On Mon, Jan 22, 2007 at 01:14:53AM EST, Kevin Mark wrote:
> On Mon, Jan 22, 2007 at 12:53:04AM -0500, Roberto C. Sanchez wrote:
> > On Sun, Jan 21, 2007 at 11:36:15PM -0500, cga2000 wrote:
> > >
> > > What I had in mind was a flexible model where different actors of the
> > > system can be provide
On Mon, Jan 22, 2007 at 12:53:04AM -0500, Roberto C. Sanchez wrote:
> On Sun, Jan 21, 2007 at 11:36:15PM -0500, cga2000 wrote:
> >
> > What I had in mind was a flexible model where different actors of the
> > system can be provided with the privileges required to perform their
> > duties--no more
On Sun, Jan 21, 2007 at 11:36:15PM -0500, cga2000 wrote:
>
> What I had in mind was a flexible model where different actors of the
> system can be provided with the privileges required to perform their
> duties--no more .. no less.
>
You want selinux.
Regards,
-Roberto
--
Roberto C. Sanchez
h
On Fri, Jan 12, 2007 at 09:39:11AM EST, David Jardine wrote:
> On Thu, Jan 11, 2007 at 07:25:03PM -0500, cga2000 wrote:
Sorry, I didn't mean to be rude. I was unable to check ML's for
most of last week and had so much cleaning up to do that I only saw your
reply last night.
> > So is mopp
On Sat, Jan 13, 2007 at 03:22:33PM +0100, Mertens Bram wrote:
>
> I agree that some things require a GUI but IMHO not much of these
> require root privileges.
>
> The Oracle installer indeed requires the use of its GUI. However:
> the installation should not be performed as root! One of the fi
On Sat, Jan 13, 2007 at 11:27:11AM +0200, Andrei Popescu wrote:
>
> AFAIK cdrecord can be installed setuid (dpkg-reconfigure ...). Then add
> yourself to the cdrom group. While this is not the best solution it's
> still better than burning cdroms as root.
>
If you are in the cdrom group and the c
On Sat, Jan 13, 2007 at 09:39:07AM EST, Andrei Popescu wrote:
> On Sat, 13 Jan 2007 09:30:33 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
>
> [snip]
>
> [snip setuid arguments]
>
> You're probably right. I haven't thought of it that way. IIRC you said
> your setup is also not typical. Maybe you sh
On Sat, 13 Jan 2007 09:30:33 -0500
cga2000 <[EMAIL PROTECTED]> wrote:
[snip]
[snip setuid arguments]
You're probably right. I haven't thought of it that way. IIRC you said
your setup is also not typical. Maybe you should work on that.
Regards,
Andrei
--
If you can't explain it simply, you don'
On Sat, Jan 13, 2007 at 04:27:11AM EST, Andrei Popescu wrote:
> On Fri, 12 Jan 2007 21:28:50 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
>
> > first of all you have to remember that:
> >
> > # usermod -G adm myuser
> >
> > .. wipes out all your other groups .. so you have to try and figure
> >
On 2007-01-09, Roberto C. Sanchez wrote:
> Unfortunately, some things flat out require a GUI.
[...]
> Except that many apps are GUI apps and expect that you will already have
> elevated privileges when you run them. The Oracle installer and the
> CrossOver Office configuration tool are two that c
On Fri, 12 Jan 2007 21:28:50 -0500
cga2000 <[EMAIL PROTECTED]> wrote:
> first of all you have to remember that:
>
> # usermod -G adm myuser
>
> .. wipes out all your other groups .. so you have to try and figure
> out what groups you were in (or restore from a backup) .. and then
> issue a:
>
On Fri, Jan 12, 2007 at 11:15:41AM EST, Roberto C. Sanchez wrote:
> On Fri, Jan 12, 2007 at 01:42:44AM -0500, cga2000 wrote:
> > · creating/burning iso images
>
> IIRC, the default on Debian systems is to have the cd burner owned by
> group CD-ROM and have the group writable attribute set. So, if
On Fri, Jan 12, 2007 at 08:51:58AM EST, Douglas Tutty wrote:
> On Fri, Jan 12, 2007 at 01:42:44AM -0500, cga2000 wrote:
Looks like our encodings do not play well with each other - see all the
question marks below.
> > This is what root's recently been up to on my laptop:
> >
> > ? manually adjus
On Fri, Jan 12, 2007 at 01:42:44AM -0500, cga2000 wrote:
> · creating/burning iso images
IIRC, the default on Debian systems is to have the cd burner owned by
group CD-ROM and have the group writable attribute set. So, if you add
your users to the cdrom group, you should be able to let them burn
On Thu, Jan 11, 2007 at 07:25:03PM -0500, cga2000 wrote:
> On Thu, Jan 11, 2007 at 04:06:01PM EST, Andrei Popescu wrote:
> > Upgrading those binaries is a potential security
> > problem ..
