On Fri 05 Apr 2019 at 11:07:42 (+0100), mick crane wrote:
> On 2019-04-05 10:51, to...@tuxteam.de wrote:
> > On Fri, Apr 05, 2019 at 08:43:32AM +0100, mick crane wrote:
> > > On 2019-04-05 07:46, to...@tuxteam.de wrote:
> > > >On Fri, Apr 05, 2019 at 07:37:05AM +0100, mick crane wrote:
> > > >
> > > >[...]
> > > >
> > > >>Making you be root to download stuff off the internet never seemed
> > > >>like a good idea.
> > > >
> > > >And letting "you" (not root) install things in system directories
> > > >(/usr/bin et al) seems to be as bad an idea [...]
> >
> > [...]
> >
> > > what's the issue with
> > > seeing what's available as you,
> > > checking what you need as root,
> > > downloading as you,
> > > install as root.
>From this and other posts of yours, you seem to feel very vulnerable
when connected to anywhere outside your system, as if you're under
a man-in-the-middle attack all the time.
If your user account is compromised through, say, unwise browsing of
the web, then downloading packages/checksums as user will make for
far greater vulnerability, and root could end up installing all sorts
of bogus stuff.
> > Imagine some random javascript (running as you, the "normal" user
> > starts doing system things (browser sandboxing? nah!). At this point
> > I'd hope I get asked for my password, to get a chance to stop the
> > whole shenanigan. But that's just me...
>
> well normal user isn't supposed to do system things. Sudo makes me
> nervous.
Let's take a real scenario. You've sent some largish emails, and are
impatient to close down the machine. How do you find out whether your
emails have actually left your system? Two easy ways: see if material
is still queued, or check exim's log. Two problems: /var/spool/exim4
can't be read at all (Debian-exim required) and neither can
/var/log/exim4 (adm required).
You can fix the latter by being included in adm. Now you can see
which have left the machine, and you *might* notice emails that failed
if there's not too much traffic. OTOH you don't want to be included in
Debian-exim and be able to read/interfere with/delete emails, but need
to see the spool.
A solution is for root to add lines like:
Cmnd_Alias EMAILQUEUED = /bin/ls -lR /var/spool/exim4/
ME MYHOSTS = (EMAIL) EMAILQUEUED
## who where = (as_whom) what
to a file like /etc/sudoers.d/foo so that you (defined as ME) can
run that specific command as Debian-exim (EMAIL) on given hosts.
Now, a bash function can be defined to handle all the typing for
you (as user):
my-q ()
{
[ -n "$1" ] && printf '%s\n' "Usage: $FUNCNAME
checks the outbound mail queue." 1>&2 && return 1;
ps -p $(pgrep exim4);
sudo -u Debian-exim ls -lR /var/spool/exim4/
}
$ my-q
Cheers,
David.
