Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-03 Thread David C. Rankin
On 03/02/2010 08:40 PM, Ray Kohler wrote:
> On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin
>  wrote:
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>>> What would worry me is things like JavaScript exploits and worms -
>>> things that you download and then run as yourself, whether
>>> intentionally or not. A password prompt will block malware like that,
>>> but with no password, you just go owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow members of
>> the wheel group to sudo w/o a password?
>>
>> Same answer - data prevails - set sudo to require a password? I have run
>> servers for more than a decade with sudo/wheel group access enabled w/o a
>> password - no problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared to su?
>> Or same answer, with no password, you just got owned in one step :p
> 
> Yes, same answer, you get owned. In fact, even with a password
> required, the "5 minute grace window" for sudo does you in - some bad
> guy just keeps trying to sudo, until you do it legitimately, thereby
> allowing it freely for 5 minutes, and then he's got root.
> 
> What I actually do, myself, is to not install sudo at all, and just
> use su. I also uncomment the pam line that requires wheel membership
> to su. In order to make su be a little more comfortable, I do this:
> 
> alias su='su -m'
> 
> sr ()
> {
> /bin/su -m -c "$*"
> }
> 
> I only recommend doing away with sudo if you're the only person who
> has root on the machine. For multiple users needing such access,
> sudo's fine-grained controls are well worth it, and prevent you from
> having to hand out the root password every time it gets changed.
> 

Again, thank you Ray!

Thankfully, all my boxes are one root user (me) boxes. So I guess I'm really
trying to save me from myself. I did uncomment the pam require wheel auth to
limit any possible su/sudo access to require members of the wheel group.

Interesting discussion, I've learned a bit more.

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-03 Thread Ray Kohler
On Wed, Mar 3, 2010 at 9:06 AM, Mauro Santos  wrote:
>> Yes, same answer, you get owned. In fact, even with a password
>> required, the "5 minute grace window" for sudo does you in - some bad
>> guy just keeps trying to sudo, until you do it legitimately, thereby
>> allowing it freely for 5 minutes, and then he's got root.
>
> Isn't it possible to lock that to specific consoles with
> "Defaults tty_tickets" in /etc/sudoers ? I guess that with the 5 min.
> grace window will give a good balance between annoyance and security.

That's a nice feature, but there's still a hole in it. Consider the
case where you run sudo, close the window, and within the next 5
minutes something else allocates a PTY. It's likely to get the one you
just closed, with your ticket still good for it.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-03 Thread Mauro Santos
> Yes, same answer, you get owned. In fact, even with a password
> required, the "5 minute grace window" for sudo does you in - some bad
> guy just keeps trying to sudo, until you do it legitimately, thereby
> allowing it freely for 5 minutes, and then he's got root.

Isn't it possible to lock that to specific consoles with
"Defaults tty_tickets" in /etc/sudoers ? I guess that with the 5 min.
grace window will give a good balance between annoyance and security.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread Ray Rashif
On 03/03/2010, Ty John  wrote:
> On Tue, 02 Mar 2010 20:24:20 -0600
> "David C. Rankin"  wrote:
>
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>> > What would worry me is things like JavaScript exploits and worms -
>> > things that you download and then run as yourself, whether
>> > intentionally or not. A password prompt will block malware like
>> > that, but with no password, you just go owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow
>> members of the wheel group to sudo w/o a password?
>>
>> Same answer - data prevails - set sudo to require a password? I have
>> run servers for more than a decade with sudo/wheel group access
>> enabled w/o a password - no problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared
>> to su? Or same answer, with no password, you just got owned in one
>> step :p
>>
>
> sudo can be limited to only certain commands also. IMO su should remain
> as secure as possible and sudo should be customised for the situation.

It's all a moot point. If you want to talk about "things that you run
yourself", then su/sudo does nothing to help you in any way. Most of
the su/sudo thing derived from *NIX machines being academic remote
systems accessed by more than one person, and not a single-user
desktop which could be attacked and infected by the user's own epic
failures.

http://www.geekzone.co.nz/foobar/6229


--
GPG/PGP ID: B42DDCAD


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread sand_man
On Tue, 02 Mar 2010 20:24:20 -0600
"David C. Rankin"  wrote:

> On 03/01/2010 05:03 PM, Ray Kohler wrote:
> > What would worry me is things like JavaScript exploits and worms -
> > things that you download and then run as yourself, whether
> > intentionally or not. A password prompt will block malware like
> > that, but with no password, you just go owned in one step.
> 
> How would this be any different than 'sudo' configured to allow
> members of the wheel group to sudo w/o a password?
> 
> Same answer - data prevails - set sudo to require a password? I have
> run servers for more than a decade with sudo/wheel group access
> enabled w/o a password - no problems. May have just been lucky :p
> 
> Ray, all - any different thoughts about sudo w/o a password compared
> to su? Or same answer, with no password, you just got owned in one
> step :p
> 

sudo can be limited to only certain commands also. IMO su should remain
as secure as possible and sudo should be customised for the situation.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread Ray Kohler
On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin
 wrote:
> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>> What would worry me is things like JavaScript exploits and worms -
>> things that you download and then run as yourself, whether
>> intentionally or not. A password prompt will block malware like that,
>> but with no password, you just go owned in one step.
>
> How would this be any different than 'sudo' configured to allow members of the
> wheel group to sudo w/o a password?
>
> Same answer - data prevails - set sudo to require a password? I have run
> servers for more than a decade with sudo/wheel group access enabled w/o a
> password - no problems. May have just been lucky :p
>
> Ray, all - any different thoughts about sudo w/o a password compared to su? Or
> same answer, with no password, you just got owned in one step :p

Yes, same answer, you get owned. In fact, even with a password
required, the "5 minute grace window" for sudo does you in - some bad
guy just keeps trying to sudo, until you do it legitimately, thereby
allowing it freely for 5 minutes, and then he's got root.

What I actually do, myself, is to not install sudo at all, and just
use su. I also uncomment the pam line that requires wheel membership
to su. In order to make su be a little more comfortable, I do this:

# -m keeps the calling user's environment (HOME, PATH, shell) instead of root's.
alias su='su -m'

# Run one command line as root and come straight back, without opening a root
# shell; "$*" joins all arguments into the single string that -c expects.
sr ()
{
/bin/su -m -c "$*"
}

I only recommend doing away with sudo if you're the only person who
has root on the machine. For multiple users needing such access,
sudo's fine-grained controls are well worth it, and prevent you from
having to hand out the root password every time it gets changed.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread David C. Rankin
On 03/01/2010 05:03 PM, Ray Kohler wrote:
> What would worry me is things like JavaScript exploits and worms -
> things that you download and then run as yourself, whether
> intentionally or not. A password prompt will block malware like that,
> but with no password, you just go owned in one step.

How would this be any different than 'sudo' configured to allow members of the
wheel group to sudo w/o a password?

Same answer - data prevails - set sudo to require a password? I have run servers
for more than a decade with sudo/wheel group access enabled w/o a password - no
problems. May have just been lucky :p

Ray, all - any different thoughts about sudo w/o a password compared to su? Or
same answer, with no password, you just got owned in one step :p

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread David C. Rankin
On 03/01/2010 05:03 PM, Ray Kohler wrote:
> On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin
>  wrote:
>> On 03/01/2010 01:14 PM, Florian Pritz wrote:
>>> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>>> As the comment says, the entry causes pam to implicitly trust members
>>>> of the wheel group. Eliminating the need to type a 14 char pw 10 times a
>>>> day is a time-saver.
>>>
>>> PAM itself should be pretty secure, but what you are trying to achieve
>>> isn't. There is a reason behind that password prompt. You don't want
>>> anyone who gains access to your account (daemons, scripts, ...) to have
>>> root access right away without ever asking for a password. If you don't
>>> want to type yours that often use sudo -s.
>>>
>>
>> Ed, Florian,
>>
>> Thank you for your insight. I guess I should have also included the fact
>> that the box in question sits in my home-office and physical security isn't
>> an issue. Also, there is only one member of the wheel group -- me.
>>
>> Thinking through the threat scenario, as long as pam is doing its job and
>> only allowing members of the wheel group to su without a password, that
>> limits vulnerability to (1) a pam exploit or (2) privilege escalation by a
>> user to become a member of the wheel group. I see it as pretty minimal, but
>> I guess a good compromise is to revert to a password when the machine goes
>> online, but to enjoy the convenience while I'm setting the box up while it
>> doesn't have any access from the outside.
>>
>> It worries me to think about the possible security implications, but the
>> lazy side of me sure does like the convenience :p
> 
> What would worry me is things like JavaScript exploits and worms -
> things that you download and then run as yourself, whether
> intentionally or not. A password prompt will block malware like that,
> but with no password, you just go owned in one step.
> 

That's what my limited understanding was missing! Good info Ray. When the box
goes on-line the comment goes back in /etc/pam.d/su. Thank you for the info I
needed.

Now why would somebody put that commented ability in ../pam.d/su? Probably for
just the exact reasons we have discussed in the thread. Learning has occurred,
it's been a good day...

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-02 Thread Jaroslav Lichtblau
On Mon, Mar 01, 2010 at 11:58:47PM +0100, David C. Rankin wrote:



> It worries me to think about the possible security implications, but the
> lazy side of me sure does like the convenience :p

Did you really think you will get the answer you are looking for here on the
list? :)
I'm lazy too, but I value my data more, I will never do this. But of course,
I'm not in charge of your machine. Feel free to use the best solution for you,
that's what freedom is about. Why do you seek confirmation from some strangers?

Cheers,
Jaroslav

-- 
In youth, it was a way I had
To do my best to please,
And change, with every passing lad,
To suit his theories.

But now I know the things I know,
And do the things I do;
And if you do not like me so,
To hell, my love, with you!
-- Dorothy Parker, "Indian Summer"


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-01 Thread Ray Kohler
On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin
 wrote:
> On 03/01/2010 01:14 PM, Florian Pritz wrote:
>> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>> As the comment says, the entry causes pam to implicitly trust members of
>>> the wheel group. Eliminating the need to type a 14 char pw 10 times a day
>>> is a time-saver.
>>
>> PAM itself should be pretty secure, but what you are trying to achieve
>> isn't. There is a reason behind that password prompt. You don't want
>> anyone who gains access to your account (daemons, scripts, ...) to have
>> root access right away without ever asking for a password. If you don't
>> want to type yours that often use sudo -s.
>>
>
> Ed, Florian,
>
> Thank you for your insight. I guess I should have also included the fact
> that the box in question sits in my home-office and physical security isn't
> an issue. Also, there is only one member of the wheel group -- me.
>
> Thinking through the threat scenario, as long as pam is doing its job and
> only allowing members of the wheel group to su without a password, that
> limits vulnerability to (1) a pam exploit or (2) privilege escalation by a
> user to become a member of the wheel group. I see it as pretty minimal, but
> I guess a good compromise is to revert to a password when the machine goes
> online, but to enjoy the convenience while I'm setting the box up while it
> doesn't have any access from the outside.
>
> It worries me to think about the possible security implications, but the
> lazy side of me sure does like the convenience :p

What would worry me is things like JavaScript exploits and worms -
things that you download and then run as yourself, whether
intentionally or not. A password prompt will block malware like that,
but with no password, you just go owned in one step.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-01 Thread Daenyth Blank
On Mon, Mar 1, 2010 at 17:58, David C. Rankin
 wrote:
> It worries me to think about the possible security implications, but the
> lazy side of me sure does like the convenience :p
>
It's also a bigger issue if you use ssh or a vpn where you could
potentially be getting connections from other places.


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-01 Thread David C. Rankin
On 03/01/2010 01:14 PM, Florian Pritz wrote:
> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>> As the comment says, the entry causes pam to implicitly trust members of
>> the wheel group. Eliminating the need to type a 14 char pw 10 times a day
>> is a time-saver.
> 
> PAM itself should be pretty secure, but what you are trying to achieve
> isn't. There is a reason behind that password prompt. You don't want
> anyone who gains access to your account (daemons, scripts, ...) to have
> root access right away without ever asking for a password. If you don't
> want to type yours that often use sudo -s.
> 

Ed, Florian,

Thank you for your insight. I guess I should have also included the fact that
the box in question sits in my home-office and physical security isn't an issue.
Also, there is only one member of the wheel group -- me.

Thinking through the threat scenario, as long as pam is doing its job and only
allowing members of the wheel group to su without a password, that limits
vulnerability to (1) a pam exploit or (2) privilege escalation by a user to
become a member of the wheel group. I see it as pretty minimal, but I guess a
good compromise is to revert to a password when the machine goes online, but to
enjoy the convenience while I'm setting the box up while it doesn't have any
access from the outside.

It worries me to think about the possible security implications, but the lazy
side of me sure does like the convenience :p

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-01 Thread Florian Pritz
On 03/01/2010 07:58 PM, David C. Rankin wrote:
> As the comment says, the entry causes pam to implicitly trust members of
> the wheel group. Eliminating the need to type a 14 char pw 10 times a day
> is a time-saver.

PAM itself should be pretty secure, but what you are trying to achieve
isn't. There is a reason behind that password prompt. You don't want
anyone who gains access to your account (daemons, scripts, ...) to have
root access right away without ever asking for a password. If you don't
want to type yours that often use sudo -s.

-- 
Florian Pritz -- {flo,bluewi...@server-speed.net





Re: [arch-general] Tired of being asked for a password for "su"? Arch has the solution

2010-03-01 Thread Ed Jobs
On Monday 01 of March 2010 20:58, David C. Rankin wrote:
> Guys,
> 
>   Working through the setup of my new server, I ran across a wonderful
> hidden time-saver in /etc/pam.d/su. If you have configured sudo in the
> normal way by providing sudo access to members of the 'wheel' group, you
> can avoid having to type the root password to 'su' by uncommenting the
> following line in /etc/pam.d/su:
> 


In my own personal opinion, su shouldn't be passwordless.

You can use sudo -i combined with NOPASSWD in sudoers instead. After all,
you have sudo installed, and you are giving someone instant access.

-- 
Real programmers don't document. If it was hard to write, it should be hard to 
understand.
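The two settings argued over in this thread, the pam_wheel "trust" line in /etc/pam.d/su that David uncommented and the sudoers timestamp_timeout / tty_tickets options Ray and Mauro discuss, are easy to audit with a few grep-based checks. The script below is an added example written for this page, not code from the thread or from Arch; the pam.d/su and sudoers contents it writes are constructed samples modelled on the thread's description (the pam_rootok/pam_wheel/pam_unix lines and the %wheel rule are assumed, not copied from a real system), the function names are mine, and it assumes the 5-minute default timeout the thread quotes when timestamp_timeout is unset.

```shell
#!/bin/sh
# Added audit helper (not from the thread).  Answers two questions raised in
# it: does a pam.d/su file carry the uncommented "auth sufficient pam_wheel.so
# trust" line, and what do the sudoers Defaults say about timestamp_timeout
# and tty_tickets.  Sample files below are constructed, not real system files.

# Drop comment and blank lines; both PAM and sudoers use '#' for comments.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# True when an uncommented "auth sufficient pam_wheel.so ... trust" is present,
# i.e. wheel members get root via su without typing any password.
pam_su_trusts_wheel() {
    active_lines "$1" |
        grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)'
}

# True when an uncommented "auth required pam_wheel.so" is present, i.e. only
# wheel members may su at all (the line Ray says he uncomments).
pam_su_requires_wheel() {
    active_lines "$1" | grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# True when any active sudoers rule carries NOPASSWD.
sudoers_has_nopasswd() {
    active_lines "$1" | grep -q 'NOPASSWD'
}

# Print the options of plain "Defaults" lines as one whitespace-separated list.
# Assumption: Defaults@host, Defaults:user, Defaults!cmd and negated options
# such as !tty_tickets are not handled here.
sudoers_defaults() {
    active_lines "$1" | grep -E '^Defaults[[:space:]]' | sed 's/^Defaults//' | tr ',' ' '
}

# True when tty_tickets is set (a ticket is only valid on the tty it came from).
sudoers_tty_tickets() {
    sudoers_defaults "$1" | grep -Eq '(^|[[:space:]])tty_tickets([[:space:]]|$)'
}

# Print timestamp_timeout in minutes; falls back to 5, the default the thread
# quotes (sudo's compiled-in default unless changed at build time).
sudoers_timestamp_timeout() {
    v=$(sudoers_defaults "$1" | tr -s '[:space:]' '\n' | sed -n 's/^timestamp_timeout=//p' | tail -n 1)
    printf '%s\n' "${v:-5}"
}

# Summarise one pam.d/su file and one sudoers file on stdout.
audit() {
    if pam_su_trusts_wheel "$1"; then
        echo "$1: wheel members get root via su WITHOUT a password (pam_wheel trust)"
    else
        echo "$1: su asks for the root password"
    fi
    pam_su_requires_wheel "$1" && echo "$1: su limited to wheel members"
    sudoers_has_nopasswd "$2" && echo "$2: NOPASSWD rule present"
    echo "$2: timestamp_timeout=$(sudoers_timestamp_timeout "$2") min," \
         "tty_tickets=$(sudoers_tty_tickets "$2" && echo on || echo off)"
}

# --- constructed samples (modelled on the thread, not real files) -----------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# pam.d/su with the "trust" line uncommented, as David described doing.
cat >"$tmp/su.trusting" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth    sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth   required    pam_wheel.so use_uid
auth    required    pam_unix.so
EOF

# The same file after the thread's advice: trust commented back out, wheel
# membership required.
cat >"$tmp/su.hardened" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_rootok.so
#auth   sufficient  pam_wheel.so trust use_uid
auth    required    pam_wheel.so use_uid
auth    required    pam_unix.so
EOF

# sudoers granting wheel passwordless sudo; the timeout line is commented out.
cat >"$tmp/sudoers.lax" <<'EOF'
# Defaults timestamp_timeout=0
%wheel ALL=(ALL) NOPASSWD: ALL
EOF

# sudoers with Mauro's tty_tickets and no grace window at all.
cat >"$tmp/sudoers.strict" <<'EOF'
Defaults    tty_tickets, timestamp_timeout=0
%wheel ALL=(ALL) ALL
EOF

audit "$tmp/su.trusting" "$tmp/sudoers.lax"
audit "$tmp/su.hardened" "$tmp/sudoers.strict"
```

On a real host, point the predicates at /etc/pam.d/su and /etc/sudoers (the latter is readable only as root); files under /etc/sudoers.d would need the same treatment, and a timestamp_timeout of 0 is what removes the grace window Ray describes, with tty_tickets narrowing but not closing it, as his PTY-reuse remark notes.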

