On Sat, Dec 14, 2013 at 10:25 AM, Gian Uberto Lauri wrote:
>> On 14/Dec/2013, at 09:09, Nemeth Gyorgy wrote:
>> On 2013-12-13 17:22, John Hasler wrote:
...must have successfully authenticated
to execute a sudo command once
>>>
>>> Within the last 15 minutes.
>>
>> ... from
On Mon, Dec 16, 2013 at 7:40 PM, Gian Uberto Lauri wrote:
> Joel Rees writes:
> > On Wed, Dec 11, 2013 at 5:39 PM, Gian Uberto Lauri wrote:
> > > [...]
> > > Maybe I failed expressing that I am not completely against sudo, there
> > > are several good sudo usages and even "caching" the authen
On Wed, Dec 11, 2013 at 8:28 PM, Chris Bannister wrote:
> On Tue, Dec 10, 2013 at 11:50:00PM +0100, Gian Uberto Lauri wrote:
>>
>> What makes root special is not the name but the numerical user id and group
>> id, both set to zero. See /etc/passwd.
>
> Don't you have to be logged in to do that?
S
Joel Rees writes:
> On Wed, Dec 11, 2013 at 5:39 PM, Gian Uberto Lauri wrote:
> > [...]
> > Maybe I failed expressing that I am not completely against sudo, there
> > are several good sudo usages and even "caching" the authentication has
> > its very legitimate uses, and the -k and -K flags h
On Wed, Dec 11, 2013 at 5:39 PM, Gian Uberto Lauri wrote:
> [...]
> Maybe I failed expressing that I am not completely against sudo, there
> are several good sudo usages and even "caching" the authentication has
> its very legitimate uses, and the -k and -K flags help a lot in this,
> even if some
The same terminal or the same shell?
--
Gian Uberto Lauri
Message sent from a tablet
> On 14/Dec/2013, at 09:09, Nemeth Gyorgy wrote:
>
> On 2013-12-13 17:22, John Hasler wrote:
>>> ...must have successfully authenticated
>>> to execute a sudo command once
>>
>> Within the last 15
On 2013-12-13 17:22, John Hasler wrote:
>> ...must have successfully authenticated
>> to execute a sudo command once
>
> Within the last 15 minutes.
... from the same terminal. Don't forget this criterion because it is
important.
--
--- Friczy ---
'Death is not a bug, it's a feature'
Tom H writes:
> On Thu, Dec 12, 2013 at 9:40 AM, Gian Uberto Lauri wrote:
> > Bob Proulx writes:
> >>
> >> Right. Because normal users can't change the system time.
> >
> > Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root ANY
> > program including 'date -s'. Or at least '
Tom H writes:
> ...must have successfully authenticated
> to execute a sudo command once
Within the last 15 minutes.
> ...and it must be possible for users to modify the system time without
> entering a password."
Which is, of course, not the case on Debian.
--
John Hasler
jhas...@newsguy.com
On Thu, Dec 12, 2013 at 9:40 AM, Gian Uberto Lauri wrote:
> Bob Proulx writes:
>>
>> Right. Because normal users can't change the system time.
>
> Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root ANY
> program including 'date -s'. Or at least 'sudo bash', and then live
> happy w
On Wed, Dec 11, 2013 at 10:56 PM, Ralf Mardorf wrote:
>
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
>
> But note! The Chaos Computer Club does publish howtos using sudo on
> Linux: http://muc.ccc.de/uberbus:ubd
>
> I don't think the Chaos Computer C
Bob Proulx writes:
> Gian Uberto Lauri wrote:
> > Bob Proulx writes:
> > > How would this be accomplished? (Answer cannot contain a use of sudo!
> > > No circular logic please.)
> > > ...
> > > Right. Because normal users can't change the system time.
> >
> > Sorry, wrong. With 'folk A
Gian Uberto Lauri wrote:
> Bob Proulx writes:
> > How would this be accomplished? (Answer cannot contain a use of sudo!
> > No circular logic please.)
> > ...
