sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)

techlists at phpcoderusa.com techlists at phpcoderusa.com
Thu Jul 4 06:50:41 MST 2024 

Thank you so much George!!

Another Question.  I was a police officer in the 80's and 90's.  During 
my tenure the bank was on the hook for any criminal acts as long as the 
customer was not negligent. I only dealt with this on a couple 
occasional.

So If someone gets access to my online banking and I report it in a 
timely manner, or if someone washes one of my checks and I report it in 
a timely manner, is the bank on the hook or am I?

BTW I thought going old school was the most secure.  I do not trust the 
Internet.  My daily driver is a Linux Box and I do not use my cellular 
phone for anything except to talk and read some news.  I am semiretired 
and have home officed for a long time.

Any suggestions are appreciated.



On 2024-07-03 21:48, George Toft wrote:
> Sorry, Kieth, I have bad news for you. You took a 30+ year leap 
> backwards in security.
> 
> I can tell you for certain, from my bank fraud analyst friend (just got 
> promoted to financial crimes investigator), checks are the second most 
> insecure way of transferring money, first being putting the money in 
> the envelope. They helped the USPS bust a fraud ring who worked in the 
> Post Office - fraudsters were pulling checks out of envelopes inside 
> the local Post Office. My friend pulled out all the details for the 
> Postmaster General.
> 
> ACH is free (for you) and secure and guaranteed by the originator as 
> they are on the hook to prove the identity of who initiated the 
> transaction and they have to pay. It's all very complicated, and I'm 
> not going into details here.
> 
> I use ACH all the time. My physical devices have multi-layer physical 
> protection. Logical access control is in-place. Both have multi-factor 
> authentication. Password resets require multi-factor authentication.
> 
> And the DoD is worse - their systems have so many layers, it was easier 
> to just let my account get deleted from lack of use and rebuilt it from 
> scratch. I have notes that tell me screen-by-screen what to put in each 
> box and which ones to ignore. It's so secure, legitimate users can't 
> even get in... and this is just my health insurance.
> 
> Where all of this can break down - getting on topic - is with the SSH 
> protocol and web proxies. When you connect to a website using HTTPS 
> using a web proxy, your web browser uses it's cert to set up the 
> connection, or so it thinks. What's really happening is the proxy is 
> responding to the request and decrypting the message, then it forms a 
> new request and sends it to the bank, which believes the proxy and 
> sends it back. Everything gets decrypted on the proxy, so whoever has 
> admin access to the proxy can see everything. Kinda like opening 
> envelopes in the mail room :) Disclaimer: This is what some networking 
> guys told me in a presentation about 10 years ago.
> 
> In summary, ACH is safe if you do it from home without a proxy. Of 
> course "safe" is relative, but it's safer than checks in the mail. Drop 
> into your bank and ask the branch manager, or call their customer 
> service and ask. They won't tell you checks are bad, but they will 
> steer you to ACH and tell you it's better. Break out the Rosetta Stone 
> and figure out what "better" means in corporate-speak. Banks are in it 
> to win it, and they don't offer something for free unless they are 
> saving money (cost avoidance) on the alternatives.
> 
> Regards,
> 
> George Toft
> 
> On 7/3/2024 6:21 AM, techlists at phpcoderusa.com wrote:
>> <scroll>
>> 
>> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
>>> I work for a bank, and you would be amazed at how much security is 
>>> baked into the connecting your browser to their web servers. Makes 
>>> the NSA look like freshmen. And no, I'm not telling you who I work 
>>> for.
>>> 
>>> Regards,
>>> 
>>> George Toft
>> 
>> I'd like to hear more.  The world is a hostile place.  I recently went 
>> old school.  I asked the bank to disarm my online banking.  I now deal 
>> with paper statements and everything gets paid by check. Not as 
>> convenient as on-line banking, however I am hoping it makes my world a 
>> little bit more secure.
>> 
>> What are your thoughts?
>> 
>> Keith
>> 
>> 
>> 
>> 
>> 
>>> 
>>> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>>>> Mike,
>>>> 
>>>> The world is a hostile place.  The more precautions you take the 
>>>> better.  I cover the camera on my cellular phone while not in use.  
>>>> I cover the camera that is built into my laptop while it is not in 
>>>> use.  I think on-line banking is dangerous.  At some point I want to 
>>>> turn off WIFI and go to wired only on my local net.
>>>> 
>>>> We lock our cars and houses for a reason.
>>>> 
>>>> I do not know as much security as I'd like, however it might be 
