Re: [eug-lug]chmod syntax

2004-01-02 Thread Patrick R. Wade
On Fri, Jan 02, 2004 at 08:55:59AM -0800, Ben Barrett wrote:
>
>On Thu, 1 Jan 2004 21:01:14 -0800
>Jacob Meuser <[EMAIL PROTECTED]> wrote:
>
>| On Thu, Jan 01, 2004 at 03:19:53PM -0800, Ben Barrett wrote:
>| > Ah yes, sudo is a Good Thing, although be wary of allowing "sudo su",
>| > for if you are trying to limit your normal users' actions, and get a log
>| > of what they sudo, you'll only ever see that they became root, at which
>| > point they have untrackable control.
>| 
>| That's only the tip of the iceberg, so to speak.  Don't forget that
>| such seemingly harmless programs as 'less' and 'more' can execute
>| commands, like "!sh".
>
>Are you talking about control-Z suspend or something else?
>

No, shell escapes.  Many *NIX programs, especially ones that originated
before job control became common, support some keystroke combination to
launch a subshell, so that the user can run a command without having to
exit from their current program and lose their work.  Vi, for example,
will do it from the ! keystroke, as will ed.  The launched subshell
has the powers and abilities of the program that launched it, so
"sudo vi" and ! will give you a root shell.

-- 
"That time in Seattle... was a nightmare.  I came out of it dead broke,
without a house, without anything except a girlfriend and a knowledge of
UNIX."  "Well, that's something," Avi says.  "Normally those two are
mutually exclusive."--Neal Stephenson, "Cryptonomicon"
___
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug


Re: [eug-lug]chmod syntax

2004-01-02 Thread Jacob Meuser
On Fri, Jan 02, 2004 at 08:55:59AM -0800, Ben Barrett wrote:
> On Thu, 1 Jan 2004 21:01:14 -0800
> Jacob Meuser <[EMAIL PROTECTED]> wrote:
> 
> | On Thu, Jan 01, 2004 at 03:19:53PM -0800, Ben Barrett wrote:
> | > Ah yes, sudo is a Good Thing, although be wary of allowing "sudo su",
> | > for if you are trying to limit your normal users' actions, and get a log
> | > of what they sudo, you'll only ever see that they became root, at which
> | > point they have untrackable control.
> | 
> | That's only the tip of the iceberg, so to speak.  Don't forget that
> | such seemingly harmless programs as 'less' and 'more' can execute
> | commands, like "!sh".
> 
> Are you talking about control-Z suspend or something else?

Something else, I'm talking about pagers executing commands.  Try it:

$ touch /tmp/tmp
$ sudo less /tmp/tmp
password:
(when less starts type "!sh" without the "s)
# whoami
root
# exit
!done  (press RETURN)
(back in less type "q")
$ 

> | The only really effective way to limit what users can do with sudo is
> | explicitly list, with full pathnames and making sure there's no way for
> | the user to modify, which programs and possibly with which arguments
> | they are allowed to sudo.
> | 
> | If they run 'sudo su', that action will be logged, not only in the
> | sudo log, but also the security/login logs.  The best way to stop
> | that kind of behaviour is by policy, making 'sudo su' grounds for
> | termination.
> 
> That's not going to help when an attacker gets ahold of someone's password,
> then you're mostly SOL,

But when is that not the case?  If the admin is using 'su', then the
admin knows and is typing root's password.

You could also only allow authentication through keys to lessen the
chance of a stolen password.

> If "sudo su" is undesirable, I would say that the most effective ways to
> block that action, is as you say, allowing only a specific list of
> path/executables available for sudo'ing -- or just don't use sudo.
> Without sudo, you might take advantage of a chrooted environment, or a
> usermode linux (UML)... or something similar.  Other ideas, anyone?

Usually sudo is used by admins to do system administration, in which
case, these options aren't feasible.

There are many, many options for security.  I like to use group
permissions.

-- 
<[EMAIL PROTECTED]>
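
Added example, not part of the original messages: a small Python audit of sudoers user specifications for the problems raised in this thread ("sudo su", pagers and editors with "!" shell escapes, rules that are too broad). The sample entries, the name audit_sudoers and the reliance on the sudoers NOEXEC tag, which the thread does not mention, are assumptions of this example.

```python
import re

# Programs the thread names: su/sh hand over a root shell outright;
# less, more, vi and ed offer a "!" shell escape. Not an exhaustive list.
SHELLS = {"su", "sh"}
ESCAPERS = {"less", "more", "vi", "ed"}

# Constructed sample sudoers text (users and rules are made up).
SAMPLE = """\
# constructed sample
Defaults logfile=/var/log/sudo.log
alice ALL = /usr/bin/less /var/log/messages
bob   ALL = (root) NOEXEC: /usr/bin/less /var/log/messages, /sbin/reboot
carol ALL = (ALL) ALL
dave  ALL = NOPASSWD: /bin/su, /usr/local/bin/
"""

def audit_sudoers(text):
    """Return (line_no, command, reason) for each risky command in a user spec."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue  # comments, Defaults and alias definitions are not audited
        rhs = re.sub(r"\([^)]*\)", "", line.split("=", 1)[1])  # drop (runas)
        noexec = False  # a tag stays in force for later commands in the list
        for item in rhs.split(","):
            tags, cmd = re.match(r"\s*((?:[A-Z_]+:\s*)*)(.*)", item).groups()
            for tag in re.findall(r"[A-Z_]+(?=:)", tags):
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            cmd = cmd.strip()
            path = cmd.split()[0] if cmd else ""
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                reason = "any command allowed"
            elif path.endswith("/"):
                reason = "every program in the directory allowed"
            elif name in SHELLS:
                reason = "hands over a root shell"
            elif name in ESCAPERS and not noexec:
                reason = "shell escape possible (no NOEXEC)"
            else:
                continue
            findings.append((no, cmd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep=": ")
```

Only single-line user specifications are handled; aliases, line continuations and included files are skipped.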


Re: [eug-lug]PDA Howto

2004-01-02 Thread Ben Barrett
Dirk, the device should look the same to your computer whether you use the
usb cradle or the simpler usb hotsync cable... I haven't much else to offer,
sorry  = )

   Ben

PS - oh, yeah:  be wary of anything vizor-specific, since you have a sony
palmOS device (which is not a Vizor, exactly, but most of the stuff should
be the same).  Does yours use PalmOS v4?

PPS - have you seen http://tldp.org/HOWTO/PalmOS-HOWTO/ ??
I *highly* suggest always searching tldp.org (ie, linuxdoc.org) when trying
to find things out; it might be hard to believe but this can be *more*
helpful than google!  (ie foofle.com)


On Fri, 02 Jan 2004 07:46:58 -0800
Dirk Ouellette <[EMAIL PROTECTED]> wrote:

| 
| I commented out the /dev/pilot as I wasn't sure of its correctness. Do I
| need the USB cradle as in the above Howto article?
| Dirk


Re: [eug-lug]chmod syntax

2004-01-02 Thread Ben Barrett
On Thu, 1 Jan 2004 21:01:14 -0800
Jacob Meuser <[EMAIL PROTECTED]> wrote:

| On Thu, Jan 01, 2004 at 03:19:53PM -0800, Ben Barrett wrote:
| > Ah yes, sudo is a Good Thing, although be wary of allowing "sudo su",
| > for if you are trying to limit your normal users' actions, and get a log
| > of what they sudo, you'll only ever see that they became root, at which
| > point they have untrackable control.
| 
| That's only the tip of the iceberg, so to speak.  Don't forget that
| such seemingly harmless programs as 'less' and 'more' can execute
| commands, like "!sh".

Are you talking about control-Z suspend or something else?

| 
| The only really effective way to limit what users can do with sudo is
| explicitly list, with full pathnames and making sure there's no way for
| the user to modify, which programs and possibly with which arguments
| they are allowed to sudo.
| 
| If they run 'sudo su', that action will be logged, not only in the
| sudo log, but also the security/login logs.  The best way to stop
| that kind of behaviour is by policy, making 'sudo su' grounds for
| termination.

That's not going to help when an attacker gets ahold of someone's password,
then you're mostly SOL, except for finding out when the bad person did the
"sudo su" -- if they didn't remove the logs!
For instance, once someone becomes root, they could remount the filesystem
with "noatime" so that any files they peek or poke  don't change their
last-access-time field... very effective.

If "sudo su" is undesirable, I would say that the most effective ways to
block that action, is as you say, allowing only a specific list of
path/executables available for sudo'ing -- or just don't use sudo.
Without sudo, you might take advantage of a chrooted environment, or a
usermode linux (UML)... or something similar.  Other ideas, anyone?

| 
| The sudo-users mailing list archive
| http://www.sudo.ws/pipermail/sudo-users/,
| is full of sudo "gotchas" and solutions.
| 
thanks!


[eug-lug]PDA Howto

2004-01-02 Thread Dirk Ouellette

I have the USB HotSync cable with my new Clie PEG-SJ22 pda but after
following the howto @
http://www.linuxlookup.com/html/guides/visor-jpilot.html#2.2
I still can't get the Clie to sync with my Fedora box. The last lines of
my /etc/fstab
look like;

/dev/hda12   swap          swap         defaults               0 0
/dev/cdrom1  /mnt/cdrom1   udf,iso9660  noauto,user,kudzu,ro   0 0
/dev/sda1    /mnt/camera   auto         user,noauto            0 0
/dev/sda1    /mnt/neuros   vfat         user,sync,noauto       0 0
#/dev/pilot  /mnt/CLIE     auto         user,sync,noauto       0 0
/dev/cdrom   /mnt/cdrom    udf,iso9660  noauto,owner,kudzu,ro  0 0

I commented out the /dev/pilot as I wasn't sure of its correctness. Do I
need the USB cradle as in the above Howto article?
Dirk