> > Right. Because normal users can't change the system time.
>
> Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root AN
On 12/12/13 11:43, Gian Uberto Lauri wrote:
Iain M Conochie writes:
> > I got it about 20 years ago. Is it enough?
> Maybe - just maybe ;)
Indeed, never be sure! :)
> > You say it. It is not bullet proof. The bullet has already pierced the
> > target once. Therefore it may happen again
Iain M Conochie writes:
> > I got it about 20 years ago. Is it enough?
> Maybe - just maybe ;)
Indeed, never be sure! :)
> > You say it. It is not bullet proof. The bullet has already pierced the
> > target once. Therefore it may happen again.
> May - but not assured.
Indeed. You usually p
On 12/12/13 08:20, Gian Uberto Lauri wrote:
Iain M Conochie writes:
> On 11/12/13 08:01, Gian Uberto Lauri wrote:
> > > Encrypt your hard disk.
> >
> > Hoping that the encryption you use has no backdoor.
> You do understand what the peer review process is right?
I got it about 20 yea
On Thu, 2013-12-12 at 10:40 +0100, Gian Uberto Lauri wrote:
> sudo date 2101
>
> and feel younger ;)
That's a shoddy trick. I always wonder about that man:
"Foreman said he had no plans to resume his career as a boxer, but then
announced in February 2004 that he was training for one more com
Bob Proulx writes:
> Right. Because normal users can't change the system time.
Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root ANY
program including 'date -s'. Or at least 'sudo bash', and then live
happy with a shell executed with the root id.
If your /etc/sudoers contains
Ralf Mardorf writes:
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
The attack described in the post is the kind of hijack I thought
about.
> But note! The Chaos Computer Club does publish howtos using sudo on
> Linux: http://muc.ccc.de/uberbus:ubd
Iain M Conochie writes:
> On 11/12/13 08:01, Gian Uberto Lauri wrote:
> > > Encrypt your hard disk.
> >
> > Hoping that the encryption you use has no backdoor.
> You do understand what the peer review process is right?
I got it about 20 years ago. Is it enough?
> Although not a
> magic
Ralf Mardorf writes:
> On Wed, 2013-12-11 at 15:33 +0100, Gian Uberto Lauri wrote:
> > > You need to inform yourself, to know that there's a callback for
> > > the danger to life baby bottle.
> >
> > Ouch, InsufficentEnglishSkillException! Could you help me please :)
>
> Assumed a bab
Ralf Mardorf wrote:
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
In the article:
... it must be possible for users to modify the system time without
entering a password.
How would this be accomplished? (Answer cannot contain a use of sudo!
No
http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
But note! The Chaos Computer Club does publish howtos using sudo on
Linux: http://muc.ccc.de/uberbus:ubd
I don't think the Chaos Computer Club folks would write a howto using
sudo, if sudo would be a securi
On Wed 11 Dec 2013 at 21:04:48 +0100, Gian Uberto Lauri wrote:
> Gentleman, the exploits are unknown to you, not to the black market
> that supplies those investing in "not perfectly legitimate software".
> Should I quote stuxnet one more time or you took the time to read how
> it reached its not
On 11/12/13 08:01, Gian Uberto Lauri wrote:
> Encrypt your hard disk.
Hoping that the encryption you use has no backdoor.
You do understand what the peer review process is right? Although not a
magic bullet, it can help weed this out.
Choose a *very* good password.
For the encryption, I
Gentleman, the exploits are unknown to you, not to the black market that
supplies
those investing in "not perfectly legitimate software". Should I quote stuxnet
one more time or you took the time to read how it reached its
not-network-connected intended targets?
--
Gian Uberto Lauri
Messaggi
On Wed, 2013-12-11 at 15:33 +0100, Gian Uberto Lauri wrote:
> > You need to inform yourself, to know that there's a callback for
> > the danger to life baby bottle.
