Old 02-28-2010, 12:15 PM
Neil Bothwick
 
Default Manual pages (man pages) have ESC all through them when having used sudo.

On Sun, 28 Feb 2010 18:48:56 +0800, ubiquitous1980 wrote:

> > The root account is hardly locked if you can log into it with sudo su
> > (or sudo screen) but sudo -s or sudo -i make more sense in this
> > situation.

> localhost ubiquitous1980 # passwd -l root
> Password changed.
> localhost ubiquitous1980 # exit
> exit
> ubiquitous1980@localhost ~ $ su
> Password:
> su: Authentication failure
> ubiquitous1980@localhost ~ $ sudo su
> Password:
> Your account has expired; please contact your system administrator
> su: User account has expired
> (Ignored)
> localhost ubiquitous1980 #

What's your point?


--
Neil Bothwick

Windoze95 Quote: Why is the Pentium 166 so fast? - Its for booting
faster, if Windows crashed again.
 
Old 02-28-2010, 01:03 PM
ubiquitous1980
 

Neil Bothwick wrote:
> On Sun, 28 Feb 2010 18:48:56 +0800, ubiquitous1980 wrote:
>
>
>>> The root account is hardly locked if you can log into it with sudo su
>>> (or sudo screen) but sudo -s or sudo -i make more sense in this
>>> situation.
>>>
>
>
>> localhost ubiquitous1980 # passwd -l root
>> Password changed.
>> localhost ubiquitous1980 # exit
>> exit
>> ubiquitous1980@localhost ~ $ su
>> Password:
>> su: Authentication failure
>> ubiquitous1980@localhost ~ $ sudo su
>> Password:
>> Your account has expired; please contact your system administrator
>> su: User account has expired
>> (Ignored)
>> localhost ubiquitous1980 #
>>
>
> What's your point?
>
>
>
That you stated that the root account was hardly locked if I can sudo su
into it. If you take me as truthful, then you can see that I have done
exactly that: locked the account and sudo su'ed into it. I think you
already knew that was possible, so I am countering the semantics of the
issue.
 
Old 02-28-2010, 01:23 PM
Neil Bothwick
 

On Sun, 28 Feb 2010 22:03:36 +0800, ubiquitous1980 wrote:

> That you stated that the root account was hardly locked if I can sudo su
> into it. If you take me as truthful, then you can see that I have done
> exactly that: locked the account and sudo su'ed into it. I think you
> already knew that was possible, so I am countering the semantics of the
> issue.

My point was that if you can get into it, it is not truly locked. You
have prevented one means of accessing it, but not totally locked it.

Anyway, sudo -i/s is a cleaner way of opening a root session IMO.


--
Neil Bothwick

Nothing is illegal if one hundred businessmen decide to do it.
 
Old 02-28-2010, 02:07 PM
walt
 

On 02/27/2010 08:32 PM, Dan Cowsill wrote:
> On Sat, Feb 27, 2010 at 10:57 PM, ubiquitous1980 <nixuser1980@gmail.com> wrote:
>> If I have logged in through sudo such as $ sudo su, when I then use man
>> pages, they are covered in "ESC". This does not occur when using normal
>> user accounts or the root account through su. Wondering what is going
>> on. Thanks.
>
> Kind of curious about this myself. It has just been a minor annoyance
> to me for the last couple of years, but it seems to show up only when
> logged onto root.


There are several environment variables that affect the output of man,
e.g. PAGER, LESS, LESSCOLOR, LESSOPEN, LESSIGNORE, the contents of
~/.lessfilter and probably other things I can't remember.

Any of those might be different for root.
 
Old 02-28-2010, 08:27 PM
William Hubbs
 

On Sun, Feb 28, 2010 at 03:56:13PM -0500, stosss wrote:
> On Sun, Feb 28, 2010 at 7:28 AM, pk <peterk2@coolmail.se> wrote:
> > ubiquitous1980 wrote:
> >
> >>> http://lists.debian.org/debian-security/2006/07/msg00059.html
> >
> >> With "sudo su - " the man pages do not have ESC throughout. I have
> >> learned sudo su from my ubuntu days and I am only guessing that this is
> >> bad practice and that the correct command is $ sudo su -
> >
> > No need to guess. Messing with superuser privileges without a proper
> > superuser environment (paths etc.) is considered bad from a security
> > point of view; for instance, a malicious application could be installed
> > in your user home dir, prepend the path to this to your local user $PATH
> > and whenever you do "su" (without -) you could invoke this app with
> > superuser privileges...
> > So to summarize: The link above (debian.org) explains it quite well and
> > yes, I would say it's a bad habit to omit -. :-)
>
> 7 years ago a veteran Linux user taught me to always use su - for the
> very reason you stated.

Actually, you are safe with either "su -" (without sudo) or "sudo -i".
"sudo su -" is chaining "su -" on top of sudo, and is redundant because
"sudo -i" and "su -" do the same thing afaik.

William
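
pk's concern quoted above is a root shell that keeps the invoking user's $PATH. The following is an added example, not part of the original thread: a check that lists PATH entries where someone other than a trusted owner could place a binary. The function name `audit_path`, the `trusted_uids` parameter and the sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_path(path_value, trusted_uids=(0,)):
    """Return [(entry, reason)] for PATH entries that should not be
    searched by a root shell. trusted_uids is a hypothetical knob:
    owners allowed to control a directory on the search path."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            # An empty PATH element means "current directory".
            findings.append((entry, "current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative path"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            # Flag missing entries for review; they could be created later.
            findings.append((entry, "does not exist"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((entry, "owner uid %d not trusted" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world writable"))
    return findings

def demo():
    # Constructed sample: a writable "bin" directory prepended to PATH,
    # followed by an empty element and a system directory.
    with tempfile.TemporaryDirectory() as home:
        planted = os.path.join(home, "bin")
        os.mkdir(planted)
        os.chmod(planted, 0o777)
        sample = os.pathsep.join([planted, "", "/usr/bin"])
        return audit_path(sample, trusted_uids=(0, os.getuid()))

if __name__ == "__main__":
    for entry, reason in demo():
        print(repr(entry), "->", reason)
```

Run as the user who is about to become root, `audit_path(os.environ["PATH"])` shows what a non-login root shell would search if it inherits that PATH.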
 
Old 02-28-2010, 08:39 PM
Alan McKinnon
 

On Sunday 28 February 2010 07:06:43 ubiquitous1980 wrote:
> Nikos Chantziaras wrote:
> > On 02/28/2010 05:57 AM, ubiquitous1980 wrote:
> >> If I have logged in through sudo such as $ sudo su, when I then use man
> >> pages, they are covered in "ESC". This does not occur when using normal
> >> user accounts or the root account through su. Wondering what is going
> >> on. Thanks.
> >
> > Some ENV variables are unset by sudo.
> >
> > But anyway, "sudo su" makes zero sense :P
>
> sudo su makes sense if you want to use the root account while having the
> root account locked. Some, like Ubuntu, do it for security reasons.
> Not sure if they are valid, but I thought I would put this little
> problem out there for someone to make comment on.

I use "sudo su" a lot, and make it available to other root users on my
servers. It all makes perfect sense in the context of:

1. The password for the root account is secret. Changing it is a real
ball-ache, something not undertaken lightly.
2. The password is known to very very few persons, and ideally would be kept in
a locked safe needing signed CTO approval to open it.
3. I have a provisioning system that deploys users, their keys and password
hashes.
4. The person running "sudo su" is authorized to do so, so he gets root.
There's an audit trail too as not just anyone can get to my remote sysloggers.
5. When someone leaves, in the old days we had to manually change 100+ root
passwords, and of course always forget at least one. Now I run one command on
my user provisioning system and within 30 minutes that person's access is
gone, and I can guarantee a) it's gone everywhere b) there are no back doors
6. Not all OSes out there support sudo -i

So in the context of multi-admin servers, sudo su (or sudo -i if you will)
makes perfect sense, and su far less so.


--
alan dot mckinnon at gmail dot com
 
Old 02-28-2010, 09:16 PM
Alan McKinnon
 

On Sunday 28 February 2010 23:27:57 William Hubbs wrote:
> > 7 years ago a veteran Linux user taught me to always use su - for the
> > very reason you stated.
>
>
> Actually, you are safe with either "su -" (without sudo) or "sudo -i".
> "sudo su -" is chaining "su -" on top of sudo, and is redundant because
> "sudo -i" and "su -" do the same thing afaik.

"sudo su" and "su" have a fundamental difference, vital in corporate networks:

The former uses the user's password for authentication and sudoers for
authorization. The latter uses knowledge of the root password for
authorization and authentication. See my other post in this thread.

On the work servers I enforce "sudo su"

OTOH, "sudo su" is indeed pretty pointless on a single-user machine. I never
bother with sudo on this gentoo notebook for instance.

--
alan dot mckinnon at gmail dot com
 
Old 02-28-2010, 09:57 PM
William Hubbs
 

On Mon, Mar 01, 2010 at 12:16:14AM +0200, Alan McKinnon wrote:
> "sudo su" and "su" have a fundamental difference, vital in corporate networks:
>
> The former uses the user's password for authentication and sudoers for
> authorization. The latter uses knowledge of the root password for
> authorization and authentication. See my other post in this thread.

Actually, what you just said about "sudo su" applies only to "sudo".
When you run "sudo su", what you are doing is running sudo then
authenticating to it, and running su, as root, after you authenticate
to sudo.

> On the work servers I enforce "sudo su"

Actually, you could just have people use "sudo -i" or "sudo -s" if they
want a shell with root access. If they want to run a program with root
privileges and the root environment, they can use "sudo -i command".

William
 
Old 02-28-2010, 10:07 PM
Alan McKinnon
 

On Monday 01 March 2010 00:57:17 William Hubbs wrote:
> On Mon, Mar 01, 2010 at 12:16:14AM +0200, Alan McKinnon wrote:
> > "sudo su" and "su" have a fundamental difference, vital in corporate
> > networks:
> >
> > The former uses the user's password for authentication and sudoers for
> > authorization. The latter uses knowledge of the root password for
> > authorization and authentication. See my other post in this thread.
>
> Actually, what you just said about "sudo su" applies only to "sudo".
> When you run "sudo su", what you are doing is running sudo then
> authenticating to it, and running su, as root, after you authenticate
> to sudo.

You misunderstand my intent. To get root via sudo, you authenticate using the
user's Unix account. The emphasis here is on what sudo does, not the intricate
subtleties of what it does with the subsequent su, or any other variation of
the same.

I don't want to start a pointless semantic argument on this, just realize it's
all about sudo and the following "su" is a mere example (other things could
have sufficed, I used that one)


>
> > On the work servers I enforce "sudo su"
>
> Actually, you could just have people use "sudo -i" or "sudo -s" if they
> want a shell with root access. If they want to run a program with root
> privileges and the root environment, they can use "sudo -i command".
>
> William


Don't read my post as literally meaning they must type the 7 characters "sudo
su". Read it more as "use any feature of sudo you feel like to get a root
shell, but you must use sudo. As opposed to using su alone".
--
alan dot mckinnon at gmail dot com
 
Old 03-01-2010, 12:47 AM
Neil Bothwick
 

On Mon, 1 Mar 2010 01:07:21 +0200, Alan McKinnon wrote:

> Don't read my post as literally meaning they must type the 7 characters
> "sudo su". Read it more as "use any feature of sudo you feel like to
> get a root shell, but you must use sudo. As opposed to using su alone".

The problem with this in your situation is that you only get a log entry
when the user switches to root, not for whatever they do in that root
shell, whereas having them run each command with sudo logs every action
they take as root. Or do you have a way of auditing the commands run from
the root shell?


--
Neil Bothwick

Press button to test: release to detonate.
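
The audit gap raised in the post above is that sudo logs the switch to root but not what is typed inside the resulting shell. The following is an added example, not part of the original thread: it reads sudo syslog entries and separates those that opened a root shell from those that logged a single command. The log lines, host name and user names are constructed, the entries are assumed to follow sudo's default syslog layout, and `classify` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# Programs that hand over an interactive root session.
SHELLS = {"su", "sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash", "screen"}

# Constructed sample log lines (not taken from any real system).
SAMPLE = """\
Feb 28 21:16:14 srv1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su
Feb 28 21:20:02 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/emerge --sync
Feb 28 21:25:40 srv1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Feb 28 21:31:09 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash -c 'rc-update show'
Feb 28 21:40:00 srv1 sshd[311]: Accepted publickey for carol from 192.0.2.10 port 50022 ssh2
""".splitlines()

def classify(cmd):
    """'shell' if the logged command opens an interactive session whose
    later commands sudo will not log, otherwise 'command'."""
    argv = cmd.split()
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if prog not in SHELLS or "-c" in args:
        return "command"
    operands = [a for a in args if not a.startswith("-")]
    # "su root" still opens a shell; "bash deploy.sh" runs one logged script.
    if operands and prog != "su":
        return "command"
    return "shell"

def audit(lines):
    """Group sudo-to-root entries per invoking user by kind."""
    report = defaultdict(lambda: {"shell": [], "command": []})
    for line in lines:
        m = SUDO_RE.search(line.strip())
        if m and m.group("target") == "root":
            report[m.group("user")][classify(m.group("cmd"))].append(m.group("cmd"))
    return dict(report)

if __name__ == "__main__":
    for user, kinds in sorted(audit(SAMPLE).items()):
        print(user, "root shells:", kinds["shell"], "commands:", kinds["command"])
```

Each entry under "shell" marks a point after which the sudo log alone says nothing further about that user's actions as root.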
 

All times are GMT.