sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Michael
bmike1 at gmail.com
Sat Jun 29 08:22:02 MST 2024
Thanks for saying this. I realized that I only needed to run apt as root. I
didn't know how to make it so I could do that..... but chatgt did!
On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss <
plug-discuss at lists.phxlinux.org> wrote:
> NO WORRIES FROM THIS END RUSTY.
>
> As a general rule, I use sudo only for very specific tasks (usually
> updating my development package tree on OS X) and no where else will I run
> anything as root. I have seen what happens to linux machines that run
> infected binaries as root and it can get ugly pretty fast. In one case, I
> couldn’t take the machine out of service because of other items I was
> involved with, so I simply made part of the dir tree immutable after
> replacing a few files in /etc. That would fill up the system logs with an
> error message about a specific binary trying to replace a small number of
> conf files. Once the offending binary was found, it made things easier
> trying to disable it or get rid of it. However, after a while, I simply
> pulled the drive and ran it through a Dod secure erase and installed a
> newer linux bistro on it. I did use the same trick with chattr to make
> /bin, /sbin and /etc immutable. That last turned out to be handy as I
> caught someone trying to rootkit my machine using a known exploit, only
> they couldn’t get it to run because the binaries they wanted to replace
> couldn’t be written to. :)Yes, this would be a bit excessive, but over the
> long run, proved far less inconvenient than having to wipe and reinstall an
> OS.
>
> -Eric
> From the central Offices of the Technomage Guild, security Applications
> Dept.
>
>
> > On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss <
> plug-discuss at lists.phxlinux.org> wrote:
> >
> > (Deep breath. Calm...)
> >
> > I can't figure out how to respond rationally to the below, so all I'm
> going to say is - before you call troll, you might want to research the
> author, and read a bit more carefully what they wrote. I don't believe I
> recommended any of the crazy things you suggest. And I certainly didn't
> intend to imply any of that.
> >
> > On the other hand, it may not have been clear, so I'll just say "Sorry
> that what I wrote wasn't clear, but english isn't my first language.
> Unfortunately its the only one I know".
> >
> > And on that note, I'll shut up.
> >
> > On 6/26/24 15:05, Ryan Petris wrote:
> >> I feel like you're trolling so I'm not going to spend very much time on
> this.
> >>
> >> It's been a generally good security practice for at least the last 25+
> years to not regularly run as a privileged user, requiring some sort of
> escalation to do administrative-type tasks. By using passwordless sudo,
> you're taking away that escalation. Why not just run as root? Then you
> don't need sudo at all. In fact, why even have a password at all? Why
> encrypt? Why don't you just put all your data on a publicly accessible FTP
> server and just grab stuff when you need it? The NSA has all your data
> anyway and you don't have anything to hide so why not just leave it out
> there for the world to see?
> >>
> >> As for something malicious needing to be written to use sudo, why
> wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try
> then that seams like a pretty dumb malicious script to me.
> >>
> >> You also don't necessarily need to open/run something for it to run.
> IIRC there was a recent image vulnerability in Gnome's tracker-miner
> application which indexes files in your home directory. And before you say
> that wouldn't happen in KDE, it too has a similar program, I believe called
> Baloo.
> >>
> >> There also exists the recent doas program and the systemd replacement
> run0 to do the same.
> >>
> >> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
> >>> Actually, I'd like to start a bit of a discussion on this.
> >>>
> >>>
> >>> First, I know that for some reason RedHat seems to think that sudo is
> >>> bad/insecure.
> >>>
> >>> I'd like to know the logic there, as I think the argument FOR using
> sudo
> >>> is MUCH stronger than any argument I've heard (which, admittedly, is
> >>> pretty close to zero) AGAINST it. Here's my thinking:
> >>>
> >>> Allowing users to become root via sudo gives you:
> >>>
> >>> - VERY fine control over what programs a user can use as root
> >>>
> >>> - The ability to remove admin privs (ability to run as root) from an
> >>> individual WITHOUT having to change root password everywhere.
> >>>
> >>> Now, remember, RH is supposedly 'corporate friendly'. As a
> corporation,
> >>> that 2nd feature is well worth the price of admission, PLUS I can only
> >>> allow certain admins to run certain programs? Very nice.
> >>>
> >>> So, for example, at my last place I allowed the 'tester' user to run
> >>> fdisk as root, because they needed to partition the disk under test.
> In
> >>> my case, and since the network that we ran on was totally isolated from
> >>> the corporate network, I let fdisk be run without needing a password.
> >>> Oh, and if they messed up and fdisk'ed the boot partition, it was no
> big
> >>> deal - I could recreate the machine from scratch (minus whatever data
> >>> hadn't been copied off yet - which would only be their most recent
> run),
> >>> in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
> >>> scripted 'dd' ;-) However, if the test user wanted to become root
> using
> >>> su, they had to enter the test user password.
> >>>
> >>> So, back to the original question - setting sudo to not require a
> >>> password. We should have asked, what program do you want to run as
> root
> >>> without requiring a password? How secure is your system? What else do
> >>> you use it for? Who has access? etc, etc, etc.
> >>>
> >>> There's one other minor objection I have to the 'zero defense'
> statement
> >>> below - the malicious thing you downloaded (and, I assume ran) has to
> be
> >>> written to USE sudo in its attempt to break in, I believe, or it
> >>> wouldn't matter HOW open your sudo was. (simply saying 'su - myscript'
> >>> won't do it).
> >>>
> >>> And, if you're truly paranoid about stuff you download, you should:
> >>>
> >>> 1 - NEVER download something you don't have an excellent reason to
> >>> believe is 'safe', and ALWAYS make sure you actually downloaded it from
> >>> where you thought you did.
> >>>
> >>> 2 - For the TRULY paranoid, have a machine you use to download and test
> >>> software on, which you can totally disconnect from your network (not
> >>> JUST the internet), and which has NO confidential info, and which you
> >>> can erase and rebuild without caring. Run the downloaded stuff there,
> >>> for a long time, until you're pretty sure it won't bite you.
> >>>
> >>> 3 - For the REALLY REALLY paranoid, don't download anything from
> >>> anywhere, disconnect from the internet permanently, get high-tech locks
> >>> for your doors, and wrap your house in a faraday cage!
> >>>
> >>> And probably don't leave the house....
> >>>
> >>> The point of number 3 is that there is always a risk, even with
> >>> 'well-known' software, and as someone else said - they're watching you
> >>> anyway. The question is how 'safe' do you want to be? And how paranoid
> >>> are you, really?
> >>>
> >>> Wow, talk about rabbit hole! ;-)
> >>>
> >>> 'Let the flames begin!' :-)
> >>>
> >>>
> >>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>>>> wanted sudo not to require a password.
> >>>> Please reconsider this... This is VERY BAD security practice. There's
> basically zero defense if you happen to download/run something malicious.
> >>>>
> >>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >>>>> then I remember that a PLUG member mentioned ChatGPT being good at
> troubleshooting so I figured I'd give it a go. I sprint about half an hour
> asking it the wrong question but after that it took 2 minutes. I wanted
> sudo not to require a password. it is wonderful! now I don't have to bug
> you guys. so it looks like this is the end of the user group unless you
> want to talk about OT stuff.
> >>>>>
> >>>>> --
> >>>>> :-)~MIKE~(-:
> >>>>> ---------------------------------------------------
> >>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>
> >>>> ---------------------------------------------------
> >>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>
> > ---------------------------------------------------
> > PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> > To subscribe, unsubscribe, or to change your mail settings:
> > https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20240629/8497afe9/attachment.htm>
More information about the PLUG-discuss
mailing list