>
> Ouch, InsufficentEnglishSkillException! Could you help me please :)
Assumed a baby bottle does poison the milk, because the
On Wed 11 Dec 2013 at 09:11:56 +0100, Gian Uberto Lauri wrote:
> Brian writes:
>
> > We do not worry about serious, unpublicised exploits. Their existence is
> > of little consequence for your argument as your "attackers" would not
> > know about them.
>
> Are you kidding?
About attackers bei
Ralf Mardorf writes:
> On Wed, 2013-12-11 at 14:07 +0100, Gian Uberto Lauri wrote:
> > It happens that appliances are called back by manufacturers due to safety
> > issues.
>
> Debian and other distros provide security updates _and_ much more
> important, analog to a product callback, homepages
On Wed, 2013-12-11 at 14:07 +0100, Gian Uberto Lauri wrote:
> It happens that appliances are called back by manufacturers due to safety
> issues.
Debian and other distros provide security updates _and_ much more
important, analog to a product callback, homepages with news about the
distro. You need t
Ralf Mardorf writes:
> On Wed, 2013-12-11 at 09:39 +0100, Gian Uberto Lauri wrote:
> > Let's suppose that Debian+Ubuntu get the largest share of the
> > installed end user desktops.
>
> The tendency is that seemingly newbies start using pre-built Linux
> environments and use Linux as they wo
Chris Bannister writes:
> On Tue, Dec 10, 2013 at 11:50:00PM +0100, Gian Uberto Lauri wrote:
> >
> > What makes root special is not the name but the numerical user id and
> > group id, both set to zero. See /etc/passwd.
>
> Don't you have to be logged in to do that?
Gentleman???
I was si
On Wed, 2013-12-11 at 09:39 +0100, Gian Uberto Lauri wrote:
> Let's suppose that Debian+Ubuntu get the largest share of the
> installed end user desktops.
The tendency is that seemingly newbies start using pre-built Linux
environments and use Linux as they would use Windows, IOW without
self-respo
On Tue, Dec 10, 2013 at 11:50:00PM +0100, Gian Uberto Lauri wrote:
>
> What makes root special is not the name but the numerical user id and group
> id, both set to zero. See /etc/passwd.
Don't you have to be logged in to do that?
The issue was that there would be only one exploitable account, i
Ralf Mardorf writes:
> On Tue, 2013-12-10 at 23:54 +0100, Gian Uberto Lauri wrote:
> > Clever attacks manifest themselves a long time after the "infection" in
> > order
> > to poison backups. And backup media may fail when they are most needed.
> > That's an effect of Murphy's law :).
>
> R
Brian writes:
> We do not worry about serious, unpublicised exploits. Their existence is
> of little consequence for your argument as your "attackers" would not
> know about them.
Are you kidding?
> If what you are referring to is what I think it is then no machines were
> ever harmed. Not
> Encrypt your hard disk.
Hoping that the encryption you use has no backdoor.
> Choose a *very* good password.
For the encryption, I suppose. That once one has his hands on the
hardware there is no user/prom/bios password stopping his intrusion.
> Unless they are a honey trap - and then you
On Tue, 2013-12-10 at 23:54 +0100, Gian Uberto Lauri wrote:
> Clever attacks manifest themselves a long time after the "infection" in order
> to poison backups. And backup media may fail when they are most needed.
> That's an effect of Murphy's law :).
Read about my backup strategy below. Only one
On Tue 10 Dec 2013 at 23:50:00 +0100, Gian Uberto Lauri wrote:
>
>
> > On 10/dic/2013, at 20:46, Brian wrote:
>
> > Quite possibly this is a technique which is tried but, in a default
> > install, Debian does not provide any faulty services.
> >
>
> You are never sure about not-yet publicize
On Tuesday, December 10, 2013 05:56:24 PM Lisi Reisz wrote:
> On Tuesday 10 December 2013 16:50:54 Nate Bargmann wrote:
> > I presume that entering a password in those fields results in root
> > having its own password and the first user account not being a
> > member of the sudo group.
>
> That i
Clever attacks manifest themselves a long time after the "infection" in order
to poison backups. And backup media may fail when they are most needed.
That's an effect of Murphy's law :).
--
Gian Uberto Lauri
Messaggio inviato da un tablet
> On 10/dic/2013, at 21:54, Ralf Mardorf wrote:
>
>> On
> On 10/dic/2013, at 20:46, Brian wrote:
> Quite possibly this is a technique which is tried but, in a default
> install, Debian does not provide any faulty services.
>
You are never sure about not-yet publicized exploits.
And some time ago there was a problem with some ssh code that
should
On Tuesday 10 December 2013 16:50:54 Nate Bargmann wrote:
> I presume that entering a password in those fields results in root
> having its own password and the first user account not being a
> member of the sudo group.
That is what I assumed, but as a result of this thread I just tested.
I have
On Tue, 2013-12-10 at 21:44 +, Brian wrote:
> On Tue 10 Dec 2013 at 15:32:57 -0600, Nate Bargmann wrote:
>
> > I was guessing that it referred to Display 0:0 of the X server as the
> > discussion centered on running X as root at one point.
>
> May I withdraw my "More than likely"? There has to
On Tue 10 Dec 2013 at 15:32:57 -0600, Nate Bargmann wrote:
> I was guessing that it referred to Display 0:0 of the X server as the
> discussion centered on running X as root at one point.
May I withdraw my "More than likely"? There has to be a time when the
guessing has to cease,
I was guessing that it referred to Display 0:0 of the X server as the
discussion centered on running X as root at one point.
- Nate
--
"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."
Ham radio, Linux, bikes, and more: http://www.n0nb.
On Tue 10 Dec 2013 at 22:04:00 +0100, Ralf Mardorf wrote:
> On Tue, 2013-12-10 at 19:46 +, Brian wrote:
> > The English is fine but I wish I understood the implications of 0:0.
>
> root:root?
More than likely; but its significance in the context it was given still
escapes me. (Probably becaus
On Tue, 2013-12-10 at 19:46 +, Brian wrote:
> The English is fine but I wish I understood the implications of 0:0.
root:root?
On Tue, 2013-12-10 at 17:56 +0100, Gian Uberto Lauri wrote:
> I would not trust backups as an absolute safety
You don't trust backups? Why?
Regards,
Ralf
PS: I make complete backups, IOW I backup everything, don't sync, but
make complete new backups nearly daily. At the end of a month I delete
so
On Tue 10 Dec 2013 at 11:18:17 -0600, y...@marupa.net wrote:
> On Tuesday, December 10, 2013 11:15:26 AM John Hasler wrote:
> > Gian Uberto Lauri writes:
> > > Some of your argument seems to suggest that the Debian installer should
> > > not offer the option of leaving the root password blank
> >
On Tue 10 Dec 2013 at 18:23:21 +0100, Gian Uberto Lauri wrote:
> y...@marupa.net writes:
>
> > Not only that, but now whoever seeks to compromise your account has the
> added
> > challenge of figuring out just what, exactly, the name of the
> > account is.
>
> Usually attackers first try to
On 10/12/13 16:56, Gian Uberto Lauri wrote:
Physical security is indeed an issue. When attackers can put their
greedy hands on a computer there is nothing to stop them :)
Encrypt your hard disk. Choose a *very* good password. That will slow
them down, if not halt them. But it depends on *who*
Nate Bargmann writes:
> * On 2013 10 Dec 11:01 -0600, Gian Uberto Lauri wrote:
> > Nate Bargmann writes:
> > > I did a Wheezy install on Sunday and, yes, leaving the root password
> > > fields empty in the installer results in the first user account being in
> > > the sudo group.
> >
> >
y...@marupa.net writes:
> Not only that, but now whoever seeks to compromise your account has the
> added
> challenge of figuring out just what, exactly, the name of the
> account is.
Usually attackers first try to enter -possibly using a faulty
service-, then to exploit some vulnerability.
John Hasler writes:
> It *disables* the root account. Thus there is only one "vulnerable"
> account.
Phew :)
* On 2013 10 Dec 11:01 -0600, Gian Uberto Lauri wrote:
> Nate Bargmann writes:
> > I did a Wheezy install on Sunday and, yes, leaving the root password
> > fields empty in the installer results in the first user account being in
> > the sudo group.
>
> Uh, really does it leave root account pass
Gian Uberto Lauri writes:
> Uh, really does it leave root account password-less? Or disables
> logging in as root ?
It disables the root account.
--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
On Tuesday, December 10, 2013 11:15:26 AM John Hasler wrote:
> Gian Uberto Lauri writes:
> > Some of your argument seems to suggest that the Debian installer should
> > not offer the option of leaving the root password blank
>
> Gian Uberto Lauri
>
> > IT DOES? AAARGH!
>
> It *disables*
Gian Uberto Lauri writes:
> Some of your argument seems to suggest that the Debian installer should
> not offer the option of leaving the root password blank
Gian Uberto Lauri
> IT DOES? AAARGH!
It *disables* the root account. Thus there is only one "vulnerable"
account.
--
John Hasler
Nate Bargmann writes:
> I did a Wheezy install on Sunday and, yes, leaving the root password
> fields empty in the installer results in the first user account being in
> the sudo group.
Uh, really does it leave root account password-less? Or disables
logging in as root ?
Ralf Mardorf writes:
> bad luck, but not for me. If somebody would
> break my Linux, I would restore it from a backup.
I would not stay on this "not my problem" stance[*], and I would not
trust backups as an absolute safety.
> I don't understand why sudo should be less safe.
Because its stand
* On 2013 10 Dec 10:12 -0600, Gian Uberto Lauri wrote:
> Nate Bargmann writes:
> > * On 2013 10 Dec 08:32 -0600, Gian Uberto Lauri wrote:
> >
> > > > If your complaint is simply that Debian even allows the option of a
> > > > single user account with sudo enabled rather than forcing separat
Nate Bargmann writes:
> * On 2013 10 Dec 08:32 -0600, Gian Uberto Lauri wrote:
>
> > > If your complaint is simply that Debian even allows the option of a
> > > single user account with sudo enabled rather than forcing separate root
> > > and user accounts, then even I would resist the re
* On 2013 10 Dec 08:32 -0600, Gian Uberto Lauri wrote:
> > If your complaint is simply that Debian even allows the option of a
> > single user account with sudo enabled rather than forcing separate root
> > and user accounts, then even I would resist the removal of the option.
> >
>
> Forgi
Nate Bargmann writes:
> * On 2013 10 Dec 05:10 -0600, Gian Uberto Lauri wrote:
> Have you filed a wishlist bug report against the sudo package explaining
> your concerns about the defaults and suggesting better defaults? It's
> not likely that the sudo package maintainer is reading this list
* On 2013 10 Dec 05:10 -0600, Gian Uberto Lauri wrote:
> That's the point. Current sudo default configuration is "bad". That
> does not mean that the whole sudo program is bad (except that for
> Italian speakers it smells(*) :)). Does not add security but adds
> potential harms.
Have you filed a
On Tue, 2013-12-10 at 12:08 +0100, Gian Uberto Lauri wrote:
> Or not, at least until someone else wants your cpu-power, and in that
> case you could find yourself left with no other option that "cutting
> the cables" and reinstall.
It's not CPU power I would notice or that would cause issues. Many
Ralf Mardorf writes:
> On Tue, 2013-12-10 at 08:47 +0100, Gian Uberto Lauri wrote:
> > Ralf Mardorf writes:
> > > I know they hack servers, but was the Linux home PC of anybody on this
> > > list ever hacked?
> >
> > How could you detect? Are you sure you have the skills to detect this?
>
On Tue, 2013-12-10 at 08:47 +0100, Gian Uberto Lauri wrote:
> Ralf Mardorf writes:
> > I know they hack servers, but was the Linux home PC of anybody on this
> > list ever hacked?
>
> How could you detect? Are you sure you have the skills to detect this?
It's possible to e.g. monitor network tr