Le 23/09/2017 à 16:54, Miroslav Rovis a écrit :
(Also replying to Didier Kryn, because it is related to my question put
following Edward email below, however, too much Edward's text missing in
Didier's reply.)
On 170923-09:15+0200, Edward Bartolo wrote:
Quote: "He's actually right: the least the superuser's password is
used, the better
and the safer."
Granted, but sudo as configured in Ubuntu makes the use of a superuser
password pointless. Sudo is configured to be a wide wide open door
leading to any part of a computer's 'household'. In other words, sudo
with the infamous 'user ALL=(ALL)' in /etc/sudoers makes root
practically like any other user.
I do have it (that exact section of my /etc/sudoers follows):
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Defaults targetpw
mr ALL=(ALL:ALL) ALL
Does the "Defaults targetpw", and a really strong password still keep me safe,
sudo-wise (not talking other measures: iptables, grsecurity, just sudo-wise)?
I am (as user mr) both:
# cat /etc/group | grep sudo
sudo:x:27:mr
#
member of group sudo, and have those lines under "Defaults targetpw". Really
interested about opinions/advice: safe, as far as sudo goes?
I don't know what "Default targetpw" is. Never used that. Here are
my only defaults:
Defaults env_reset
Defaults env_keep=EDITOR
Defaults
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults editor =
/usr/bin/nano:/usr/bin/vim:/usr/bin/vi:/usr/bin/emacs:/usr/bin/jed:/usr/bin/mg:/usr/bin/zile
You need to pass the user's editor for use with sudoedit and visudo,
but, for security, you must only allow known editors.
I don't give permissions to groups, only to some persons, based on
necessity and competence. For this I use "UserAlias" and "CmndAlias" and
I recommend it.
User_Alias ELOGADMIN = gahs, kryn, kaneda, neff
User_Alias PYTHONADM = kaneda
...
Cmnd_Alias VIEW = /bin/more, /usr/bin/less, /bin/grep
Cmnd_Alias HIDE = !/bin/more *shadow, !/usr/bin/less *shadow,
!/bin/grep *shadow
...
ELOGADMIN THIS_HOST = (elog) ALL
SYSADMIN THIS_HOST = (root) NOPASSWD: /bin/ls, VIEW, HIDE
SYSADMIN THIS_HOST = (root) /usr/sbin/service, /bin/mount
SUPER ALL = (root) ALL
Sudo does have its benefits but it must be used to control user
privileges. Granting all commands to every user is the opposite of
what security means.
As above, the targetpw helps against that...
And I don't get what Didier means. Citation below is manually pasted in.
On 170923-11:10+0200, Didier Kryn wrote:
Le 23/09/2017 à 08:49, Alessandro Selli a écrit :
He's actually right: the least the superuser's password is used, the better
and the safer.
Yep, you can invoke 'sudo su -l'; that's su without the root password.
It helps you forget the root password.
Didier
Whatever do you mean that command above "helps you forget the root password"?
See at the bottom :-)
Let me use grsecurity-kernel's exec_logging and audit chdir features ofmy
(miniply github repo) grsecurity-hardened kernel to explain my query. It was
originally 44 lines, and 44 lines of quick truth, but I reduced it to
20-something lines, as some of it is not relevant to here, and I deliberately
modified some info, where not relevant only. But, I wrapped all the lines for
email web, and inserted space btwn lines. Here:
The first 8 lines is me starting an xterm to test that Didier's command:
[...]
So what about and how that command "helps you forget the root password"? I did
have to type my root password right before I became "uid/euid:0/0 gid/egid:0/0"
having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...
Regards?
Sorry but I'm lost in all these logs. What I meant is:
1) if you allow yourself in the sudoers file to run 'su' as root, then
you never need the root password anymore; you use yours instead.
2) if you never need the root password anymore then you might quickly
forget it, unless you have written it somewhere. But, since you don't
need it, one can argue it doesn't matter... I leave it to your apreciation.
One nice thing with sudo is that it doesn't ask the password
everytime you invoke it. Note that you can even give yourself the
permission to run su without a password:
mr all = (root) NOPASSWD: /bin/su
I wouldn't recommend it :-)
Didier
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
