sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Michael
bmike1 at gmail.com
Sun Jun 30 05:34:17 MST 2024
Yeah. That happened to me to a LONG time ago, too; now that I think about
it.
On Sat, Jun 29, 2024, 9:36 PM <techlists at phpcoderusa.com> wrote:
> I have had several situations where I needed to become root because I
> was unable to compete the task using sudo. Maybe I do not
> understand....
>
>
>
> On 2024-06-29 19:05, Michael wrote:
> > I thought using suddenly was the same as becoming root
> >
> > On Sat, Jun 29, 2024, 7:19 PM <techlists at phpcoderusa.com> wrote:
> >
> >> Mike,
> >>
> >> The world is a hostile place. The more precautions you take the
> >> better.
> >> I cover the camera on my cellular phone while not in use. I cover
> >> the
> >> camera that is built into my laptop while it is not in use. I think
> >>
> >> on-line banking is dangerous. At some point I want to turn off WIFI
> >> and
> >> go to wired only on my local net.
> >>
> >> We lock our cars and houses for a reason.
> >>
> >> I do not know as much security as I'd like, however it might be
> >> necessary at some point to to become more cyber.
> >>
> >> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
> >> helped me build a server that I ran out of my home. We left the
> >> email
> >> relay open and I got exploited. About 10 years ago I became root
> >> and I
> >> accidentally overwrote my home directory. yikes... both were
> >> painful.
> >> The first example is a reason we must be more aware of what we are
> >> doing. The 2nd is an example why we should use sudo as much as we
> >> can
> >> instead of becoming root.
> >>
> >> Keith
> >>
> >> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
> >>> I just realized, while 99% of the people on this list are honest
> >> there
> >>> is the diabolical 1%. So I guess I enter my password for the rest
> >> of
> >>> my life. Or do you think that it really matters considering this
> >> is
> >>> only a mailing list?
> >>>
> >>> On Sat, Jun 29, 2024, 10:22 AM Michael <bmike1 at gmail.com> wrote:
> >>>
> >>>> Thanks for saying this. I realized that I only needed to run apt
> >> as
> >>>> root. I didn't know how to make it so I could do that..... but
> >>>> chatgt did!
> >>>>
> >>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
> >>>> <plug-discuss at lists.phxlinux.org> wrote:
> >>>>
> >>>>> NO WORRIES FROM THIS END RUSTY.
> >>>>>
> >>>>> As a general rule, I use sudo only for very specific tasks
> >>>>> (usually updating my development package tree on OS X) and no
> >>>>> where else will I run anything as root. I have seen what happens
> >>>>> to linux machines that run infected binaries as root and it can
> >>>>> get ugly pretty fast. In one case, I couldn’t take the machine
> >>>>> out of service because of other items I was involved with, so I
> >>>>> simply made part of the dir tree immutable after replacing a few
> >>>>> files in /etc. That would fill up the system logs with an error
> >>>>> message about a specific binary trying to replace a small number
> >>>>> of conf files. Once the offending binary was found, it made
> >> things
> >>>>> easier trying to disable it or get rid of it. However, after a
> >>>>> while, I simply pulled the drive and ran it through a Dod secure
> >>>>> erase and installed a newer linux bistro on it. I did use the
> >> same
> >>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
> >>>>> last turned out to be handy as I caught someone trying to
> >> rootkit
> >>>>> my machine using a known exploit, only they couldn’t get it to
> >>>>> run because the binaries they wanted to replace couldn’t be
> >>>>> written to. :)Yes, this would be a bit excessive, but over the
> >>>>> long run, proved far less inconvenient than having to wipe and
> >>>>> reinstall an OS.
> >>>>>
> >>>>> -Eric
> >>>>> From the central Offices of the Technomage Guild, security
> >>>>> Applications Dept.
> >>>>>
> >>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
> >>>>> <plug-discuss at lists.phxlinux.org> wrote:
> >>>>>>
> >>>>>> (Deep breath. Calm...)
