I have had several situations where I needed to become root because I was unable to complete the task using sudo. Maybe I do not understand....


On 2024-06-29 19:05, Michael wrote:
I thought using sudo was the same as becoming root

On Sat, Jun 29, 2024, 7:19 PM <techli...@phpcoderusa.com> wrote:

Mike,

The world is a hostile place.  The more precautions you take the better. I cover the camera on my cellular phone while not in use.  I cover the camera that is built into my laptop while it is not in use.  I think on-line banking is dangerous.  At some point I want to turn off WIFI and go to wired only on my local net.

We lock our cars and houses for a reason.

I do not know as much security as I'd like, however it might be necessary at some point to become more cyber.

About 24 years ago the members of the Tucson Free Unix Group (TFUG) helped me build a server that I ran out of my home.  We left the email relay open and I got exploited.  About 10 years ago I became root and I accidentally overwrote my home directory.  yikes... both were painful. The first example is a reason we must be more aware of what we are doing. The 2nd is an example why we should use sudo as much as we can instead of becoming root.

Keith

On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this is only a mailing list?

On Sat, Jun 29, 2024, 10:22 AM Michael <bmi...@gmail.com> wrote:

Thanks for saying this. I realized that I only needed to run apt as root. I didn't know how to make it so I could do that..... but ChatGPT did!

On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
<plug-discuss@lists.phxlinux.org> wrote:

NO WORRIES FROM THIS END RUSTY.

As a general rule, I use sudo only for very specific tasks (usually updating my development package tree on OS X) and nowhere else will I run anything as root. I have seen what happens to linux machines that run infected binaries as root and it can get ugly pretty fast. In one case, I couldn’t take the machine out of service because of other items I was involved with, so I simply made part of the dir tree immutable after replacing a few files in /etc. That would fill up the system logs with an error message about a specific binary trying to replace a small number of conf files. Once the offending binary was found, it made things easier trying to disable it or get rid of it. However, after a while, I simply pulled the drive and ran it through a DoD secure erase and installed a newer linux distro on it. I did use the same trick with chattr to make /bin, /sbin and /etc immutable. That last turned out to be handy as I caught someone trying to rootkit my machine using a known exploit, only they couldn’t get it to run because the binaries they wanted to replace couldn’t be written to. :) Yes, this would be a bit excessive, but over the long run, proved far less inconvenient than having to wipe and reinstall an OS.

-Eric
From the central Offices of the Technomage Guild, security
Applications Dept.

On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
<plug-discuss@lists.phxlinux.org> wrote:

(Deep breath.  Calm...)

I can't figure out how to respond rationally to the below, so all I'm going to say is - before you call troll,  you might want to research the author, and read a bit more carefully what they wrote.  I don't believe I recommended any of the crazy things you suggest.  And I certainly didn't intend to imply any of that.

On the other hand, it may not have been clear, so I'll just say "Sorry that what I wrote wasn't clear, but English isn't my first language.  Unfortunately it's the only one I know".

And on that note, I'll shut up.

On 6/26/24 15:05, Ryan Petris wrote:
I feel like you're trolling so I'm not going to spend very much time on this.

It's been a generally good security practice for at least the last 25+ years to not regularly run as a privileged user, requiring some sort of escalation to do administrative-type tasks. By using passwordless sudo, you're taking away that escalation. Why not just run as root? Then you don't need sudo at all. In fact, why even have a password at all? Why encrypt? Why don't you just put all your data on a publicly accessible FTP server and just grab stuff when you need it? The NSA has all your data anyway and you don't have anything to hide so why not just leave it out there for the world to see?

As for something malicious needing to be written to use sudo, why wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try then that seems like a pretty dumb malicious script to me.

You also don't necessarily need to open/run something for it to run. IIRC there was a recent image vulnerability in Gnome's tracker-miner application which indexes files in your home directory. And before you say that wouldn't happen in KDE, it too has a similar program, I believe called Baloo.

There also exists the recent doas program and the systemd replacement run0 to do the same.

On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
PLUG-discuss wrote:
Actually, I'd like to start a bit of a discussion on this.


First, I know that for some reason RedHat seems to think that sudo is bad/insecure.

I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it.   Here's my thinking:

Allowing users to become root via sudo gives you:

- VERY fine control over what programs a user can use as root

- The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change root password everywhere.

Now, remember, RH is supposedly 'corporate friendly'.  As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.

So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test.  In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password. Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-)  However, if the test user wanted to become root using su, they had to enter the test user password.

So, back to the original question - setting sudo to not require a password.  We should have asked, what program do you want to run as root without requiring a password?  How secure is your system? What else do you use it for?  Who has access?  etc, etc, etc.

There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' won't do it).

And, if you're truly paranoid about stuff you download, you should:

1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.

2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring.  Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.

3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a faraday cage!

And probably don't leave the house....

The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway.  The question is how 'safe' do you want to be? And how paranoid are you, really?

Wow, talk about rabbit hole! ;-)

'Let the flames begin!' :-)


On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
wanted sudo not to require a password.
Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.

On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
wrote:
then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. It is wonderful! Now I don't have to bug you guys. So it looks like this is the end of the user group unless you want to talk about OT stuff.

--
:-)~MIKE~(-:
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
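
Added example, not part of the original thread or written by any of its participants: a small Python audit that separates blanket passwordless sudo from the command-scoped rules discussed above (apt only, fdisk only). The sudoers lines, user names and binary paths are constructed assumptions, and alias definitions are skipped rather than expanded.

```python
import re

# Constructed sudoers lines for illustration; users and paths are assumptions.
SAMPLE = """\
# blanket passwordless root, the setup the thread argues over
mike     ALL=(ALL) NOPASSWD: ALL
# passwordless apt only; every other command still prompts
mike2    ALL=(root) NOPASSWD: /usr/bin/apt, PASSWD: ALL
# test-bench account limited to one tool
tester   ALL=(root) NOPASSWD: /usr/sbin/fdisk
%sudo    ALL=(ALL:ALL) ALL
Defaults env_reset
"""

TAG = re.compile(r"(NOPASSWD|PASSWD)\s*:\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit(text):
    """Map each user/group to (verdict, commands runnable without a password)."""
    report = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        who = left.split()[0]
        right = re.sub(r"^\s*\([^)]*\)\s*", "", right)  # drop the (runas) part
        nopasswd, free = False, []
        for cmd in (c.strip() for c in right.split(",")):
            # A tag applies to its command and to later ones until overridden.
            while (m := TAG.match(cmd)):
                nopasswd = m.group(1) == "NOPASSWD"
                cmd = cmd[m.end():]
            if nopasswd:
                free.append(cmd)
        if "ALL" in free:
            verdict = "unrestricted-nopasswd"
        elif free:
            verdict = "scoped-nopasswd"
        else:
            verdict = "password-required"
        report[who] = (verdict, free)
    return report


if __name__ == "__main__":
    for who, (verdict, free) in audit(SAMPLE).items():
        print(f"{who:8} {verdict:22} {', '.join(free) or '-'}")
```

A scoped rule is only as narrow as the program it names: a package manager or partitioning tool run as root can still change the whole system, so "scoped-nopasswd" entries deserve review too.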
