Re: /sbin vs /bin

2022-07-30 Thread Dan Ritter
to...@tuxteam.de wrote: 
> On Sat, Jul 30, 2022 at 02:07:58PM -0400, Greg Wooledge wrote:
> > On Sat, Jul 30, 2022 at 02:02:21PM -0400, Timothy M Butterworth wrote:
> > > Logging in as root has become taboo. Sudo is the preferred mechanism for
> > > running administrator functions. I have root set to nologin with a null
> > > password to force sudo usage.
> > 
> > This makes entering single-user mode ("rescue mode") impossible.
> 
> Agreed. There are ways around that, but logging in as root while
> physically present is a quite honourable thing to do.
> 
> Some swing this way, others the other way. Use the tool which suits
> you. Know its limitations.
> 
> FWIW, not long ago sudo had a vulnerability. It is just much more
> complex, and complexity is an enemy of security (I say that as a
> fan of sudo and as a regular user).

The OpenBSD folk created "doas", which is packaged in Bullseye. 

Description: minimal replacement for sudo
 OpenDoas: a portable version of OpenBSD's doas command
 doas is a minimal replacement for the venerable sudo. It was
 initially written by Ted Unangst of the OpenBSD project to provide 95% of the
 features of sudo with a fraction of the codebase.

I haven't used it, but I suspect it is excellent for
single-sysadmin machines.

-dsr-



Re: /sbin vs /bin

2022-07-30 Thread David Wright
On Sat 30 Jul 2022 at 20:21:00 (+0200), to...@tuxteam.de wrote:
> On Sat, Jul 30, 2022 at 02:07:58PM -0400, Greg Wooledge wrote:
> > On Sat, Jul 30, 2022 at 02:02:21PM -0400, Timothy M Butterworth wrote:
> > > Logging in as root has become taboo. Sudo is the preferred mechanism for
> > > running administrator functions. I have root set to nologin with a null
> > > password to force sudo usage.
> > 
> > This makes entering single-user mode ("rescue mode") impossible.
> 
> Agreed. There are ways around that, but logging in as root while
> physically present is a quite honourable thing to do.
> 
> Some swing this way, others the other way. Use the tool which suits
> you. Know its limitations.
> 
> FWIW, not long ago sudo had a vulnerability. It is just much more
> complex, and complexity is an enemy of security (I say that as a
> fan of sudo and as a regular user).

> > > I would love to see Debian Bookworm disable
> > > root login by default.

Why? Any competent sysadmin can do that themselves easily enough.
The choices offered by the d-i are quite sufficient for a home user.

Cheers,
David.



Re: /sbin vs /bin

2022-07-30 Thread tomas
On Sat, Jul 30, 2022 at 02:07:58PM -0400, Greg Wooledge wrote:
> On Sat, Jul 30, 2022 at 02:02:21PM -0400, Timothy M Butterworth wrote:
> > Logging in as root has become taboo. Sudo is the preferred mechanism for
> > running administrator functions. I have root set to nologin with a null
> > password to force sudo usage.
> 
> This makes entering single-user mode ("rescue mode") impossible.

Agreed. There are ways around that, but logging in as root while
physically present is a quite honourable thing to do.

Some swing this way, others the other way. Use the tool which suits
you. Know its limitations.

FWIW, not long ago sudo had a vulnerability. It is just much more
complex, and complexity is an enemy of security (I say that as a
fan of sudo and as a regular user).

Cheers
-- 
"all generalisations suck" tomás




Re: /sbin vs /bin

2022-07-30 Thread Greg Wooledge
On Sat, Jul 30, 2022 at 02:02:21PM -0400, Timothy M Butterworth wrote:
> Logging in as root has become taboo. Sudo is the preferred mechanism for
> running administrator functions. I have root set to nologin with a null
> password to force sudo usage.

This makes entering single-user mode ("rescue mode") impossible.

> One of the major issues with su root is that
> in a work environment with more than one administrator you would have to
> share the root password. Sharing one account provided no accountability as
> to who actually made changes. I would love to see Debian Bookworm disable
> root login by default. Root is a security vulnerability because the user
> name is known so it is easy to launch a brute force attack against the
> server.

If it's about "attacking a server", the default sshd configuration which
disallows root logins is already sufficient.  There's no reason to stop
people from using a root password locally, to stop single-user mode from
working, etc.

(Of course, if that's what you want on *your* systems, you're free to do
that.  I just don't think it's necessary to impose it on everyone else
by fiat.)



Re: /sbin vs /bin

2022-07-30 Thread Timothy M Butterworth
On Fri, Jul 29, 2022 at 7:08 AM Greg Wooledge  wrote:

> On Thu, Jul 28, 2022 at 11:39:01PM -0500, Igor Korot wrote:
> > Open the Terminal
> > Become root by running su
> > Try to run ldconfig -> "Command not found"
> > Try to run /sbin/ldconfig -> execution successful
>
> https://wiki.debian.org/NewInBuster#Changes
>
>   Changes
>
> The su command in buster is provided by the util-linux source package,
> instead of the shadow source package, and no longer alters the PATH
> variable by default. This means that after doing su, your PATH may
> not contain directories like /sbin, and many system administration
> commands will fail. There are several workarounds:
>
>  *  Use su - instead; this launches a login shell, which forces PATH
>     to be changed, but also changes everything else including the
>     working directory.
>
>  *  Use sudo instead. sudo still runs commands with an altered
>     PATH variable.
>
>      o  To get a regular root shell with the correct PATH, you may
>         use sudo -s.
>
>      o  To get a login shell as root (equivalent to su -), you may
>         use sudo -i.
>
>  *  Put ALWAYS_SET_PATH yes in /etc/default/su (create it) to get
>     an approximation of the old behavior. This is documented in su(1).
>
>  *  Put the system administration directories (/sbin, /usr/sbin,
>     /usr/local/sbin) in your regular account's PATH (see
>     EnvironmentVariables for help with this).
>

Logging in as root has become taboo. Sudo is the preferred mechanism for
running administrator functions. I have root set to nologin with a null
password to force sudo usage. One of the major issues with su root is that
in a work environment with more than one administrator you would have to
share the root password. Sharing one account provided no accountability as
to who actually made changes. I would love to see Debian Bookworm disable
root login by default. Root is a security vulnerability because the user
name is known so it is easy to launch a brute force attack against the
server.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀


Re: /sbin vs /bin

2022-07-29 Thread Greg Wooledge
On Thu, Jul 28, 2022 at 11:39:01PM -0500, Igor Korot wrote:
> Open the Terminal
> Become root by running su
> Try to run ldconfig -> "Command not found"
> Try to run /sbin/ldconfig -> execution successful

https://wiki.debian.org/NewInBuster#Changes

  Changes

The su command in buster is provided by the util-linux source package,
instead of the shadow source package, and no longer alters the PATH
variable by default. This means that after doing su, your PATH may
not contain directories like /sbin, and many system administration
commands will fail. There are several workarounds:

 *  Use su - instead; this launches a login shell, which forces PATH
    to be changed, but also changes everything else including the
    working directory.

 *  Use sudo instead. sudo still runs commands with an altered
    PATH variable.

     o  To get a regular root shell with the correct PATH, you may
        use sudo -s.

     o  To get a login shell as root (equivalent to su -), you may
        use sudo -i.

 *  Put ALWAYS_SET_PATH yes in /etc/default/su (create it) to get
    an approximation of the old behavior. This is documented in su(1).

 *  Put the system administration directories (/sbin, /usr/sbin,
    /usr/local/sbin) in your regular account's PATH (see
    EnvironmentVariables for help with this).
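
Added example, not part of the original message or the Debian wiki: because plain su keeps the caller's PATH, the root shell both lacks the sbin directories and resolves commands through whatever the unprivileged user had set. The script below reports both conditions; the function names and the output labels are this example's own.

```shell
#!/bin/sh
# Added example: audit the PATH a root shell would inherit from plain `su`.
# The directory list follows the wiki text; the labels are this example's own.

ADMIN_DIRS="/usr/local/sbin /usr/sbin /sbin"

# Print each system administration directory absent from PATH string $1.
missing_admin_dirs() {
    for d in $ADMIN_DIRS; do
        case ":$1:" in
            *":$d:"*) ;;
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# Print entries of PATH string $1 that root should not inherit:
# empty or relative entries (resolved against the current directory), and
# existing directories that group/other can write to or that uid 0 does not own.
risky_path_entries() (
    set -f                       # no globbing while splitting
    p="$1:"                      # keeps a trailing empty entry visible
    IFS=:
    for e in $p; do
        unset IFS                # back to default splitting for ls output
        case "$e" in
            /*) ;;
            *) printf 'relative: %s\n' "${e:-<empty>}"; continue ;;
        esac
        [ -d "$e" ] || continue
        set -- $(ls -ldLn "$e")  # $1 = mode string, $3 = numeric owner
        case "$1" in
            ?????w*|????????w*) printf 'writable: %s\n' "$e" ;;
            *) [ "$3" = 0 ] || printf 'not-root-owned: %s\n' "$e" ;;
        esac
    done
)

# Report for the current shell, e.g. right after `su` versus `su -`.
missing_admin_dirs "$PATH" | sed 's/^/missing: /'
risky_path_entries "$PATH"
```

Run it once after plain su and once after su - (or sudo -i) to compare the two environments.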



Re: /sbin vs /bin

2022-07-28 Thread tomas
On Thu, Jul 28, 2022 at 11:39:01PM -0500, Igor Korot wrote:
> Hi, David,
> 
> On Thu, Jul 28, 2022 at 11:10 PM David Wright  
> wrote:
> >
> > On Thu 28 Jul 2022 at 22:37:39 (-0500), Igor Korot wrote:
> > > According to 
> > > https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,
> > >
> > > ld config is located inside /sbin and it is installed through the 
> > > libc-bin.
> > >
> > > Trying to run ldconfig gives "No such file or directory"
> > > Running "apt install libc-bin" says "Its installed and already a latest
> > > version"
> > > Only running "/sbin/ldconfig" makes it run.
> > >
> > > Is "/sbin" not in the default PATH variable?
> >
> > For an ordinary user: no.
> >
> > For root: yes.
> 
> Wrong. ;-)
> Boot into an OS and login as a regular user.
> Open the Terminal
> Become root by running su

Ah, su. Don't use su unless you know very well what you are doing.

Cheers
-- 
t




Re: /sbin vs /bin

2022-07-28 Thread David Wright
On Thu 28 Jul 2022 at 23:39:01 (-0500), Igor Korot wrote:
> On Thu, Jul 28, 2022 at 11:10 PM David Wright  
> wrote:
> > On Thu 28 Jul 2022 at 22:37:39 (-0500), Igor Korot wrote:
> > > According to 
> > > https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,
> > >
> > > ld config is located inside /sbin and it is installed through the 
> > > libc-bin.
> > >
> > > Trying to run ldconfig gives "No such file or directory"
> > > Running "apt install libc-bin" says "Its installed and already a latest
> > > version"
> > > Only running "/sbin/ldconfig" makes it run.
> > >
> > > Is "/sbin" not in the default PATH variable?
> >
> > For an ordinary user: no.
> >
> > For root: yes.
> 
> Wrong. ;-)
> Boot into an OS and login as a regular user.
> Open the Terminal
> Become root by running su

You'd better get up to date on the change made to the behaviour of su.
If you run plain "su", you don't get root's default PATH variable,
but whatever it was before.

> Try to run ldconfig -> "Command not found"
> Try to run /sbin/ldconfig -> execution successful

Cheers,
David.



Re: /sbin vs /bin

2022-07-28 Thread Igor Korot
Hi, David,

On Thu, Jul 28, 2022 at 11:10 PM David Wright  wrote:
>
> On Thu 28 Jul 2022 at 22:37:39 (-0500), Igor Korot wrote:
> > According to 
> > https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,
> >
> > ld config is located inside /sbin and it is installed through the libc-bin.
> >
> > Trying to run ldconfig gives "No such file or directory"
> > Running "apt install libc-bin" says "Its installed and already a latest
> > version"
> > Only running "/sbin/ldconfig" makes it run.
> >
> > Is "/sbin" not in the default PATH variable?
>
> For an ordinary user: no.
>
> For root: yes.

Wrong. ;-)
Boot into an OS and login as a regular user.
Open the Terminal
Become root by running su
Try to run ldconfig -> "Command not found"
Try to run /sbin/ldconfig -> execution successful

Thank you.

>
> Cheers,
> David.
>



Re: /sbin vs /bin

2022-07-28 Thread tomas
On Thu, Jul 28, 2022 at 11:10:07PM -0500, David Wright wrote:
> On Thu 28 Jul 2022 at 22:37:39 (-0500), Igor Korot wrote:
> > According to 
> > https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,
> > 
> > ld config is located inside /sbin and it is installed through the libc-bin.
> > 
> > Trying to run ldconfig gives "No such file or directory"
> > Running "apt install libc-bin" says "Its installed and already a latest
> > version"
> > Only running "/sbin/ldconfig" makes it run.
> > 
> > Is "/sbin" not in the default PATH variable?
> 
> For an ordinary user: no.
> 
> For root: yes.

To complement this: if you do "sudo ldconfig" everything should work.
If you log in as root and do ldconfig, everything should work, too.
Note that you shouldn't be able to run ldconfig as non-root (it does
change files only root should be able to change).

So even if you try /sbin/ldconfig as a regular user (is it this what
you are trying to do?), it is going to fail at a later stage.

Cheers
-- 
t




Re: /sbin vs /bin

2022-07-28 Thread David Wright
On Thu 28 Jul 2022 at 22:37:39 (-0500), Igor Korot wrote:
> According to 
> https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,
> 
> ld config is located inside /sbin and it is installed through the libc-bin.
> 
> Trying to run ldconfig gives "No such file or directory"
> Running "apt install libc-bin" says "Its installed and already a latest
> version"
> Only running "/sbin/ldconfig" makes it run.
> 
> Is "/sbin" not in the default PATH variable?

For an ordinary user: no.

For root: yes.

Cheers,
David.



/sbin vs /bin

2022-07-28 Thread Igor Korot
Hi, ALL,
According to 
https://packages.debian.org/cgi-bin/search_contents.pl?word=ldconfig&searchmode=searchfiles&case=insensitive&version=stable&arch=i386,

ld config is located inside /sbin and it is installed through the libc-bin.

Trying to run ldconfig gives "No such file or directory"
Running "apt install libc-bin" says "Its installed and already a latest
version"
Only running "/sbin/ldconfig" makes it run.

Is "/sbin" not in the default PATH variable?

Thank you.