>>>> necessary at some point to to become more cyber.
>>>> 
>>>> About 24 years ago the members of the Tucson Free Unix Group (TFUG) 
>>>> helped me build a server that I ran out of my home.  We left the 
>>>> email relay open and I got exploited.  About 10 years ago I became 
>>>> root and I accidentally overwrote my home directory. yikes... both 
>>>> were painful.  The first example is a reason we must be more aware 
>>>> of what we are doing. The 2nd is an example why we should use sudo 
>>>> as much as we can instead of becoming root.
>>>> 
>>>> Keith
>>>> 
>>>> 
>>>> 
>>>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>>>> I just realized, while 99% of the people on this list are honest 
>>>>> there
>>>>> is the diabolical 1%. So I guess I enter my password for the rest 
>>>>> of
>>>>> my life. Or do you think that it really matters considering this is
>>>>> only a mailing list?
>>>>> 
>>>>> On Sat, Jun 29, 2024, 10:22 AM Michael <bmike1 at gmail.com> wrote:
>>>>> 
>>>>>> Thanks for saying this. I realized that I only needed to run apt 
>>>>>> as
>>>>>> root. I didn't know how to make it so I could do that..... but
>>>>>> chatgt did!
>>>>>> 
>>>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>>>>>> <plug-discuss at lists.phxlinux.org> wrote:
>>>>>> 
>>>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>>> 
>>>>>>> As a general rule, I use sudo only for very specific tasks
>>>>>>> (usually updating my development package tree on OS X) and no
>>>>>>> where else will I run anything as root. I have seen what happens
>>>>>>> to linux machines that run infected binaries as root and it can
>>>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>>>> out of service because of other items I was involved with, so I
>>>>>>> simply made part of the dir tree immutable after replacing a few
>>>>>>> files in /etc. That would fill up the system logs with an error
>>>>>>> message about a specific binary trying to replace a small number
>>>>>>> of conf files. Once the offending binary was found, it made 
>>>>>>> things
>>>>>>> easier trying to disable it or get rid of it. However, after a
>>>>>>> while, I simply pulled the drive and ran it through a Dod secure
>>>>>>> erase and installed a newer linux bistro on it. I did use the 
>>>>>>> same
>>>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>>>> last turned out to be handy as I caught someone trying to rootkit
>>>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>>>> run because the binaries they wanted to replace couldn’t be
>>>>>>> written to. :)Yes, this would be a bit excessive, but over the
>>>>>>> long run, proved far less inconvenient than having to wipe and
>>>>>>> reinstall an OS.
>>>>>>> 
>>>>>>> -Eric
>>>>>>> From the central Offices of the Technomage Guild, security
>>>>>>> Applications Dept.
>>>>>>> 
>>>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>>>>>>> <plug-discuss at lists.phxlinux.org> wrote:
>>>>>>>> 
>>>>>>>> (Deep breath.  Calm...)
>>>>>>>> 
>>>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>>> all I'm going to say is - before you call troll,  you might want
>>>>>>> to research the author, and read a bit more carefully what they
>>>>>>> wrote.  I don't believe I recommended any of the crazy things you
>>>>>>> suggest.  And I certainly didn't intend to imply any of that.
>>>>>>>> 
>>>>>>>> On the other hand, it may not have  been clear, so I'll just say
>>>>>>> "Sorry that what I wrote wasn't clear, but english isn't my first
>>>>>>> language.  Unfortunately its the only one I know".
>>>>>>>> 
>>>>>>>> And on that note, I'll shut up.
>>>>>>>> 
>>>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>>>> I feel like you're trolling so I'm not going to spend very much
>>>>>>> time on this.
>>>>>>>>> 
>>>>>>>>> It's been a generally good security practice for at least the
>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>> requiring some sort of escalation to do administrative-type 
>>>>>>> tasks.
>>>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>>>> fact, why even have a password at all? Why encrypt? Why don't you
>>>>>>> just put all your data on a publicly accessible FTP server and
>>>>>>> just grab stuff when you need it? The NSA has all your data 
>>>>>>> anyway
>>>>>>> and you don't have anything to hide so why not just leave it out
>>>>>>> there for the world to see?
>>>>>>>>> 
>>>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
>>>>>>> at least try then that seams like a pretty dumb malicious script
>>>>>>> to me.
>>>>>>>>> 
>>>>>>>>> You also don't necessarily need to open/run something for it to
>>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>> tracker-miner application which indexes files in your home
>>>>>>> directory. And before you say that wouldn't happen in KDE, it too
>>>>>>> has a similar program, I believe called Baloo.
>>>>>>>>> 
>>>>>>>>> There also exists the recent doas program and the systemd