> >>>>>>
> >>>>>> I can't figure out how to respond rationally to the below, so
> >>>>> all I'm going to say is - before you call troll, you might want
> >>>>> to research the author, and read a bit more carefully what they
> >>>>> wrote. I don't believe I recommended any of the crazy things
> >> you
> >>>>> suggest. And I certainly didn't intend to imply any of that.
> >>>>>>
> >>>>>> On the other hand, it may not have been clear, so I'll just
> >> say
> >>>>> "Sorry that what I wrote wasn't clear, but english isn't my
> >> first
> >>>>> language. Unfortunately its the only one I know".
> >>>>>>
> >>>>>> And on that note, I'll shut up.
> >>>>>>
> >>>>>> On 6/26/24 15:05, Ryan Petris wrote:
> >>>>>>> I feel like you're trolling so I'm not going to spend very
> >> much
> >>>>> time on this.
> >>>>>>>
> >>>>>>> It's been a generally good security practice for at least the
> >>>>> last 25+ years to not regularly run as a privileged user,
> >>>>> requiring some sort of escalation to do administrative-type
> >> tasks.
> >>>>> By using passwordless sudo, you're taking away that escalation.
> >>>>> Why not just run as root? Then you don't need sudo at all. In
> >>>>> fact, why even have a password at all? Why encrypt? Why don't
> >> you
> >>>>> just put all your data on a publicly accessible FTP server and
> >>>>> just grab stuff when you need it? The NSA has all your data
> >> anyway
> >>>>> and you don't have anything to hide so why not just leave it out
> >>>>> there for the world to see?
> >>>>>>>
> >>>>>>> As for something malicious needing to be written to use sudo,
> >>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it
> >> didn't
> >>>>> at least try then that seams like a pretty dumb malicious script
> >>>>> to me.
> >>>>>>>
> >>>>>>> You also don't necessarily need to open/run something for it
> >> to
> >>>>> run. IIRC there was a recent image vulnerability in Gnome's
> >>>>> tracker-miner application which indexes files in your home
> >>>>> directory. And before you say that wouldn't happen in KDE, it
> >> too
> >>>>> has a similar program, I believe called Baloo.
> >>>>>>>
> >>>>>>> There also exists the recent doas program and the systemd
> >>>>> replacement run0 to do the same.
> >>>>>>>
> >>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
> >>>>> PLUG-discuss wrote:
> >>>>>>>> Actually, I'd like to start a bit of a discussion on this.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> First, I know that for some reason RedHat seems to think that
> >>>>> sudo is
> >>>>>>>> bad/insecure.
> >>>>>>>>
> >>>>>>>> I'd like to know the logic there, as I think the argument FOR
> >>>>> using sudo
> >>>>>>>> is MUCH stronger than any argument I've heard (which,
> >>>>> admittedly, is
> >>>>>>>> pretty close to zero) AGAINST it. Here's my thinking:
> >>>>>>>>
> >>>>>>>> Allowing users to become root via sudo gives you:
> >>>>>>>>
> >>>>>>>> - VERY fine control over what programs a user can use as root
> >>>>>>>>
> >>>>>>>> - The ability to remove admin privs (ability to run as root)
> >>>>> from an
> >>>>>>>> individual WITHOUT having to change root password everywhere.
> >>>>>>>>
> >>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
> >>>>> corporation,
> >>>>>>>> that 2nd feature is well worth the price of admission, PLUS I
> >>>>> can only
> >>>>>>>> allow certain admins to run certain programs? Very nice.
> >>>>>>>>
> >>>>>>>> So, for example, at my last place I allowed the 'tester' user
> >>>>> to run
> >>>>>>>> fdisk as root, because they needed to partition the disk
> >> under
> >>>>> test. In
> >>>>>>>> my case, and since the network that we ran on was totally
> >>>>> isolated from
> >>>>>>>> the corporate network, I let fdisk be run without needing a
> >>>>> password.
