Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
> Yes, same answer, you get owned. In fact, even with a password required, the 5 minute grace window for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.

Isn't it possible to lock that to specific consoles with Defaults tty_tickets in /etc/sudoers? I guess that with the 5 min. grace window it will give a good balance between annoyance and security.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On Wed, Mar 3, 2010 at 9:06 AM, Mauro Santos registo.maill...@gmail.com wrote:
>> Yes, same answer, you get owned. In fact, even with a password required, the 5 minute grace window for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.
>
> Isn't it possible to lock that to specific consoles with Defaults tty_tickets in /etc/sudoers? I guess that with the 5 min. grace window it will give a good balance between annoyance and security.

That's a nice feature, but there's still a hole in it. Consider the case where you run sudo, close the window, and within the next 5 minutes something else allocates a PTY. It's likely to get the one you just closed, with your ticket still good for it.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On 03/01/2010 05:03 PM, Ray Kohler wrote:
> What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.

How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password? Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p

Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin drankina...@suddenlinkmail.com wrote:
> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>> What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
>
> How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password? Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
>
> Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p

Yes, same answer, you get owned. In fact, even with a password required, the 5 minute grace window for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.

What I actually do, myself, is to not install sudo at all, and just use su. I also uncomment the pam line that requires wheel membership to su. In order to make su be a little more comfortable, I do this:

    # -m keeps the caller's environment when switching to root
    alias su='su -m'
    # run a single command as root; "$*" hands the whole command line to -c as one string
    sr () {
        /bin/su -m -c "$*"
    }

I only recommend doing away with sudo if you're the only person who has root on the machine. For multiple users needing such access, sudo's fine-grained controls are well worth it, and prevent you from having to hand out the root password every time it gets changed.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On Tue, 02 Mar 2010 20:24:20 -0600 David C. Rankin drankina...@suddenlinkmail.com wrote:
> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>> What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
>
> How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password? Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
>
> Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p

sudo can be limited to only certain commands also. IMO su should remain as secure as possible and sudo should be customised for the situation.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On 03/03/2010, Ty John ty...@eye-of-odin.com wrote:
> On Tue, 02 Mar 2010 20:24:20 -0600 David C. Rankin drankina...@suddenlinkmail.com wrote:
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>>> What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password? Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
>
> sudo can be limited to only certain commands also. IMO su should remain as secure as possible and sudo should be customised for the situation.

It's all a moot point. If you want to talk about things that you run yourself, then su/sudo does nothing to help you in any way. Most of the su/sudo thing derived from *NIX machines being academic remote systems accessed by more than one person, and not a single-user desktop which could be attacked and infected by the user's own epic failures.

http://www.geekzone.co.nz/foobar/6229

--
GPG/PGP ID: B42DDCAD
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On 03/01/2010 07:58 PM, David C. Rankin wrote:
> As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.

PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.

--
Florian Pritz -- {flo,bluewi...@server-speed.net
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On 03/01/2010 01:14 PM, Florian Pritz wrote:
> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>> As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
>
> PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.

Ed, Florian,

Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.

Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when the machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside. It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p

--
David C. Rankin, J.D.,P.E.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On Mon, Mar 1, 2010 at 17:58, David C. Rankin drankina...@suddenlinkmail.com wrote:
> It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p

It's also a bigger issue if you use ssh or a vpn where you could potentially be getting connections from other places.
Re: [arch-general] Tired of being asked for a password for su? Arch has the solution
On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin drankina...@suddenlinkmail.com wrote:
> On 03/01/2010 01:14 PM, Florian Pritz wrote:
>> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>> As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
>>
>> PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.
>
> Ed, Florian,
>
> Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.
>
> Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when the machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside. It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p

What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
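
Added example, not part of any message in this thread: a small audit that flags the settings debated above (the pam_wheel trust line for su, passwordless sudo rules, tickets not tied to a tty, and the sudo grace window). The function names, output tags and sample files are constructed for illustration, and it assumes a sudo build where per-tty tickets are off unless tty_tickets is set.

```bash
#!/usr/bin/env bash
# Added example: flag the su/sudo settings debated in this thread.
# Assumes a sudo build where per-tty tickets are off unless tty_tickets is set.

# PAM su file: an active pam_wheel.so "trust" line gives wheel members root
# with no password prompt at all.
audit_pam_su() {
    grep -En '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)' "$1" \
        | sed 's/^/PAM-TRUST /'
}

# sudoers file: passwordless rules, tickets shared across ttys, grace window.
audit_sudoers() {
    local active timeout
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$1")    # drop comments and blanks
    printf '%s\n' "$active" | grep -E 'NOPASSWD[[:space:]]*:' | sed 's/^/NOPASSWD /'
    printf '%s\n' "$active" | grep -Eq '^Defaults[^#]*[[:space:],]tty_tickets' \
        || echo "NO-TTY-TICKETS"
    timeout=$(printf '%s\n' "$active" | sed -En \
        's/^Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/p' | tail -n 1)
    case "$timeout" in
        0)  ;;                                   # password asked on every sudo
        "") echo "GRACE-WINDOW default" ;;       # compiled-in timeout applies
        *)  echo "GRACE-WINDOW ${timeout}min" ;;
    esac
}

# Constructed sample files (not taken from any poster's machine).
make_samples() {
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth sufficient pam_wheel.so trust use_uid' \
        '#auth required pam_wheel.so use_uid' > "$1/su.weak"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        '#auth sufficient pam_wheel.so trust use_uid' \
        'auth required pam_wheel.so use_uid' > "$1/su.hardened"
    printf '%s\n' 'root ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers.weak"
    printf '%s\n' 'Defaults tty_tickets' 'Defaults timestamp_timeout=0' \
        'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$1/sudoers.hardened"
}

d=$(mktemp -d) && make_samples "$d"
for f in su.weak su.hardened; do echo "== $f"; audit_pam_su "$d/$f"; done
for f in sudoers.weak sudoers.hardened; do echo "== $f"; audit_sudoers "$d/$f"; done
rm -rf "$d"
```

On a real system the inputs would be /etc/pam.d/su and /etc/sudoers; files pulled in from /etc/sudoers.d are not followed.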