>>>>>>> replacement run0 to do the same.
>>>>>>>>> 
>>>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
>>>>>>> PLUG-discuss wrote:
>>>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>>>> sudo is
>>>>>>>>>> bad/insecure.
>>>>>>>>>> 
>>>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>>>> using sudo
>>>>>>>>>> is MUCH stronger than any argument I've heard (which,
>>>>>>> admittedly, is
>>>>>>>>>> pretty close to zero) AGAINST it.   Here's my thinking:
>>>>>>>>>> 
>>>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>>> 
>>>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>>> 
>>>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>>>> from an
>>>>>>>>>> individual WITHOUT having to change root password everywhere.
>>>>>>>>>> 
>>>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>>>> corporation,
>>>>>>>>>> that 2nd feature is well worth the price of admission, PLUS I
>>>>>>> can only
>>>>>>>>>> allow certain admins to run certain programs? Very nice.
>>>>>>>>>> 
>>>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>>>> to run
>>>>>>>>>> fdisk as root, because they needed to partition the disk under
>>>>>>> test.  In
>>>>>>>>>> my case, and since the network that we ran on was totally
>>>>>>> isolated from
>>>>>>>>>> the corporate network, I let fdisk be run without needing a
>>>>>>> password.
>>>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
>>>>>>> was no big
>>>>>>>>>> deal - I could recreate the machine from scratch (minus
>>>>>>> whatever data
>>>>>>>>>> hadn't been copied off yet - which would only be their most
>>>>>>> recent run),
>>>>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8
>>>>>>> minutes of
>>>>>>>>>> scripted 'dd' ;-)  However, if the test user wanted to become
>>>>>>> root using
>>>>>>>>>> su, they had to enter the test user password.
>>>>>>>>>> 
>>>>>>>>>> So, back to the original question - setting sudo to not
>>>>>>> require a
>>>>>>>>>> password.  We should have asked, what program do you want to
>>>>>>> run as root
>>>>>>>>>> without requiring a password? How secure is your system? What
>>>>>>> else do
>>>>>>>>>> you use it for?  Who has access?  etc, etc, etc.
>>>>>>>>>> 
>>>>>>>>>> There's one other minor objection I have to the 'zero defense'
>>>>>>> statement
>>>>>>>>>> below - the malicious thing you downloaded (and, I assume ran)
>>>>>>> has to be
>>>>>>>>>> written to USE sudo in its attempt to break in, I believe, or
>>>>>>> it
>>>>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -
>>>>>>> myscript'
>>>>>>>>>> won't do it).
>>>>>>>>>> 
>>>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>>>> should:
>>>>>>>>>> 
>>>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>>>> reason to
>>>>>>>>>> believe is 'safe', and ALWAYS make sure you actually
>>>>>>> downloaded it from
>>>>>>>>>> where you thought you did.
>>>>>>>>>> 
>>>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
>>>>>>> and test
>>>>>>>>>> software on, which you can totally disconnect from your
>>>>>>> network (not
>>>>>>>>>> JUST the internet), and which has NO confidential info, and
>>>>>>> which you
>>>>>>>>>> can erase and rebuild without caring.  Run the downloaded
>>>>>>> stuff there,
>>>>>>>>>> for a long time, until you're pretty sure it won't bite you.
>>>>>>>>>> 
>>>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>>>> from
>>>>>>>>>> anywhere, disconnect from the internet permanently, get
>>>>>>> high-tech locks
>>>>>>>>>> for your doors, and wrap your house in a faraday cage!
>>>>>>>>>> 
>>>>>>>>>> And probably don't leave the house....
>>>>>>>>>> 
>>>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>>>> with
>>>>>>>>>> 'well-known' software, and as someone else said - they're
>>>>>>> watching you
>>>>>>>>>> anyway.  The question is how 'safe' do you want to be? And how
>>>>>>> paranoid
>>>>>>>>>> are you, really?
>>>>>>>>>> 
>>>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>>> 
>>>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>> something malicious.
>>>>>>>>>>> 
>>>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
>>>>>>> wrote:
>>>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>>>> good at troubleshooting so I figured I'd give it a go. I sprint
>>>>>>> about half an hour asking it the wrong question but after that it
>>>>>>> took 2 minutes. I wanted sudo not to require a password. it is
>>>>>>> wonderful! now I don't have to bug you guys. so it looks like 
>>>>>>> this
>>>>>>> is the end of the user group unless you want to talk about OT
>>>>>>> stuff.
>>>>>>>>>>>> 
>>>>>>>>>>>> -- :-)~MIKE~(-:
>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>>> 
>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>> 
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>> 
>>>>>>> ---------------------------------------------------
>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss

More information about the PLUG-discuss mailing list