>
> So is mopping up the floors in a timely manner.. Doesn't mean you want
> the janitor
On Fri, Jan 12, 2007 at 01:42:44AM -0500, cga2000 wrote:
> This is what root's recently been up to on my laptop:
>
> ? manually adjusting the system & hardware clock
Look at chrony. If you don't want it to sync to an NTP server over the
net, it still has the capability to take your watch time
On Thu, Jan 11, 2007 at 05:15:19PM EST, Douglas Tutty wrote:
> On Thu, Jan 11, 2007 at 03:15:51PM -0500, cga2000 wrote:
> > yes .. but what I'm really not too comfortable with is mostly the
> > non-granularity of privileges .. I'll have to play with groups a bit
> > and see if this might provi
On Thu, Jan 11, 2007 at 04:06:01PM EST, Andrei Popescu wrote:
> On Thu, 11 Jan 2007 14:01:55 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
>
> > Well .. the malware could be the installer itself, no..? It _is_
> > software after all. If I was up to no good that's exactly where I'd
> > stick my mal-
On Thu, Jan 11, 2007 at 03:15:51PM -0500, cga2000 wrote:
>
> > That's one of the things I like about Linux. It encourages good
> > security practices by not making it too difficult to do privileged
> > tasks from within a user account.
>
> yes .. but what I'm really not too comfortable with is m
On Thu, Jan 11, 2007 at 11:41:45AM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
> > On Wed, Jan 10, 2007 at 11:25:51PM -0500, Roberto C. Sanchez wrote:
> >> On Wed, Jan 10, 2007 at 11:00:48PM -0500, Douglas Tutty wrote:
> >> >
> >> > I can buy that. Hard to watch a DVD or use a full-featured
On Thu, 11 Jan 2007 15:15:51 -0500
cga2000 <[EMAIL PROTECTED]> wrote:
> I'll have to install synaptic and take a look. I understand it
> prompts you for the root password as relevant, right?
Actually I have no idea. I use only aptitude in command-line and
sometimes interactive. AFAICT aptitude (
On Thu, 11 Jan 2007 14:01:55 -0500
cga2000 <[EMAIL PROTECTED]> wrote:
> Well .. the malware could be the installer itself, no..? It _is_
> software after all. If I was up to no good that's exactly where I'd
> stick my mal-code.. only runs once .. under root, usually .. does
> its stuff .. remo
On Thu, Jan 11, 2007 at 11:41:45AM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
>
> > On Wed, Jan 10, 2007 at 11:25:51PM -0500, Roberto C. Sanchez wrote:
> >> On Wed, Jan 10, 2007 at 11:00:48PM -0500, Douglas Tutty wrote:
> >> >
> >> > Hi Roberto
> >> >
> >> > I can buy that. Hard to watch
Please don't quote in backwards order; this is a high traffic list and it
makes things harder to follow if we have to jump through hoops to get
context.
http://wiki.ursine.ca/Best_Online_Quoting_Practices
Vladimir Kozlov wrote:
> Paul Johnson wrote:
>> Roberto C. Sanchez wrote:
>>
>>> Of course,
On Thu, Jan 11, 2007 at 03:06:33AM EST, Andrei Popescu wrote:
> On Wed, 10 Jan 2007 17:52:18 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
< snip part I - already replied >
Sorry Andrei .. had to run out for something and I must have
accidentally deleted the rest of your reply below ..
> > But I wa
Douglas Tutty wrote:
> On Wed, Jan 10, 2007 at 11:25:51PM -0500, Roberto C. Sanchez wrote:
>> On Wed, Jan 10, 2007 at 11:00:48PM -0500, Douglas Tutty wrote:
>> >
>> > Hi Roberto
>> >
>> > I can buy that. Hard to watch a DVD or use a full-featured
>> > web-browser, or read a pdf with diagrams wi
On Thu, Jan 11, 2007 at 03:06:33AM EST, Andrei Popescu wrote:
> On Wed, 10 Jan 2007 17:52:18 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
>
> > Mind you, and this is not directly related to the above, I sometimes
> > have this bizarre feeling that much of this awkwardness we have to
> > deal with --
On Thu, 11 Jan 2007 09:29:44 -0500
[EMAIL PROTECTED] wrote:
> On Thu, Jan 11, 2007 at 10:06:33AM +0200, Andrei Popescu wrote:
> > On Wed, 10 Jan 2007 17:52:18 -0500
> > cga2000 <[EMAIL PROTECTED]> wrote:
> >
> > > Mind you, and this is not directly related to the above, I
> > > sometimes have thi
On Thu, Jan 11, 2007 at 10:06:33AM +0200, Andrei Popescu wrote:
> On Wed, 10 Jan 2007 17:52:18 -0500
> cga2000 <[EMAIL PROTECTED]> wrote:
>
> > Mind you, and this is not directly related to the above, I sometimes
> > have this bizarre feeling that much of this awkwardness we have to
> > deal with
cga2000 wrote:
>> Root gets the "failsafe" option for X by default? xterm is mandatory in
>> an X install, IIRC.
