Re: [OpenIndiana-discuss] User roles and acting as root
Well, true, but it's root's command history. Which may not be relevant to what I'm actually doing at the moment. And in some OSes I use, the root shell doesn't have command history at all.

On Wed, Jun 15, 2011 at 1:08 PM, Dan Swartzendruber wrote:
>
> I'm confused. I use 'sudo -i' exclusively, and whenever I get in, I have valid command history.
>
> -----Original Message-----
> From: David Brodbeck [mailto:bro...@uw.edu]
> Sent: Wednesday, June 15, 2011 3:49 PM
> To: Discussion list for OpenIndiana
> Subject: Re: [OpenIndiana-discuss] User roles and acting as root
>
> On Tue, Jun 14, 2011 at 11:53 AM, Ken Gunderson wrote:
>
> > On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...
>
> Hm. For me it's the opposite; I now use sudo almost exclusively on my home boxes, and rarely su to root. Part of it is I've come to rely heavily on command history and command recall, and having to start all over with an empty history (and, if I'm doing "su -", chdir back to the right working directory) is a hassle. Some of the OSes I work with (FreeBSD, in particular) have very basic statically-linked shells for root, in order to make system recovery easier, and these often lack good tab-completion and command history features.
>
> --
> David Brodbeck
> System Administrator, Linguistics
> University of Washington

--
David Brodbeck
System Administrator, Linguistics
University of Washington

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] User roles and acting as root
I'm confused. I use 'sudo -i' exclusively, and whenever I get in, I have valid command history.

-----Original Message-----
From: David Brodbeck [mailto:bro...@uw.edu]
Sent: Wednesday, June 15, 2011 3:49 PM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

On Tue, Jun 14, 2011 at 11:53 AM, Ken Gunderson wrote:
> On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

Hm. For me it's the opposite; I now use sudo almost exclusively on my home boxes, and rarely su to root. Part of it is I've come to rely heavily on command history and command recall, and having to start all over with an empty history (and, if I'm doing "su -", chdir back to the right working directory) is a hassle. Some of the OSes I work with (FreeBSD, in particular) have very basic statically-linked shells for root, in order to make system recovery easier, and these often lack good tab-completion and command history features.

--
David Brodbeck
System Administrator, Linguistics
University of Washington
Re: [OpenIndiana-discuss] User roles and acting as root
On Tue, Jun 14, 2011 at 11:53 AM, Ken Gunderson wrote:
> On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

Hm. For me it's the opposite; I now use sudo almost exclusively on my home boxes, and rarely su to root. Part of it is I've come to rely heavily on command history and command recall, and having to start all over with an empty history (and, if I'm doing "su -", chdir back to the right working directory) is a hassle. Some of the OSes I work with (FreeBSD, in particular) have very basic statically-linked shells for root, in order to make system recovery easier, and these often lack good tab-completion and command history features.

--
David Brodbeck
System Administrator, Linguistics
University of Washington
Re: [OpenIndiana-discuss] User roles and acting as root
When I need a root terminal, I tend to simply:

$ sudo sh

In a Solaris-only environment I advise RBAC, but in a mixed Unix/Linux world, sudo makes more sense. With RBAC and root being a Role, we should "su -" to assume the root role.

Mike

On Tue, 2011-06-14 at 14:24 -0700, Gregory Youngblood wrote:
> On Jun 14, 2011, at 1:35 PM, Gabriele Bulfon wrote:
>
> > Up until OpenSolaris, my first and only command was some "enters" on a "#".
> > Just root, and just commands, for a life.
> > Now I had times with opensolaris wanting me to pfexec everything.
> > On OpenIndiana pfexec behaves differently and does not run privileged as it did on OSol.
> > And, after all, sudo just asks for your password once, and it's done forever.
> > At least for the "first" user you configure on OI.
> > Where is security here??
>
> sudo "remembers" that you entered your password, and as long as you repeat additional sudo commands within the allowable time period, you do not have to enter the password again. However, if you wait until that allowable time period expires then sudo will prompt you for a password again (unless you changed sudoers to not prompt for passwords again).
>
> I don't know why (I remember reading about it, but have since forgotten) pfexec in OI behaves differently than it did for OS. It didn't matter to me since sudo worked, but I preferred pfexec since I had become accustomed to using it in OS, so I usually make my user primary administrator so pfexec works again. It's a bit of a 2x4 approach, but it makes me happy. I'm sure there are better/more elegant ways to accomplish the same thing.
>
> As for why I prefer pfexec to sudo, I don't really have a clear, rational answer. It's my understanding pfexec works within the solaris/oi roles system while sudo is just a pure password privilege escalation. I probably have that wrong, so welcome correction.
>
> As for security from sudo - it all depends on how you use it. In the default form as installed the password has to be used to escalate privileges initially and for a limited window of time. Assuming any compromise is not the result of password compromise, it slows down the attacker's effectiveness. Where sudo really shines, imo, is the ability to designate safe commands that others can run.
>
> Consider a group of developers given access to a test or staging server. The developers are not given carte blanche to do anything they want on the server, but they do need the ability to restart some app or service, such as apache. Using sudo you can allow them to do "apachectl start", "apachectl restart", "apachectl graceful", and "apachectl configtest" as the super user, without permitting them to run any other command or apachectl with any other options than the ones listed. It's a powerful tool for being able to fine tune exactly what commands and options users are allowed to do with escalated privileges.
>
> Greg
Re: [OpenIndiana-discuss] User roles and acting as root
Thanx for the explanation :) I decided to make my usual user a Primary Administrator, and I can pfexec anything ;)

--
From: Gregory Youngblood
To: Discussion list for OpenIndiana
Date: 14 June 2011 23.24.10 CEST
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

> On Jun 14, 2011, at 1:35 PM, Gabriele Bulfon wrote:
>
> > Up until OpenSolaris, my first and only command was some "enters" on a "#".
> > Just root, and just commands, for a life.
> > Now I had times with opensolaris wanting me to pfexec everything.
> > On OpenIndiana pfexec behaves differently and does not run privileged as it did on OSol.
> > And, after all, sudo just asks for your password once, and it's done forever.
> > At least for the "first" user you configure on OI.
> > Where is security here??
>
> sudo "remembers" that you entered your password, and as long as you repeat additional sudo commands within the allowable time period, you do not have to enter the password again. However, if you wait until that allowable time period expires then sudo will prompt you for a password again (unless you changed sudoers to not prompt for passwords again).
>
> I don't know why (I remember reading about it, but have since forgotten) pfexec in OI behaves differently than it did for OS. It didn't matter to me since sudo worked, but I preferred pfexec since I had become accustomed to using it in OS, so I usually make my user primary administrator so pfexec works again. It's a bit of a 2x4 approach, but it makes me happy. I'm sure there are better/more elegant ways to accomplish the same thing.
>
> As for why I prefer pfexec to sudo, I don't really have a clear, rational answer. It's my understanding pfexec works within the solaris/oi roles system while sudo is just a pure password privilege escalation. I probably have that wrong, so welcome correction.
>
> As for security from sudo - it all depends on how you use it. In the default form as installed the password has to be used to escalate privileges initially and for a limited window of time. Assuming any compromise is not the result of password compromise, it slows down the attacker's effectiveness. Where sudo really shines, imo, is the ability to designate safe commands that others can run.
>
> Consider a group of developers given access to a test or staging server. The developers are not given carte blanche to do anything they want on the server, but they do need the ability to restart some app or service, such as apache. Using sudo you can allow them to do "apachectl start", "apachectl restart", "apachectl graceful", and "apachectl configtest" as the super user, without permitting them to run any other command or apachectl with any other options than the ones listed. It's a powerful tool for being able to fine tune exactly what commands and options users are allowed to do with escalated privileges.
>
> Greg
Re: [OpenIndiana-discuss] User roles and acting as root
On Jun 14, 2011, at 1:35 PM, Gabriele Bulfon wrote:

> Up until OpenSolaris, my first and only command was some "enters" on a "#".
> Just root, and just commands, for a life.
> Now I had times with opensolaris wanting me to pfexec everything.
> On OpenIndiana pfexec behaves differently and does not run privileged as it did on OSol.
> And, after all, sudo just asks for your password once, and it's done forever.
> At least for the "first" user you configure on OI.
> Where is security here??

sudo "remembers" that you entered your password, and as long as you repeat additional sudo commands within the allowable time period, you do not have to enter the password again. However, if you wait until that allowable time period expires then sudo will prompt you for a password again (unless you changed sudoers to not prompt for passwords again).

I don't know why (I remember reading about it, but have since forgotten) pfexec in OI behaves differently than it did for OS. It didn't matter to me since sudo worked, but I preferred pfexec since I had become accustomed to using it in OS, so I usually make my user primary administrator so pfexec works again. It's a bit of a 2x4 approach, but it makes me happy. I'm sure there are better/more elegant ways to accomplish the same thing.

As for why I prefer pfexec to sudo, I don't really have a clear, rational answer. It's my understanding pfexec works within the solaris/oi roles system while sudo is just a pure password privilege escalation. I probably have that wrong, so welcome correction.

As for security from sudo - it all depends on how you use it. In the default form as installed the password has to be used to escalate privileges initially and for a limited window of time. Assuming any compromise is not the result of password compromise, it slows down the attacker's effectiveness. Where sudo really shines, imo, is the ability to designate safe commands that others can run.

Consider a group of developers given access to a test or staging server. The developers are not given carte blanche to do anything they want on the server, but they do need the ability to restart some app or service, such as apache. Using sudo you can allow them to do "apachectl start", "apachectl restart", "apachectl graceful", and "apachectl configtest" as the super user, without permitting them to run any other command or apachectl with any other options than the ones listed. It's a powerful tool for being able to fine tune exactly what commands and options users are allowed to do with escalated privileges.

Greg
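Greg's developer/staging-server scenario, written out as a sudoers fragment. This is an added example, not text from the thread; the apachectl path (the Apache 2.2 layout on OpenIndiana) and the group name devs are assumptions.

```sudoers
# Added example: restrict a developer group to exactly the four apachectl
# subcommands Greg lists, run as root, and nothing else.
# Assumed path: OpenIndiana's Apache 2.2 apachectl. Adjust for your install.
Cmnd_Alias APACHE_CTL = /usr/apache2/2.2/bin/apachectl start, \
                        /usr/apache2/2.2/bin/apachectl restart, \
                        /usr/apache2/2.2/bin/apachectl graceful, \
                        /usr/apache2/2.2/bin/apachectl configtest

# Members of the (assumed) devs group may run these, as root, on any host.
%devs ALL = (root) APACHE_CTL

# Argument matching is exact: "apachectl restart" matches, while
# "apachectl stop" and "apachectl -k restart" are refused and logged.
# Do not loosen this to "apachectl *": a wildcard would also accept
# options such as -f, which point apachectl at a caller-chosen config
# file while running as root, and so grant far more than a restart.

# The "remembered password" window Greg describes is timestamp_timeout,
# in minutes (stock default 5). Scope a shorter window to this group,
# or set 0 to require the password on every invocation.
Defaults:%devs timestamp_timeout=5
```

A developer confirms the grant with `sudo -l`, and `visudo -c` validates the file before it is installed.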
Re: [OpenIndiana-discuss] User roles and acting as root
Up until OpenSolaris, my first and only command was some "enters" on a "#".
Just root, and just commands, for a life.
Now I had times with opensolaris wanting me to pfexec everything.
On OpenIndiana pfexec behaves differently and does not run privileged as it did on OSol.
And, after all, sudo just asks for your password once, and it's done forever.
At least for the "first" user you configure on OI.
Where is security here??

--
From: Dan Swartzendruber
To: Discussion list for OpenIndiana
Date: 14 June 2011 20.54.35 CEST
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

> Ken Gunderson wrote:
>
> > Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.
> >
> > On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...
> >
> > The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.
>
> Agreed. In general, my first and only command (as myself) after logging in, is: 'sudo -i'.
Re: [OpenIndiana-discuss] User roles and acting as root
Ken Gunderson wrote:

> Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.
>
> On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...
>
> The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.

Agreed. In general, my first and only command (as myself) after logging in, is: 'sudo -i'.
Re: [OpenIndiana-discuss] User roles and acting as root
On Tue, 2011-06-14 at 11:23 -0700, Alan Coopersmith wrote:
> On 06/14/11 10:05 AM, Gabriele Bulfon wrote:
> > Thanx for your reply,
> > I understand the security issue.
> > But, is it so much more secure when you can just sudo commands?
> > Where is the difference?
>
> With sudo, you choose to only run commands that need extra privileges with those privileges - most of the commands a normal user runs don't need that, so why use it and run the risk of either operator error or buggy software doing more damage than normal?
>

Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.

On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.

--
Regards--
Ken Gunderson
Re: [OpenIndiana-discuss] User roles and acting as root
On 06/14/11 10:05 AM, Gabriele Bulfon wrote:
> Thanx for your reply,
> I understand the security issue.
> But, is it so much more secure when you can just sudo commands?
> Where is the difference?

With sudo, you choose to only run commands that need extra privileges with those privileges - most of the commands a normal user runs don't need that, so why use it and run the risk of either operator error or buggy software doing more damage than normal?

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Platform Engineering: X Window System
Re: [OpenIndiana-discuss] User roles and acting as root
On 6/14/11 1:10 PM, Ignacio Marambio Catán wrote:
> Sudo asks for a password even if it is the user's password

Well, it *can*, but that's not universally true. You can have it prompt for a password or not.
Re: [OpenIndiana-discuss] User roles and acting as root
Sudo asks for a password even if it is the user's password

On Tue, Jun 14, 2011 at 2:05 PM, Gabriele Bulfon wrote:
> Thanx for your reply,
> I understand the security issue.
> But, is it so much more secure when you can just sudo commands?
> Where is the difference?
> Thanx
>
> --
> From: Ignacio Marambio Catán
> To: Discussion list for OpenIndiana
> Date: 14 June 2011 17.52.39 CEST
> Subject: Re: [OpenIndiana-discuss] User roles and acting as root
>
> > give your user the Primary Administrator profile and then assign him a profile shell like pfksh.
> > need I say this is insecure?
> > nacho
> >
> > On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon wrote:
> > > Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
> > > The user has a root role, in the user_attr file.
> > > If not possible, how can I enable root login normally?
> > > I tried commenting out the "root" role from user_attr, but the system went into maintenance mode. I had to put it back to have the machine normal again.
> > > Gabriele.
Re: [OpenIndiana-discuss] User roles and acting as root
Thanx for your reply,
I understand the security issue.
But, is it so much more secure when you can just sudo commands?
Where is the difference?
Thanx

--
From: Ignacio Marambio Catán
To: Discussion list for OpenIndiana
Date: 14 June 2011 17.52.39 CEST
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

> give your user the Primary Administrator profile and then assign him a profile shell like pfksh.
> need I say this is insecure?
> nacho
>
> On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon wrote:
> > Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
> > The user has a root role, in the user_attr file.
> > If not possible, how can I enable root login normally?
> > I tried commenting out the "root" role from user_attr, but the system went into maintenance mode. I had to put it back to have the machine normal again.
> > Gabriele.
Re: [OpenIndiana-discuss] User roles and acting as root
give your user the Primary Administrator profile and then assign him a profile shell like pfksh.
need I say this is insecure?
nacho

On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon wrote:
> Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
> The user has a root role, in the user_attr file.
> If not possible, how can I enable root login normally?
> I tried commenting out the "root" role from user_attr, but the system went into maintenance mode. I had to put it back to have the machine normal again.
> Gabriele.
[OpenIndiana-discuss] User roles and acting as root
Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
The user has a root role, in the user_attr file.
If not possible, how can I enable root login normally?
I tried commenting out the "root" role from user_attr, but the system went into maintenance mode. I had to put it back to have the machine normal again.
Gabriele.