FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo User

 
 
LinkBack Thread Tools
 
Old 02-09-2009, 03:36 AM
Stroller
 
Default Permissions of /etc/sudoers

Hi there,

I'm just in the process of setting up my lovely new system , in the
very first post-install steps.


I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.

(Critique of this measure welcomed).

Anyway, as root I started to edit /etc/sudoers and vim complained
"editing a read-only file".


Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640 /
etc/sudoers` before editing it & changing it back.


I am sure I did not have to do this last time I installed a system,
although that would have been at least a couple of years ago.


Obviously /etc/sudoers is a security-critical file and one wishes to
prevent attackers from editing it, but surely if a file belongs to
root there's not much point (??) in preventing root from writing to
it, because root can always change the permissions and edit the file,
just as I have done.


I see from some Googling that sudo complains if the permissions on
this file are greater than 4xx - can anyone explain why, please?


I'm sure there is something I am not understanding, but my naive
analysis suggests the only reason for this behaviour is to
inconvenience administrators!


Stroller.
 
Old 02-09-2009, 05:43 AM
Michael Hentsch
 
Default Permissions of /etc/sudoers

Stroller schrieb:

Hi there,

I'm just in the process of setting up my lovely new system , in the
very first post-install steps.


I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.

(Critique of this measure welcomed).

Anyway, as root I started to edit /etc/sudoers and vim complained
"editing a read-only file".
The file /etc/sudoers should always be edited with visudo. visudo uses
file locking, provides basic sanity checks and checks for parse errors.




Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640
/etc/sudoers` before editing it & changing it back.


440 is ok.


I am sure I did not have to do this last time I installed a system,
although that would have been at least a couple of years ago.


Obviously /etc/sudoers is a security-critical file and one wishes to
prevent attackers from editing it, but surely if a file belongs to
root there's not much point (??) in preventing root from writing to
it, because root can always change the permissions and edit the file,
just as I have done.


I see from some Googling that sudo complains if the permissions on
this file are greater than 4xx - can anyone explain why, please?


I'm sure there is something I am not understanding, but my naive
analysis suggests the only reason for this behaviour is to
inconvenience administrators!


Stroller.
 
Old 02-09-2009, 11:37 AM
Nikos Chantziaras
 
Default Permissions of /etc/sudoers

Stroller wrote:
I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.

(Critique of this measure welcomed).


Since Hung already answered about the other problem, I'll just comment
on this.


It's a bad idea if the machine is open to the Internet, especially since
it's easy to simply "su -" or "sudo" as a normal user.
 
Old 02-09-2009, 12:05 PM
Heiko Wundram
 
Default Permissions of /etc/sudoers

Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.

Sorry, but I consider that to be BS advice (at least concerning that you want
to leave password-authentication open).

I'd always recommend disabling root login for ssh (as soon as that is
possible, i.e. you have an unpriviledged account who is in group wheel who you
can use to access the machine in question), because root is a "well-known"
user (and thus lends itself well to a [possibly distributed] ssh brute force).

When someone wants to "hack" your machine, he's always going to try known
usernames before going on to guess what "additional" (unpriviledged) usernames
might have been set up on your system. And, even when he gets access to one of
your user accounts (who happen to be in group wheel), he still has to guess
the root password (when doing su -) to be able to become root, and hopefully
this buys you the time to see in your logs that someone tried local "su" with
invalid passwords, which should always be a high priority alert.

YMMV, but I've felt pretty safe (safer than leaving root open for password-
authentication) like this so far.

--
Heiko Wundram
Gehrkens.IT GmbH

FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Registergericht: Amtsgericht Hannover, HRB 200551
Geschäftsführer: Harald Gehrkens, Daniel Netzer
 
Old 02-09-2009, 12:15 PM
Nikos Chantziaras
 
Default Permissions of /etc/sudoers

Heiko Wundram wrote:

Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras:

Stroller wrote:

I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.
(Critique of this measure welcomed).

Since Hung already answered about the other problem, I'll just comment
on this.

It's a bad idea if the machine is open to the Internet, especially since
it's easy to simply "su -" or "sudo" as a normal user.


Sorry, but I consider that to be BS advice (at least concerning that you want
to leave password-authentication open).


I'd always recommend disabling root login for ssh (as soon as that is
possible, i.e. you have an unpriviledged account who is in group wheel who you
can use to access the machine in question), because root is a "well-known"
user (and thus lends itself well to a [possibly distributed] ssh brute force).


Er, didn't I actually say the same? If other people have network access
to the machine, disable root. You misunderstood something.
 
Old 02-09-2009, 01:20 PM
Saphirus Sage
 
Default Permissions of /etc/sudoers

On Feb 9, 2009, at 8:15 AM, Nikos Chantziaras <realnc@arcor.de> wrote:


Heiko Wundram wrote:

Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras:

Stroller wrote:

I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.
(Critique of this measure welcomed).
Since Hung already answered about the other problem, I'll just
comment

on this.