>
> Please refer to what Roberto has to say about pointy-head activity in
> the enterprise. In the enterprise world there is no guarantee that some
> dude will not decide at some poi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
E.g. when I tried to use KVpnc to import the OpenVPN config file
downloaded from my vpn server (IPCop), I've got the "Wrong password"
message. Not so informative, isn't it?
After a long digging I've found that there is a problem with file
permissions -
Roberto C. Sanchez wrote:
> On Wed, Jan 10, 2007 at 11:31:32AM -0800, Paul Johnson wrote:
>>
>> Yes, this is the right word. GUIs frequently sacrifice security,
>> flexibility and functionality in favor of being relatively drool-proof.
>> Sacrificing security at the root level is never the brigh
On Wed, 10 Jan 2007 17:52:18 -0500
cga2000 <[EMAIL PROTECTED]> wrote:
> Mind you, and this is not directly related to the above, I sometimes
> have this bizarre feeling that much of this awkwardness we have to
> deal with -- in X certainly .. but from the linux console as well,
> albeit to a lesse
On Wed, Jan 10, 2007 at 11:57:25PM EST, Douglas Tutty wrote:
.. forgot to mention that elinks not only supports frames but also
tabbed browsing...!
uploaded a screenshot featuring the dillo home page for your review:
http://www.geocities.com/cga/pic00/dillo1.png
It features two tabs -- see
On Wed, Jan 10, 2007 at 11:57:25PM EST, Douglas Tutty wrote:
> I haven't looked at mplayer. Do you mean that I can watch a DVD on a
> serial console? I use lynx when I don't need frames or images and dillo
> when I do. I only use firefox when I need java or images + https. I've
> tried some ot
On Wed, Jan 10, 2007 at 11:57:25PM -0500, Douglas Tutty wrote:
>
> I haven't looked at mplayer. Do you mean that I can watch a DVD on a
> serial console? I use lynx when I don't need frames or images and dillo
I'm not sure about a serial console, but definitely a VT on the machine.
It uses the
On Wed, Jan 10, 2007 at 11:25:51PM -0500, Roberto C. Sanchez wrote:
> On Wed, Jan 10, 2007 at 11:00:48PM -0500, Douglas Tutty wrote:
> >
> > Hi Roberto
> >
> > I can buy that. Hard to watch a DVD or use a full-featured web-browser,
> > or read a pdf with diagrams without X.
> >
> Except that wa
On Wed, Jan 10, 2007 at 11:00:48PM -0500, Douglas Tutty wrote:
>
> Hi Roberto
>
> I can buy that. Hard to watch a DVD or use a full-featured web-browser,
> or read a pdf with diagrams without X.
>
Except that watching a DVD with 'mplayer -vo aa dvd://1' is quite the
console-based experience. A
On Wed, Jan 10, 2007 at 09:57:54PM -0500, Roberto C. Sanchez wrote:
> On Wed, Jan 10, 2007 at 07:10:25PM -0500, Douglas Tutty wrote:
> > On Wed, Jan 10, 2007 at 10:52:11PM +, Wulfy wrote:
> > > Roberto C. Sanchez wrote:
> >
> > > >Of course, some things simply cannot be done without a GUI.
On Wed, Jan 10, 2007 at 07:10:25PM -0500, Douglas Tutty wrote:
> On Wed, Jan 10, 2007 at 10:52:11PM +, Wulfy wrote:
> > Roberto C. Sanchez wrote:
>
> > >Of course, some things simply cannot be done without a GUI. Or at least
> > >they cannot be done efficiently.
>
> > I've seen people
On Wed, Jan 10, 2007 at 10:52:11PM +, Wulfy wrote:
> Roberto C. Sanchez wrote:
> >On Wed, Jan 10, 2007 at 11:31:32AM -0800, Paul Johnson wrote:
> >Of course, some things simply cannot be done without a GUI. Or at least
> >they cannot be done efficiently.
