
>>>>>>>>>>>>> written to USE sudo in its attempt to break in, I believe, or
>>>>>>>>>> it
>>>>>>>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -
>>>>>>>>>> myscript'
>>>>>>>>>>>>> won't do it).
>>>>>>>>>>>>>
>>>>>>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>>>>>>> should:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>>>>>>> reason to
>>>>>>>>>>>>> believe is 'safe', and ALWAYS make sure you actually
>>>>>>>>>> downloaded it from
>>>>>>>>>>>>> where you thought you did.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to
>>>>>>>>>>>>> download
>>>>>>>>>> and test
>>>>>>>>>>>>> software on, which you can totally disconnect from your
>>>>>>>>>> network (not
>>>>>>>>>>>>> JUST the internet), and which has NO confidential info, and
>>>>>>>>>> which you
>>>>>>>>>>>>> can erase and rebuild without caring.  Run the downloaded
>>>>>>>>>> stuff there,
>>>>>>>>>>>>> for a long time, until you're pretty sure it won't bite you.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>>>>>>> from
>>>>>>>>>>>>> anywhere, disconnect from the internet permanently, get
>>>>>>>>>> high-tech locks
>>>>>>>>>>>>> for your doors, and wrap your house in a faraday cage!
>>>>>>>>>>>>>
>>>>>>>>>>>>> And probably don't leave the house....
>>>>>>>>>>>>>
>>>>>>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>>>>>>> with
>>>>>>>>>>>>> 'well-known' software, and as someone else said - they're
>>>>>>>>>> watching you
>>>>>>>>>>>>> anyway.  The question is how 'safe' do you want to be? And
>>>>>>>>>>>>> how
>>>>>>>>>> paranoid
>>>>>>>>>>>>> are you, really?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>>>>>>> Please reconsider this... This is VERY BAD security
>>>>>>>>>>>>>> practice.
>>>>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>>>>> something malicious.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I sprint
>>>>>>>>>> about half an hour asking it the wrong question but after
>>>>>>>>>> that it
>>>>>>>>>> took 2 minutes. I wanted sudo not to require a password. it is
>>>>>>>>>> wonderful! now I don't have to bug you guys. so it looks like
>>>>>>>>>> this
>>>>>>>>>> is the end of the user group unless you want to talk about OT
>>>>>>>>>> stuff.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- :-)~MIKE~(-:
>>>>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>>>>
>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list:
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>> ---------------------------------------------------
>>>>>>> PLUG-discuss mailing list:
>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>> ---------------------------------------------------
>>>>>> PLUG-discuss mailing list:
>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss