sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)

rusty rustycar54 at descomp.com
Wed Jul 3 13:00:23 MST 2024


Let me start by apologizing here - I'm feeling a bit silly...

how about 'becomeroot' or 'iwannaplaygod' or 'rootme' or maybe even 
'meroot'  or 'beroot'

Yeah, sorry, but remember I did apologize first! ;-)
And, of course, DON'T POST what you made it!

On Wed, Jul 3, 2024 at 07:59, Michael via PLUG-discuss 
<plug-discuss at lists.phxlinux.org> wrote:
> I've figured out how I'm going to secure my system. I will link sudo 
> to another command and then create an alias for sudo that will echo 
> something like, 'Sudo has been disabled,' if I forget. Now I need 
> suggestions on what to use. ChatGPT suggests supersudo but that's
> too long. What do you all think?
> 
> On Tue, Jul 2, 2024 at 11:42 PM George Toft via PLUG-discuss 
> <plug-discuss at lists.phxlinux.org 
> <mailto:plug-discuss at lists.phxlinux.org>> wrote:
>>  Okay, I now come begging for more information on why RH thinks sudo is
>>  bad. But first a little background...
>> 
>>  Where I work, the first thing we do is remove sudo and replace it with a
>>  shell script that calls our centralized Privileged Access Management
>>  (PAM) system (not naming vendor). The use of sudo requires an exception
>>  and review and is not permanent. So I'm very versed on the principles
>>  and implementation of PAM. Last year our Staff Architect asked me to
>>  compare and contrast sudo against <unnamed product>. Side-by-side,
>>  feature-by-feature, I did so, based on our POC's on Red Hat Identity
>>  Manager (IdM), which uses sudo, and locally engineered solutions.
>> 
>>  I personally detest sudo because it's like chmod 777 * - makes
>>  everything work so much better, and software vendors can just drop in
>>  their own sudo rules in /etc/sudoers.d/ and make magic happen without
>>  you ever knowing what happened. Several times we've had to convert some
>>  vendor's sudo rules to our own system's rules, and I ask the vendor "Why
>>  do you have this rule?" Their answer: "We don't know." OFFS :(
>> 
>>  As far as sudo goes, it is included in the Center for Internet
>>  Security's (CIS) Benchmarks, which is the embodiment of the information
>>  security industry's best practices. I did some work for them for a
>>  couple years, and every change (add/mod/delete) required consensus
>>  approval from 80 organizations around the world, including three letter
>>  agencies in the US and abroad. Many/most auditors expect financial
>>  institutions to follow this guide, or explain convincingly why not. So
>>  every six months, we get to say: "We don't use sudo. Instead, we do
>>  this." And then we get to do live demos of timed privileged access.
>>  Haven't had a follow-on question in the last 8 years.
>> 
>>  (OT: I cringe at referring to CIS because of their collusion with the
>>  Arizona Secretary of State and the Department of Homeland Security to
>>  suppress people's First Amendment Right to Free Speech. Proof is in the
>>  Elon Musk Twitter Dump. I do not have a copy of the email on my
>>  computer. I generally don't tell people I did work for them - it's so
>>  embarrassing. Effing Ratbastards.)
>> 
>>  So... back to the original question, as I was not able to find anything
>>  saying Red Hat discourages sudo, nor was my favorite AI. Please toss me
>>  a cookie...
>> 
>>  Regards,
>> 
>>  George Toft
>> 
>>  On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>>  > Actually, I'd like to start a bit of a discussion on this.
>>  >
>>  >
>>  > First, I know that for some reason RedHat seems to think that sudo is
>>  > bad/insecure.
>>  >
>>  > I'd like to know the logic there, as I think the argument FOR using
>>  > sudo is MUCH stronger than any argument I've heard (which, admittedly,
>>  > is pretty close to zero) AGAINST it. Here's my thinking:
>>  >
>>  > Allowing users to become root via sudo gives you:
>>  >
>>  >  - VERY fine control over what programs a user can use as root
>>  >
>>  >  - The ability to remove admin privs (ability to run as root) from an
>>  >    individual WITHOUT having to change root password everywhere.
>>  >
>>  > Now, remember, RH is supposedly 'corporate friendly'. As a
>>  > corporation, that 2nd feature is well worth the price of admission,
>>  > PLUS I can only allow certain admins to run certain programs? Very nice.
>>  >
>>  > So, for example, at my last place I allowed the 'tester' user to run
>>  > fdisk as root, because they needed to partition the disk under test.
>>  > In my case, and since the network that we ran on was totally isolated
>>  > from the corporate network, I let fdisk be run without needing a
>>  > password. Oh, and if they messed up and fdisk'ed the boot partition,
>>  > it was no big deal - I could recreate the machine from scratch (minus
>>  > whatever data hadn't been copied off yet - which would only be their
>>  > most recent run), in 10 minutes (which was about 2 minutes of my time,
>>  > and 8 minutes of scripted 'dd' ;-) However, if the test user wanted
>>  > to become root using su, they had to enter the test user password.
>>  >
>>  > So, back to the original question - setting sudo to not require a
>>  > password. We should have asked, what program do you want to run as
>>  > root without requiring a password? How secure is your system? What
>>  > else do you use it for? Who has access? etc, etc, etc.
>>  >
>>  > There's one other minor objection I have to the 'zero defense'
>>  > statement below - the malicious thing you downloaded (and, I assume
>>  > ran) has to be written to USE sudo in its attempt to break in, I
>>  > believe, or it wouldn't matter HOW open your sudo was. (simply saying
>>  > 'su - myscript' won't do it).
>>  >
>>  > And, if you're truly paranoid about stuff you download, you should:
>>  >
>>  > 1 - NEVER download something you don't have an excellent reason to
>>  > believe is 'safe', and ALWAYS make sure you actually downloaded it
>>  > from where you thought you did.
>>  >
>>  > 2 - For the TRULY paranoid, have a machine you use to download and
>>  > test software on, which you can totally disconnect from your network
>>  > (not JUST the internet), and which has NO confidential info, and which
>>  > you can erase and rebuild without caring. Run the downloaded stuff
>>  > there, for a long time, until you're pretty sure it won't bite you.
>>  >
>>  > 3 - For the REALLY REALLY paranoid, don't download anything from
>>  > anywhere, disconnect from the internet permanently, get high-tech
>>  > locks for your doors, and wrap your house in a faraday cage!
>>  >
>>  > And probably don't leave the house....
>>  >
>>  > The point of number 3 is that there is always a risk, even with
>>  > 'well-known' software, and as someone else said - they're watching you
>>  > anyway. The question is how 'safe' do you want to be? And how
>>  > paranoid are you, really?
>>  >
>>  > Wow, talk about rabbit hole! ;-)
>>  >
>>  > 'Let the flames begin!' :-)
>>  >
>>  >
>>  > On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>  >>> wanted sudo not to require a password.
>>  >> Please reconsider this... This is VERY BAD security practice. There's
>>  >> basically zero defense if you happen to download/run something
>>  >> malicious.
>>  >>
>>  >> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>  >>> then I remember that a PLUG member mentioned ChatGPT being good at
>>  >>> troubleshooting so I figured I'd give it a go. I spent about half
>>  >>> an hour asking it the wrong question but after that it took 2
>>  >>> minutes. I wanted sudo not to require a password. It is wonderful!
>>  >>> Now I don't have to bug you guys. So it looks like this is the end
>>  >>> of the user group unless you want to talk about OT stuff.
>>  >>>
>>  >>> --
>>  >>> :-)~MIKE~(-:
>>  >>> ---------------------------------------------------
>>  >>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org 
>> <mailto:PLUG-discuss at lists.phxlinux.org>
>>  >>> To subscribe, unsubscribe, or to change your mail settings:
>>  >>> <https://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>>  >>>
>>  >>
> 
> 
> --
> :-)~MIKE~(-:
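
The thread turns on two concrete things: a blanket "no password" sudo rule versus one scoped to a single command such as fdisk, and vendor drop-ins landing in /etc/sudoers.d/ without anyone noticing. The script below is an added example, not code from the list or from any product mentioned in it; it builds a throwaway sudoers.d-style tree of constructed rules under mktemp (the user names, file names and rule text are all made up for illustration) and flags every passwordless rule whose command list contains ALL, so it never touches the real /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: flag passwordless rules in a constructed sudoers.d tree.

# audit_sudoers DIR: one line per NOPASSWD rule in DIR/*, tagged RISKY when
# any command in the rule's command list is the literal ALL, else SCOPED.
audit_sudoers() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # drop comments and blank lines, keep only rules that skip the password
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | grep 'NOPASSWD' |
        while IFS= read -r rule; do
            cmds=${rule##*NOPASSWD:}      # text after the last "NOPASSWD:"
            tag=SCOPED
            old_ifs=$IFS; IFS=,
            for c in $cmds; do
                c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                if [ "$c" = ALL ]; then tag=RISKY; fi
            done
            IFS=$old_ifs
            printf '%s %s: %s\n' "$tag" "$(basename "$f")" "$rule"
        done
    done
}

# make_sample: write constructed rules mirroring the thread's scenarios and
# print the directory path; the caller removes it afterwards.
make_sample() {
    d=$(mktemp -d)
    # a blanket rule: sudo skips the password for every command
    printf 'michael ALL=(ALL) NOPASSWD: ALL\n' > "$d/90-michael"
    # the tester/fdisk arrangement: passwordless, but one command only
    printf '# partition the disk under test\ntester ALL=(root) NOPASSWD: /sbin/fdisk\n' > "$d/50-tester"
    # a rule that still prompts for a password is not reported at all
    printf '%%wheel ALL=(ALL) ALL\n' > "$d/10-wheel"
    printf '%s\n' "$d"
}

# count_risky DIR: number of RISKY rules, handy as a check in a hardening script
count_risky() {
    audit_sudoers "$1" | grep -c '^RISKY' || true
}

main() {
    d=$(make_sample)
    audit_sudoers "$d"
    echo "risky passwordless rules: $(count_risky "$d")"
    rm -rf "$d"
}
main "$@"
```

Pointing audit_sudoers at a copy of a real /etc/sudoers.d answers George's "why do you have this rule?" before an auditor asks it; a RISKY line is the one to replace with a command-scoped rule like the tester/fdisk one.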