> >>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
> >>>>> was no big
> >>>>>>>> deal - I could recreate the machine from scratch (minus
> >>>>> whatever data
> >>>>>>>> hadn't been copied off yet - which would only be their most
> >>>>> recent run),
> >>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8
> >>>>> minutes of
> >>>>>>>> scripted 'dd' ;-) However, if the test user wanted to become
> >>>>> root using
> >>>>>>>> su, they had to enter the test user password.
> >>>>>>>>
> >>>>>>>> So, back to the original question - setting sudo to not
> >>>>> require a
> >>>>>>>> password. We should have asked, what program do you want to
> >>>>> run as root
> >>>>>>>> without requiring a password? How secure is your system?
> >> What
> >>>>> else do
> >>>>>>>> you use it for? Who has access? etc, etc, etc.
> >>>>>>>>
> >>>>>>>> There's one other minor objection I have to the 'zero
> >> defense'
> >>>>> statement
> >>>>>>>> below - the malicious thing you downloaded (and, I assume
> >> ran)
> >>>>> has to be
> >>>>>>>> written to USE sudo in its attempt to break in, I believe, or
> >>>>> it
> >>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su -
> >>>>> myscript'
> >>>>>>>> won't do it).
> >>>>>>>>
> >>>>>>>> And, if you're truly paranoid about stuff you download, you
> >>>>> should:
> >>>>>>>>
> >>>>>>>> 1 - NEVER download something you don't have an excellent
> >>>>> reason to
> >>>>>>>> believe is 'safe', and ALWAYS make sure you actually
> >>>>> downloaded it from
> >>>>>>>> where you thought you did.
> >>>>>>>>
> >>>>>>>> 2 - For the TRULY paranoid, have a machine you use to
> >> download
> >>>>> and test
> >>>>>>>> software on, which you can totally disconnect from your
> >>>>> network (not
> >>>>>>>> JUST the internet), and which has NO confidential info, and
> >>>>> which you
> >>>>>>>> can erase and rebuild without caring. Run the downloaded
> >>>>> stuff there,
> >>>>>>>> for a long time, until you're pretty sure it won't bite you.
> >>>>>>>>
> >>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
> >>>>> from
> >>>>>>>> anywhere, disconnect from the internet permanently, get
> >>>>> high-tech locks
> >>>>>>>> for your doors, and wrap your house in a faraday cage!
> >>>>>>>>
> >>>>>>>> And probably don't leave the house....
> >>>>>>>>
> >>>>>>>> The point of number 3 is that there is always a risk, even
> >>>>> with
> >>>>>>>> 'well-known' software, and as someone else said - they're
> >>>>> watching you
> >>>>>>>> anyway. The question is how 'safe' do you want to be? And
> >> how
> >>>>> paranoid
> >>>>>>>> are you, really?
> >>>>>>>>
> >>>>>>>> Wow, talk about rabbit hole! ;-)
> >>>>>>>>
> >>>>>>>> 'Let the flames begin!' :-)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>>>>>>>>> wanted sudo not to require a password.
> >>>>>>>>> Please reconsider this... This is VERY BAD security
> >> practice.
> >>>>> There's basically zero defense if you happen to download/run
> >>>>> something malicious.
> >>>>>>>>>
> >>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
> >>>>> wrote:
> >>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
> >>>>> good at troubleshooting so I figured I'd give it a go. I sprint
> >>>>> about half an hour asking it the wrong question but after that
> >> it
> >>>>> took 2 minutes. I wanted sudo not to require a password. it is
> >>>>> wonderful! now I don't have to bug you guys. so it looks like
> >> this
> >>>>> is the end of the user group unless you want to talk about OT
> >>>>> stuff.
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> :-)~MIKE~(-:
> >>>>>>>>>> ---------------------------------------------------
> >>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>>>>>>
> >>>>>>>>> ---------------------------------------------------
> >>>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>>>> ---------------------------------------------------
> >>>>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>>>>
> >>>>>> ---------------------------------------------------
> >>>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>>>
> >>>>> ---------------------------------------------------
> >>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>>>> To subscribe, unsubscribe, or to change your mail settings:
> >>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20240630/ece0a4fe/attachment.htm>
More information about the PLUG-discuss
mailing list