Re: shared root account

2001-07-06 Thread Steven Barker
On Sat, Jul 07, 2001 at 12:11:44AM -0600, Will Aoki wrote: > On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote: > [cut] > > I would be very shocked if you could compromise a system with a > > sudoers entry of: > > me hostname = (root) /bin/cat > > Depends on what's on the system. I've

Re: shared root account

2001-07-06 Thread Will Aoki
On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote: [cut] > I would be very shocked if you could compromise a system with a > sudoers entry of: > me hostname = (root) /bin/cat Depends on what's on the system. I've thought of four similar ways. 1: With Kerberos, you can steal someone'

Re: shared root account

2001-07-06 Thread Matt Hope
On Fri, 06 Jul 2001, Juha Jäykkä <[EMAIL PROTECTED]> wrote... : > > (Put the public key in the .authorized_keys file for the root user) : > > Turn on RSA/DSA authentication and 'allow root login' : > One word of warning above would allow logging in using root password as well : : I distrust a

Re: shared root account

2001-07-06 Thread Nathan E Norman
On Fri, Jul 06, 2001 at 03:24:56PM -0800, Ethan Benson wrote: > On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote: > > > > OTOH if you restrict the user to a list of commands in /etc/sudoers, > > it's wise to consider whether the user might be able to leverage one of > > those comman

Re: shared root account

2001-07-06 Thread Eric E Moore
> "Ethan" == Ethan Benson <[EMAIL PROTECTED]> writes: Ethan> or even seemingly innocuous things like less or even cat. Less is a problem, yes, as is anything else with a shell escape. Ethan> sudo less anything !/bin/sh whoami r00t! Ethan> echo me ALL=ALL > s sudo 'cat s >> /etc/sudoers' do

Re: shared root account

2001-07-06 Thread Simon Huggins
On Fri, Jul 06, 2001 at 06:15:43AM -0800, Ethan Benson wrote: > the main reason i don't use sudo except for small things which cannot > grant a root shell in any way is for the simple reason the sudo > converts a normal unprivileged user password into another root > password. Any user account tha

Re: shared root account

2001-07-06 Thread Vineet Kumar
You make a good point, even if one of your examples is flawed: $ sudo 'cat s >> /etc/sudoers' sudo: cat s >> /etc/sudoers: command not found sudo is a very useful tool in the type of situation described in this thread. Even if you give everyone ALL=(ALL) ALL, it's better than su or even .ssh/auth

Re: shared root account

2001-07-06 Thread Ethan Benson
On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote: > > OTOH if you restrict the user to a list of commands in /etc/sudoers, > it's wise to consider whether the user might be able to leverage one of > those commands to edit /etc/sudoers (or any other file). If you're > going to list

Re: shared root account

2001-07-06 Thread Jason Healy
At 994418143s since epoch (07/06/01 10:15:43 -0400 UTC), Ethan Benson wrote: > On Fri, Jul 06, 2001 at 09:18:18AM -0400, Jason Healy wrote: > > types of > > passwords accepted to run root commands, etc). > > elaborate. > > the main reason i don't use sudo except for small things which cannot > gr

Re: shared root account

2001-07-06 Thread Thomas Bushnell, BSG
Juha Jäykkä <[EMAIL PROTECTED]> writes: > Any other ideas? Or is it really safe to allow root logins to sshd? > It is just an old rule of thumb that root must never log on over the > wire but that may be old news from times of telnet - never had any > need of root logins over the wire until perh

Unidentified subject!

2001-07-06 Thread John DOE
Hello, I am a new debian user and someone still learning linux. I have a small problem. In my company ( which is a microsoft developer ) I insisted on using a firewall created with Ipchains of 3 zones ( dmz - local - internet ) on a Intel Pentium Pro processor machine running Debian 2.2r3 on i

Attack alert from snort

2001-07-06 Thread Philippe Clérié
I got the following from snort : Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Jul 6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode attack detected: 128.95.75.153:1647 -> 208.52.11.121:80 Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Jul 6 05:36:39 canopus snort[

Re: shared root account

2001-07-06 Thread Nathan E Norman
On Fri, Jul 06, 2001 at 09:29:54AM -0700, Robert L. Yelvington wrote: > admittedly, i am not very familiar with sudo because i have never seen the > practical advantages of making su'ing more of a hassle by having to manage > another set of conf files and keeping track of who's a sudoer and, > ther

Re: shared root account

2001-07-06 Thread Tim Haynes
"Robert L. Yelvington" <[EMAIL PROTECTED]> writes: > what's to stop a person, once they've sudo'd, from editing /etc/sudoers and > giving themselves more privs? sudo is to stop them, perhaps? ~Tim -- 15:40:15 up 9 days, 23:50, 12 users, load average: 0.19, 0.04, 0.01 [EMAIL PROTECTED] |The

