[expert] Attn: Vincent - sudo article at mandrakesecure.net
Hey Vince, I just read your article at mandrakesecure.net regarding sudo. Excellent article. (Now, I just need to get going on the msec stuff so I can figure out how to tone down some of security level 4's more obnoxious habits :)

I like what you mentioned regarding using sudo to restrict access to the su command. I've currently got sudo configured to allow anyone in the wheel group (which currently consists of me only, and isn't likely to change anytime soon... :) to run anything as root ("%wheel ALL=(ALL) NOPASSWD: ALL"), and as a result of your suggestion in your article, I've removed the suid bit from /bin/su. Assuming that msec level 4 doesn't decide to "repair" that later on, I've got that part covered.

Couple of questions for you: If I've set up things like above, where someone in the wheel group can run anything, and then set up another entry which says that anyone in the adm group can run a more restricted subset of commands, what happens if the person (me, in this case) belongs to both groups? Does the higher access (wheel group) take priority, or does the lower, more restricted access (adm group) take priority?

The other question is this: Is it possible to set up sshd so that it will use that key-based login thing you talked about in an earlier message for some users, while allowing password logins for others? That would be a kind-of happy medium for me, so that I can restrict access to my personal account without making things needlessly complicated for my friends who access the machine. I've already got sshd configured to deny direct root logins, so you have to login as someone else first and then su to root. Since I've just gotten rid of the suid bit off of /bin/su, I've made my personal login ID the "window to root." :-)

As I previously mentioned, I'm pretty careful about the passwords I pick for myself, but if I can enable the key-based login for myself (while allowing password logins for others), I could make it that much harder for someone to compromise my machine.

TIA!

--Dave

--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Attn: Vincent - sudo article at mandrakesecure.net
On Fri, 02 Aug 2002 13:35:58 -0700 "David Guntner" <[EMAIL PROTECTED]> wrote:

> Hey Vince, I just read your article at mandrakesecure.net
> regarding sudo. Excellent article. (Now, I just need to get
> going on the msec stuff so I can figure out how to tone down
> some of security level 4's more obnoxious habits :)
>
> I like what you mentioned regarding using sudo to restrict
> access to the su command. I've currently got sudo configured to
> allow anyone in the wheel group (which currently consists of me
> only, and isn't likely to change anytime soon... :) to run
> anything as root ("%wheel ALL=(ALL) NOPASSWD: ALL"), and
> as a result of your suggestion in your article, I've removed the
> suid bit from /bin/su. Assuming that msec level 4 doesn't
> decide to "repair" that later on, I've got that part covered.
>
> Couple of questions for you: If I've set up things like above,
> where someone in the wheel group can run anything, and then set
> up another entry which says that anyone in the adm group can run
> a more restricted subset of commands, what happens if the person
> (me, in this case) belongs to both groups? Does the higher
> access (wheel group) take priority, or does the lower, more
> restricted access (adm group) take priority?
>
> The other question is this: Is it possible to set up sshd so
> that it will use that key-based login thing you talked about in
> an earlier message for some users, while allowing password
> logins for others? That would be a kind-of happy medium for me,
> so that I can restrict access to my personal account without
> making things needlessly complicated for my friends who access
> the machine. I've already got sshd configured to deny direct
> root logins, so you have to login as someone else first and then
> su to root. Since I've just gotten rid of the suid bit off of
> /bin/su, I've made my personal login ID the "window to root."
> :-) As I previously mentioned, I'm pretty careful about the
> passwords I pick for myself, but if I can enable the key-based
> login for myself (while allowing password logins for others), I
> could make it that much harder for someone to compromise my
> machine.
>
> TIA!
>
> --Dave
> --
> David Guntner GEnie: Just say NO!
> http://www.akaMail.com/pgpkey/davidg or key server
> for PGP Public key

The above brings a question to mind that I've never found an answer to. How is it that Linux doesn't use 'groups' in the same manner as, say, FreeBSD? If you aren't in wheel you don't get access to su; if you aren't in group newproject you can't see newproject's files, etc., etc. Better yet, is there somewhere I can find info on how to implement this under Linux?

James
Re: [expert] Attn: Vincent - sudo article at mandrakesecure.net
On Thu Aug 08, 2002 at 12:23:10PM -0700, David Guntner wrote:

> (I'm cc'ing you, Vincent, because I'm not sure the list is working well
> today and I want to be sure you see my reply.)

Got both, so it's ok... =)

> > On Fri Aug 02, 2002 at 01:35:58PM -0700, David Guntner wrote:
> >
> > I don't think I've replied to this already, but my mail is kinda
> > messed up right now, so I'm not sure. If I have, forgive me.
>
> No you hadn't, and I was beginning to feel positively unloved. :-)

hehehe... sorry about that.

> I hope you get your mail straightened out soon. I know how much fun that
> can be...

I was trying to switch all of my email to Sylpheed from mutt... after doing so and using it for a few days I decided to go back to mutt... Sylpheed just wasn't doing what I needed it to do (wasn't working with TMDA properly). Oh well.

> > Both. An easy way to check is to put the rules in then, as the user,
> > run "sudo -l". It will list everything you have access to and as what
> > user. I don't think sudo does a "first match wins", but checks to see
> > if you apply to any given rule. If you do, you get access.
> >
> > Of course, if you have %wheel assigned to run everything as root, why
> > would you need to be in the adm group? You obviously don't need to be
> > in the adm group.
>
> I know it seems odd. :-) But the idea is that I want to be able to look at
> certain files that are group readable to the adm group (which one of my
> more trusted users is part of) without having to sudo to do it. If I
> belong to the group, then I've already got access to the file. I love the
> convenience of sudo, but I don't want to have to use it for everything I
> do. Otherwise, I might just as well sign in as root all the time. :-)

Fair enough. In that case, whatever privs you give to group adm, you don't have to give to group wheel also, unless you plan on having people in group wheel that are not in group adm, but it doesn't sound like that is what you are doing.

> > A better option is to use a little more granularity
> > in your rules and use sudo's grouping; i.e. use something like:
> >
> > User_Alias ADM = dave, john
> >
> > ADM ALL = NOPASSWD: /etc/init.d/httpd, /etc/init.d/mysql
>
> Good thought, though. I'll keep it in mind for future applications.

=)

[...]

> > > the key-based login for myself (while allowing password logins for others),
> > > I could make it that much harder for someone to compromise my machine.
> >
> > Ummm... good question. I believe you can do so with client options
> > on your account. You'll have to allow password authentication
> > server-wide, but you can probably setup your own personal config so
> > that password authentication is not allowed on your account.
> >
> > Give me some time, I'm writing an article about the many uses of
> > openssh for MandrakeSecure that I hope to have out next week.
>
> Sounds good. I'll be eagerly awaiting it. Like I said, I need to have
> password authentication turned on because some of my friends just flat-out
> aren't up to anything else. :-) But since *my* ID now effectively holds
> the "keys to the kingdom," I want to lock it up as tight as I can.

Looking around, I think it can be done, but I don't have the answer yet... My writing of the piece on openssh has been interrupted with a few other things that need to be dealt with first. I'll try to finish it up this weekend... then it will give you all kinds of tips and ideas on using openssh effectively... =)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
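The overlapping-groups question from the first message (a user in both wheel and adm) and the alias approach suggested above, written out as a sudoers fragment. This is an added example, not text from any message in the thread or from the mandrakesecure.net article; the user names (dave, john) and group names are the ones the thread uses, and the two init scripts are a constructed command list. The point it shows is the one `sudo -l` reveals: sudo applies every entry that matches the user, and where two matching entries disagree, the later one in the file wins.

```sudoers
# Added example, not from the thread. Validate with "visudo -c", then run
# "sudo -l" as dave to see which entries actually apply to him.

User_Alias  ADM      = dave, john
Cmnd_Alias  SERVICES = /etc/init.d/httpd, /etc/init.d/mysql

# wheel (dave only, per the thread): anything, as anyone, no password.
%wheel  ALL = (ALL) NOPASSWD: ALL

# adm: a restricted subset, password required.
# Both entries match dave. sudo applies every matching entry, and for a
# command covered by more than one the LAST matching entry wins, so dave
# is prompted for a password for /etc/init.d/httpd or /etc/init.d/mysql
# (this entry) but runs everything else without one (only %wheel matches).
%adm    ALL = (root) PASSWD: SERVICES

# The alias form suggested above, naming people rather than a group.
# Use this instead of the %adm line when the adm group only exists for
# file access and should carry no sudo rights of its own.
# ADM   ALL = (root) NOPASSWD: SERVICES
```

Because ordering decides conflicts, keep the permissive `%wheel` entry near the top and the narrower entries below it; reversing the two lines would silently drop the password prompt for the service scripts.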
Re: [expert] Attn: Vincent - sudo article at mandrakesecure.net
Vincent Danen grabbed a keyboard and wrote:

> > On Thu Aug 08, 2002 at 12:23:10PM -0700, David Guntner wrote:
> >
> > Sounds good. I'll be eagerly awaiting it. Like I said, I need to have
> > password authentication turned on because some of my friends just flat-out
> > aren't up to anything else. :-) But since *my* ID now effectively holds
> > the "keys to the kingdom," I want to lock it up as tight as I can.
>
> Looking around, I think it can be done, but I don't have the answer
> yet... My writing of the piece on openssh has been interrupted with a
> few other things that need to be dealt with first. I'll try to finish
> it up this weekend... then it will give you all kinds of tips and
> ideas on using openssh effectively... =)

Sounds good. Let me know when it's done so I can look it over. If you sent such a notification to the group, please let me know again - I've been away for the weekend and just barely saw *this* note to reply to. If you sent another message since the one I'm replying to now, I didn't see it in the 500 pounds of E-Mail that I waded through upon my return from the camping trip :-)

--Dave
Re: [expert] Attn: Vincent - sudo article at mandrakesecure.net
On Mon Aug 12, 2002 at 06:41:32PM -0700, David Guntner wrote:

> > > Sounds good. I'll be eagerly awaiting it. Like I said, I need to have
> > > password authentication turned on because some of my friends just flat-out
> > > aren't up to anything else. :-) But since *my* ID now effectively holds
> > > the "keys to the kingdom," I want to lock it up as tight as I can.
> >
> > Looking around, I think it can be done, but I don't have the answer
> > yet... My writing of the piece on openssh has been interrupted with a
> > few other things that need to be dealt with first. I'll try to finish
> > it up this weekend... then it will give you all kinds of tips and
> > ideas on using openssh effectively... =)
>
> Sounds good. Let me know when it's done so I can look it over. If you
> sent such a notification to the group, please let me know again - I've been
> away for the weekend and just barely saw *this* note to reply to. If you
> sent another message since the one I'm replying to now, I didn't see it in
> the 500 pounds of E-Mail that I waded through upon my return from the
> camping trip :-)

Well, no news on it yet... haven't gotten much further with that article (yet)... after I wrap a few other things up, I'll be trying to finish it off (hopefully tonight).

--
MandrakeSoft Security; http://www.mandrakesecure.net/
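The per-user arrangement Dave asks for in this thread (key-only login on the one account that can reach root through sudo, passwords still accepted for everyone else) can be expressed directly in sshd_config. This is an added example, not text from the thread or from the openssh article it mentions; it assumes OpenSSH 4.4 or later, which introduced `Match` blocks, something that did not exist when these messages were written. The user name dave is taken from the thread.

```sshdconfig
# Added example, not from the thread. Assumes OpenSSH >= 4.4 (Match blocks).
# Server-wide defaults: keys and passwords both accepted, no direct root
# login, matching the setup described in the thread.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
# Keyboard-interactive (PAM) prompts are a second route to a password login.
ChallengeResponseAuthentication yes

# The account that holds the "window to root" is key-only. Match blocks must
# be the last thing in the file: every directive after a Match line applies
# only to that match, until the next Match line or end of file.
Match User dave
    PasswordAuthentication no
    ChallengeResponseAuthentication no
```

Both password paths are switched off inside the block, because leaving keyboard-interactive on would let PAM ask for the password anyway. Check the file with `sshd -t` before restarting, and keep an existing session open while you reload: a mistake here locks out the very account that can fix it, since `~/.ssh/authorized_keys` for dave must already be in place when the block takes effect.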