On 6/28/24 19:46, Ryan Petris wrote:
I didn't say that you *were* trolling, I said it *felt* like you were trolling.
There's a small but non-insignificant difference there.
True, and apologies for taking it as a near-attack ;-)
Also, I'm not one to care for how credentialed someone may be -- so-called
professionals are wrong all the time. Nobody is perfect.
True as well, but I feel like if you've been around, and seen my
postings (rare though they may be), and knew a bit more about me maybe
you might not have even FELT like I was trolling. Oh, well.
So let me expand on what I said earlier with a bit less sarcasm:
Yes, I was unable to get past the sarcasm....
There are many different ways that something might end up executing on your
computer that you didn't intend, especially with how advanced browsers are
today. While most/all browsers today employ sandboxes, there have been and will
be vulnerabilities to break out of said sandbox resulting in the ability to
execute arbitrary code on your machine.
There have also been several supply-chain exploits within the last few years
with npm and other package managers that are typically used by developers. One
in particular targeted users in Russia and deleted files from their machines. I
forget the details, but there was also something that happened with the
acroread package in the Arch AUR a few years ago where a malicious actor took
over the orphaned package and put something malicious in the PKGBUILD.
In all of those cases, while your data may have been affected, you could be
certain that unless you typed in your password or that some other privilege
escalation bug was employed, your system is safe, because the exploits would
have been running with the context of your user. If you had passwordless
escalation to root, however, then it's possible that said exploit did something
to your system itself rather than just your home directory.
You could say that your data is more important than the system itself, and
therefore it doesn't matter, and that's true for the data itself, but there's
not really a way to secure your data without a secure system. So, to secure
your data, you need to have a secure system, which is contrary to passwordless
privilege escalation.
Now, the opinion above is passwordless sudo *in general for running arbitrary
commands*. I agree that there are some commands you can give users access to
that are otherwise benign yet need root permission to run. However, if an
application is keeping up with the times, there are other ways to handle
privilege escalation for just the things needed rather than running the entire
application as root.
And you might find it incredible that I agree, passwordless sudo is,
except in VERY small and totally contained situations, beyond foolish.
As is running as root. (As are a LOT of things we won't 'rabbit hole'
on right now ;-)
However, that is absolutely NOT the only use for sudo, and I'm amazed
that is, apparently, what people think it's for. (In fact, I'm almost
speechless that this appears to be the assumed use of sudo.)
IMO, passwordless use of sudo is absolutely not the primary purpose (not
even a very good purpose). The primary purpose for sudo is to allow the
owners of a computer to have extremely fine control over who can do what
administrative tasks, AND to allow simple, trivial, and much easier
securing of a system when you fire the jerk... er, I mean the bad
administrator ;-) Assuming you are using some sort of centralized
credential system, just disable that user and voilà - all their
passwords quit working, so they can not log in to your computers and
they no longer have a password that gets them root. Now, the truly
paranoid (well, actually, the truly wise) would also immediately
distribute a new sudoers file with that newly unemployed admin removed
from it.
Compare that with the situation when you give the admin the root
password for the machine(s) they are administering. Not only do you
have to disable the user, you have to change the root password on EVERY
MACHINE they knew the password for, AND you have to distribute those new
root passwords to all your admins! And they call THAT more secure than
sudo? I don't get it.... But on the other hand, if people have been
framing the argument as 'passwordless sudo' versus 'su only', then....
Ok, now I'll REALLY (try much harder to) shut up about this dead horse :-)
On Fri, Jun 28, 2024, at 6:43 PM, Rusty Carruth wrote:
(Deep breath. Calm...)
I can't figure out how to respond rationally to the below, so all I'm
going to say is - before you call troll, you might want to research the
author, and read a bit more carefully what they wrote. I don't believe
I recommended any of the crazy things you suggest. And I certainly
didn't intend to imply any of that.
On the other hand, it may not have been clear, so I'll just say "Sorry
that what I wrote wasn't clear, but English isn't my first language.
Unfortunately it's the only one I know".
And on that note, I'll shut up.
On 6/26/24 15:05, Ryan Petris wrote:
I feel like you're trolling so I'm not going to spend very much time on this.
It's been a generally good security practice for at least the last 25+ years to
not regularly run as a privileged user, requiring some sort of escalation to do
administrative-type tasks. By using passwordless sudo, you're taking away that
escalation. Why not just run as root? Then you don't need sudo at all. In fact,
why even have a password at all? Why encrypt? Why don't you just put all your
data on a publicly accessible FTP server and just grab stuff when you need it?
The NSA has all your data anyway and you don't have anything to hide so why not
just leave it out there for the world to see?
As for something malicious needing to be written to use sudo, why wouldn't it?
sudo is ubiquitous on unix systems; if it didn't at least try then that seems
like a pretty dumb malicious script to me.
You also don't necessarily need to open/run something for it to run. IIRC there
was a recent image vulnerability in Gnome's tracker-miner application which
indexes files in your home directory. And before you say that wouldn't happen
in KDE, it too has a similar program, I believe called Baloo.
There also exists the recent doas program and the systemd replacement run0 to
do the same.
On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
Actually, I'd like to start a bit of a discussion on this.
First, I know that for some reason RedHat seems to think that sudo is
bad/insecure.
I'd like to know the logic there, as I think the argument FOR using sudo
is MUCH stronger than any argument I've heard (which, admittedly, is
pretty close to zero) AGAINST it. Here's my thinking:
Allowing users to become root via sudo gives you:
- VERY fine control over what programs a user can use as root
- The ability to remove admin privs (ability to run as root) from an
individual WITHOUT having to change root password everywhere.
Now, remember, RH is supposedly 'corporate friendly'. As a corporation,
that 2nd feature is well worth the price of admission, PLUS I can only
allow certain admins to run certain programs? Very nice.
So, for example, at my last place I allowed the 'tester' user to run
fdisk as root, because they needed to partition the disk under test. In
my case, and since the network that we ran on was totally isolated from
the corporate network, I let fdisk be run without needing a password.
Oh, and if they messed up and fdisk'ed the boot partition, it was no big
deal - I could recreate the machine from scratch (minus whatever data
hadn't been copied off yet - which would only be their most recent run),
in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
scripted 'dd' ;-) However, if the test user wanted to become root using
su, they had to enter the test user password.
So, back to the original question - setting sudo to not require a
password. We should have asked, what program do you want to run as root
without requiring a password? How secure is your system? What else do
you use it for? Who has access? etc, etc, etc.
There's one other minor objection I have to the 'zero defense' statement
below - the malicious thing you downloaded (and, I assume ran) has to be
written to USE sudo in its attempt to break in, I believe, or it
wouldn't matter HOW open your sudo was. (simply saying 'su - myscript'
won't do it).
And, if you're truly paranoid about stuff you download, you should:
1 - NEVER download something you don't have an excellent reason to
believe is 'safe', and ALWAYS make sure you actually downloaded it from
where you thought you did.
2 - For the TRULY paranoid, have a machine you use to download and test
software on, which you can totally disconnect from your network (not
JUST the internet), and which has NO confidential info, and which you
can erase and rebuild without caring. Run the downloaded stuff there,
for a long time, until you're pretty sure it won't bite you.
3 - For the REALLY REALLY paranoid, don't download anything from
anywhere, disconnect from the internet permanently, get high-tech locks
for your doors, and wrap your house in a faraday cage!
And probably don't leave the house....
The point of number 3 is that there is always a risk, even with
'well-known' software, and as someone else said - they're watching you
anyway. The question is how 'safe' do you want to be? And how paranoid
are you, really?
Wow, talk about rabbit hole! ;-)
'Let the flames begin!' :-)
On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
wanted sudo not to require a password.
Please reconsider this... This is VERY BAD security practice. There's basically
zero defense if you happen to download/run something malicious.
On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
then I remember that a PLUG member mentioned ChatGPT being good at
troubleshooting so I figured I'd give it a go. I spent about half an hour
asking it the wrong question but after that it took 2 minutes. I wanted sudo
not to require a password. It is wonderful! Now I don't have to bug you guys.
So it looks like this is the end of the user group unless you want to talk
about OT stuff.
--
:-)~MIKE~(-:
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
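
Added example, not part of any post in this thread: a small auditor that separates the two cases the discussion keeps contrasting, blanket passwordless sudo (`NOPASSWD: ALL`) versus a passwordless rule scoped to one command such as the `tester`/`fdisk` setup. The sample sudoers text, the user names other than `tester`, and all paths are constructed assumptions; the parser handles only plain user specs with one leading Runas spec and does not expand `Cmnd_Alias`.

```python
import re

# Constructed sample sudoers content (not from the thread). "tester" and fdisk
# echo the lab setup described above; the other names and paths are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
devuser ALL=(ALL) NOPASSWD: ALL
tester  ALL=(root) NOPASSWD: /sbin/fdisk
%admins ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, PASSWD: /usr/bin/apt
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit(text):
    """Classify every command in every user spec as blanket/scoped/password."""
    findings = []
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # simplified: drops comments and #include
        m = RULE.match(line)
        if not m or line.startswith(SKIP):
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m["rest"])   # drop the leading Runas spec
        nopasswd = False                         # a tag applies until overridden
        for cmd in (c.strip() for c in rest.split(",")):
            t = TAGS.match(cmd)
            if t:
                for tag in re.findall(r"[A-Z_]+", t.group()):
                    if tag in ("NOPASSWD", "PASSWD"):
                        nopasswd = tag == "NOPASSWD"
                cmd = cmd[t.end():].strip()
            if not nopasswd:
                level = "password"
            elif cmd == "ALL":
                level = "blanket"
            else:
                level = "scoped"
            findings.append((m["who"], cmd, level))
    return findings

if __name__ == "__main__":
    for who, cmd, level in audit(SAMPLE_SUDOERS):
        print(f"{level:8} {who:8} {cmd}")
```

A "scoped" result still deserves review, since whether a single passwordless command is acceptable depends on what that command can do as root.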