Re: shared root account

2001-07-06 Thread Robert L. Yelvington
admittedly, i am not very familiar with sudo because i have never seen the practical advantages of making su'ing more of a hassle by having to manage another set of conf files and keeping track of who's a sudoer and, therefore, have chosen not to use it. what's to stop a person, once they've sudo'

Re: shared root account

2001-07-06 Thread Ethan Benson
On Fri, Jul 06, 2001 at 09:18:18AM -0400, Jason Healy wrote: > types of > passwords accepted to run root commands, etc). elaborate. the main reason i don't use sudo except for small things which cannot grant a root shell in any way is for the simple reason the sudo converts a normal unprivileged u

Re: shared root account

2001-07-06 Thread Steve Greenland
On 06-Jul-01, 05:34 (CDT), Patrice Neff <[EMAIL PROTECTED]> wrote: > What you want to accomplish might be possible with sudo. Install sudo > and then add the following line to the configuration > file. (/etc/sudoers on my machine) > ALL=(ALL) ALL > > this will allow you to execute any c

Re: shared root account

2001-07-06 Thread Jason Healy
At 994443564s since epoch (07/06/01 06:19:24 -0400 UTC), Juha Jäykkä wrote: > I distrust allowing root logins from anywhere but local console(s) > or non-modem gettys i.e. from anywhere over the not-owned-by-me cable. > Any other ideas? Or is it really safe to allow root logins to sshd? > It is

Re: shared root account

2001-07-06 Thread Patrice Neff
Juha Jäykkä <[EMAIL PROTECTED]> writes: > How can that _safely_ be accomplished? There are versions of su, > sudo etc) that do not ask passwords, there are suid binaries but > which is _THE_ way of accomplishing this? I've never been in a situation like yours. But I can tell how I do it at home.

Re: shared root account

2001-07-06 Thread Daniel Polombo
Just a friendly Jedi Knight wrote: On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jäykkä wrote: I distrust allowing root logins from anywhere but local console(s) or non-modem gettys i.e. from anywhere over the not-owned-by-me cable. umm do You want to run in circles from one machine to an

Re: shared root account

2001-07-06 Thread Patrick Dreker
On Friday, 6 July 2001 12:19, Juha Jäykkä wrote: > > > (Put the public key in the .authorized_keys file for the root user) > > > Turn on RSA/DSA authentication and 'allow root login' > > > > One word of warning above would allow logging in using root password as > > well > > I distrust allowi

Re: shared root account

2001-07-06 Thread Just a friendly Jedi Knight
On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jäykkä wrote: > I distrust allowing root logins from anywhere but local console(s) > or non-modem gettys i.e. from anywhere over the not-owned-by-me cable. umm do You want to run in circles from one machine to another? ;o)) if not than You need to

Re: shared root account

2001-07-06 Thread Juha Jäykkä
> > (Put the public key in the .authorized_keys file for the root user) > > Turn on RSA/DSA authentication and 'allow root login' > One word of warning above would allow logging in using root password as well I distrust allowing root logins from anywhere but local console(s) or non-modem gettys

Re: shared root account

2001-07-06 Thread Just a friendly Jedi Knight
On Fri, Jul 06, 2001 at 11:35:16AM +0200, Mark Janssen wrote: > > (Put the public key in the .authorized_keys file for the root user) > Turn on RSA/DSA authentication and 'allow root login' One word of warning above would allow logging in using root password as well which might not be the best s

Re: shared root account

2001-07-06 Thread Just a friendly Jedi Knight
> On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote: > > > I have a bit of a situation: I have a handful of linux machines > > (almost all with different distributions and kernels and software - > > one hell to keep secure) and all the machines have different roots. > > These guys want

Re: shared root account

2001-07-06 Thread Mark Janssen
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote: > I have a bit of a situation: I have a handful of linux machines > (almost all with different distributions and kernels and software - .. > time (we all know keeping up security is a fulltime job). Obviously to > install patches etc I,

Re: shared root account

2001-07-06 Thread Saku Ytti
On Fri, Jul 06, 2001 at 12:25:20PM +0300, Saku Ytti wrote: > On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote: > > Make multiple root-accounts. We for example have normal users > accounts and 3-5 root-accounts depending on machine. Just give > UID/GID to new user. Insert 0 where approp

Re: shared root account

2001-07-06 Thread Saku Ytti
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote: Make multiple root-accounts. We for example have normal users accounts and 3-5 root-accounts depending on machine. Just give UID/GID to new user. > I have a bit of a situation: I have a handful of linux machines > (almost all with dif

shared root account

2001-07-06 Thread Juha Jäykkä
I have a bit of a situation: I have a handful of linux machines (almost all with different distributions and kernels and software - one hell to keep secure) and all the machines have different roots. These guys want to keep their root passwords (or at least the root privileges) so they can update