It's a bad idea if the machine is open to the Internet, especially
since

it's easy to simply "su -" or "sudo" as a normal user.
Sorry, but I consider that to be BS advice (at least concerning
that you want to leave password-authentication open).
I'd always recommend disabling root login for ssh (as soon as that
is possible, i.e. you have an unpriviledged account who is in group
wheel who you can use to access the machine in question), because
root is a "well-known" user (and thus lends itself well to a
[possibly distributed] ssh brute force).


Er, didn't I actually say the same? If other people have network
access to the machine, disable root. You misunderstood something.


I'd just as soon leave the root account able to be logged in over SSH
and remove password authentication in preference of a 2048-bit RSA
key. Just use a script to add failed logins to a deny list.
 
Old 02-09-2009, 01:25 PM
Nikos Chantziaras
 
Default Permissions of /etc/sudoers

Saphirus Sage wrote:
I'd just as soon leave the root account able to be logged in over SSH
and remove password authentication in preference of a 2048-bit RSA key.
Just use a script to add failed logins to a deny list.


I tend to forget that this isn't Debian, so yeah, that'll work ;D
 
Old 02-09-2009, 04:02 PM
Stroller
 
Default Permissions of /etc/sudoers

On 9 Feb 2009, at 13:05, Heiko Wundram wrote:

... even when he gets access to one of
your user accounts (who happen to be in group wheel), he still has
to guess
the root password (when doing su -) to be able to become root, and
hopefully
this buys you the time to see in your logs that someone tried local
"su" with

invalid passwords, which should always be a high priority alert.


I have been using `sudo` over `su` for a long time because I felt it
reduces the risk of staying too long logged in as root, doing
something daft and damaging the system.


However I have now many times found myself typing `sudo` commands
automatically & sometimes inattentively, so that would seem to
undermine that argument.


Your point is very persuasive. I guess my remaining objection is that
I have my .bashrc & .bash_profile just the way I like them, and using
root would seem to require me to make any changes in two places.


Stroller.
 
Old 02-09-2009, 05:26 PM
Nikos Chantziaras
 
Default Permissions of /etc/sudoers

Stroller wrote:


On 9 Feb 2009, at 13:05, Heiko Wundram wrote:

... even when he gets access to one of
your user accounts (who happen to be in group wheel), he still has to
guess
the root password (when doing su -) to be able to become root, and
hopefully
this buys you the time to see in your logs that someone tried local
"su" with

invalid passwords, which should always be a high priority alert.


I have been using `sudo` over `su` for a long time because I felt it
reduces the risk of staying too long logged in as root, doing something
daft and damaging the system.


However I have now many times found myself typing `sudo` commands
automatically & sometimes inattentively, so that would seem to undermine
that argument.


Your point is very persuasive. I guess my remaining objection is that I
have my .bashrc & .bash_profile just the way I like them, and using root
would seem to require me to make any changes in two places.


You can instruct sudo to ask for the target user's password instead of
your own. In this case, you can make to ask for root's password. Look
up "targetpw" in sudo's docs. To make sudo ask for the target user's
password by default, put this in /etc/sudoers:


Defaults targetpw
 
Old 02-10-2009, 07:21 AM
Heiko Wundram
 
Default Permissions of /etc/sudoers

Am Montag 09 Februar 2009 14:15:35 schrieb Nikos Chantziaras:
> Heiko Wundram wrote:
> > Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras:
> >> Stroller wrote:
> >>> I install sudo, give my user wide sudo rights and then set
> >>> "PermitRootLogin no" in /etc/ssh/sshd_config.
> >>> (Critique of this measure welcomed).
> >>
> >> Since Hung already answered about the other problem, I'll just comment
> >> on this.
> >>
> >> It's a bad idea if the machine is open to the Internet, especially since
> >> it's easy to simply "su -" or "sudo" as a normal user.
> ...
> Er, didn't I actually say the same? If other people have network access
> to the machine, disable root. You misunderstood something.

Err, no, you didn't say the same, at least not considering your quote (I
didn't read the OP):

Reading the above, you said that "PermitRootLogin no" is a bad idea (i.e.,
disabling root login via SSH is a bad idea), whereas I said the exact opposite
(and you meant the exact opposite).

But, as you meant the same as me, forget what I said or just take my rant as a
clarification of your point. ;-)

--
Heiko Wundram
Gehrkens.IT GmbH

FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Registergericht: Amtsgericht Hannover, HRB 200551
Geschäftsführer: Harald Gehrkens, Daniel Netzer
 

Thread Tools




All times are GMT. The time now is 10:36 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org