> I've seen people before say t
Roberto C. Sanchez wrote:
On Wed, Jan 10, 2007 at 11:31:32AM -0800, Paul Johnson wrote:
Yes, this is the right word. GUIs frequently sacrifice security,
flexibility and functionality in favor of being relatively drool-proof.
Sacrificing security at the root level is never the brightest idea
On Wed, Jan 10, 2007 at 02:31:32PM EST, Paul Johnson wrote:
> cga2000 wrote:
>
> > On Tue, Jan 09, 2007 at 06:37:01PM EST, Roberto C. Sanchez wrote:
> >> On Tue, Jan 09, 2007 at 06:28:05PM -0500, cga2000 wrote:
> >> > >
> >> > > Pardon my ignorance .. I do my best to stay away from gui apps ..
>
On Wed, Jan 10, 2007 at 11:31:32AM -0800, Paul Johnson wrote:
>
> Yes, this is the right word. GUIs frequently sacrifice security,
> flexibility and functionality in favor of being relatively drool-proof.
> Sacrificing security at the root level is never the brightest idea around.
>
Of course,
cga2000 wrote:
> On Tue, Jan 09, 2007 at 06:37:01PM EST, Roberto C. Sanchez wrote:
>> On Tue, Jan 09, 2007 at 06:28:05PM -0500, cga2000 wrote:
>> > >
>> > > Pardon my ignorance .. I do my best to stay away from gui apps ..
>> > >
>> Unfortunately, some things flat out require a GUI.
>
> Unfortu
On Wed, Jan 10, 2007 at 11:01:06AM EST, Rob Sims wrote:
> On Tue, Jan 09, 2007 at 02:12:33PM -0800, Paul Johnson wrote:
> > > Now, please explain how I can use sudo to transfer X credentials ..
> >
> > It does this automatically.
> >
> > sudo
>
> It does not:
> $ sudo xlogo
> Password:
> X11 co
On Tue, Jan 09, 2007 at 02:12:33PM -0800, Paul Johnson wrote:
> > Now, please explain how I can use sudo to transfer X credentials ..
>
> It does this automatically.
>
> sudo
It does not:
$ sudo xlogo
Password:
X11 connection rejected because of wrong authentication.
It might work if the X app
On Wed, Jan 10, 2007 at 12:49:04AM EST, Roberto C. Sanchez wrote:
> On Wed, Jan 10, 2007 at 12:42:22AM -0500, cga2000 wrote:
< snip -- merits of sudo vs. su >
> > How's stuff like that supposed to work in a "strict" proof of concept
> > GUI environment with no *term available -- ie. all you are
On Tue, Jan 09, 2007 at 07:40:46PM EST, Casey T. Deccio wrote:
> On Tue, 2007-01-09 at 18:17 -0500, cga2000 wrote:
> > Pardon my ignorance .. I do my best to stay away from gui apps ..
> >
> > And I don't use sudo either.
> >
> > Mind you, I have thought about it and I have come with the conclus
On Wed, Jan 10, 2007 at 12:42:22AM -0500, cga2000 wrote:
> > > >
> > However, in a situation with multiple admins it is nice to have the
> > logging of sudo so that you know who did what/when.
>
> yes .. see above.
>
> otherwise it sounds like unnecessary overhead .. making things a bit more
> c
On Tue, Jan 09, 2007 at 06:37:01PM EST, Roberto C. Sanchez wrote:
> On Tue, Jan 09, 2007 at 06:28:05PM -0500, cga2000 wrote:
> > >
> > > Pardon my ignorance .. I do my best to stay away from gui apps ..
> > >
> Unfortunately, some things flat out require a GUI.
Unfortunately?
:-)
> > > And I
cga2000 wrote:
> On Mon, Jan 08, 2007 at 12:33:32AM EST, Roberto C. Sanchez wrote:
>> On Mon, Jan 08, 2007 at 12:29:02AM -0500, cga2000 wrote:
>> >
>> > Quick hack from a bash prompt:
>> >
>>
>>
>> Please investigate sudo and sux. If used properly, they are more secure
>> and certainly more s
On Tue, Jan 09, 2007 at 07:46:16PM -0500, Douglas Tutty wrote:
>
> I switched from RH to Debian for two reasons:
>
You are preaching to the converted, as they say.
> The RH GUIs kept crashing
>
Hmm. Never experienced this.
> RH compiled their then new version to need a pentium and
On Tue, Jan 09, 2007 at 07:46:16PM -0500, Douglas Tutty wrote:
> On Tue, Jan 09, 2007 at 07:23:29PM -0500, Roberto C. Sanchez wrote:
> > On Tue, Jan 09, 2007 at 07:08:58PM -0500, Douglas Tutty wrote:
> > >
> > > For me, if something flat out requires a GUI I go and find a different
> > > way. My
On Tue, Jan 09, 2007 at 07:23:29PM -0500, Roberto C. Sanchez wrote:
> On Tue, Jan 09, 2007 at 07:08:58PM -0500, Douglas Tutty wrote:
> >
> > For me, if something flat out requires a GUI I go and find a different
> > way. My firewall box for example has no gui apps at all, no X files at
> > all...
On Tue, 2007-01-09 at 18:17 -0500, cga2000 wrote:
> Pardon my ignorance .. I do my best to stay away from gui apps ..
>
> And I don't use sudo either.
>
> Mind you, I have thought about it and I have come with the conclusion
> that it is just not worth the trouble setting up sudo in a desktop
>
On Tue, Jan 09, 2007 at 07:08:58PM -0500, Douglas Tutty wrote:
>
> For me, if something flat out requires a GUI I go and find a different
> way. My firewall box for example has no gui apps at all, no X files at
> all... It's a command-line only box.
>
> I use su. It's only me; I'd need an extra a
On Tue, Jan 09, 2007 at 06:37:01PM -0500, Roberto C. Sanchez wrote:
> On Tue, Jan 09, 2007 at 06:28:05PM -0500, cga2000 wrote:
> > >
> Unfortunately, some things flat out require a GUI.
>
> > > I'll stick with plain /bin/su.
> > >
> However, in a situation with multiple admins it is nice to ha
On Tue, Jan 09, 2007 at 06:28:05PM -0500, cga2000 wrote:
> >
> > Pardon my ignorance .. I do my best to stay away from gui apps ..
> >
Unfortunately, some things flat out require a GUI.
> > And I don't use sudo either.
> >
> > Mind you, I have thought about it and I have come with the conclusi
On Tue, Jan 09, 2007 at 06:17:31PM EST, cga2000 wrote:
> On Tue, Jan 09, 2007 at 03:21:05PM EST, Casey T. Deccio wrote:
> > On Tue, 2007-01-09 at 14:50 -0500, cga2000 wrote:
> > > > Please investigate sudo and sux. If used properly, they are more secure
> > > > and certainly more standard than yo
On Tue, 2007-01-09 at 14:50 -0500, cga2000 wrote:
> > Please investigate sudo and sux. If used properly, they are more secure
> > and certainly more standard than your hack.
>
> Done..! :-)
>
> Now, please explain how I can use sudo to transfer X credentials ..
>
sudo does not transfer X cre
cga2000 wrote:
> On Sun, Jan 07, 2007 at 09:22:38PM EST, Roberto C. Sanchez wrote:
>> On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
>> > Actually I had tried it before and I couldn't. It is cool since Debian
>> > increases security like this, but I modified login settings in login
On Mon, Jan 08, 2007 at 12:33:32AM EST, Roberto C. Sanchez wrote:
> On Mon, Jan 08, 2007 at 12:29:02AM -0500, cga2000 wrote:
> >
> > Quick hack from a bash prompt:
> >
>
>
> Please investigate sudo and sux. If used properly, they are more secure
> and certainly more standard than your hack.
D
http://wiki.ursine.ca/Top_posting
Danesh Daroui wrote:
> Actually I had tried it before and I couldn't. It is cool since Debian
> increases security like this, but I modified login settings in login
> page to allow "root" to login and now it works.
Don't do this. Leave the defaults alone and ju
On Mon, Jan 08, 2007 at 12:29:02AM -0500, cga2000 wrote:
>
> Quick hack from a bash prompt:
>
Please investigate sudo and sux. If used properly, they are more secure
and certainly more standard than your hack.
Regards,
-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http
On Sun, Jan 07, 2007 at 09:22:38PM EST, Roberto C. Sanchez wrote:
> On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
> > Actually I had tried it before and I couldn't. It is cool since Debian
> > increases security like this, but I modified login settings in login
> > page to allow
On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
> Actually I had tried it before and I couldn't. It is cool since Debian
> increases security like this, but I modified login settings in login
> page to allow "root" to login and now it works.
>
I will reiterate the sentiments that
Actually I had tried it before and I couldn't. It is cool since Debian
increases security like this, but I modified login settings in login
page to allow "root" to login and now it works.
Guillermo Garron wrote:
On 1/7/07, Danesh Daroui <[EMAIL PROTECTED]> wrote:
How can I have root privileg