08-09-2010, 09:17 PM
Philip Webb
Rooted/compromised Gentoo, seeking advice

100809 Robert Bridge wrote:
> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
>> There have been discussions on this list why sudo is a bad idea
>> and sudo on *any* command is an even worse idea.
>> You might as well be running everything as root, right?
> sudo normally logs the command executed and the account which executes it,
> so while not relevant for single user systems,
> it STILL has benefits over running as root.

I follow 2 simple rules:
(1) never start X as root -- I open in a raw terminal, then 'startx',
so it's ok to log in there as root to get some system fixes done,
but of course log out again before starting X as user --
& (2) do all system stuff in a virtual root terminal on its own desktop,
where the prompt says 'root' in red letters & the background is black
(my user terminal has a white background): that's down in the basement,
where all the pipes & wires are & you need a hard hat & safety boots
& you need to unlock the basement door, whose key is the root password.

Also, my user terminal says:

524: gx> which sudo
which: no sudo in (/sbin:/usr/sbin:/usr/local/sbin::/bin:/usr/bin:/usr/local/bin:/usr/kde/3.5/bin)

--
========================,,======================== ====================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatchassdotutorontodotca
 
08-09-2010, 09:22 PM
Mick
Rooted/compromised Gentoo, seeking advice

On Monday 09 August 2010 21:25:37 Dale wrote:
> Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick<michaelkintzios@gmail.com> wrote:
> >> There have been discussions on this list why sudo is a bad idea and sudo
> >> on *any* command is an even worse idea. You might as well be running
> >> everything as root, right?
> >
> > sudo normally logs the command executed, and the account which
> > executes it, so while not relevant for single user systems, it STILL
> > has benefits over running as root.
> >
> > RobbieAB
>
> I don't use sudo here but I assume an admin would only know that a nasty
> command has been run well after it was run? Basically, after the damage
> has been done, you can go look at the logs and see the mess some hacker
> left behind. For me, that isn't a whole lot of help. You still got
> hacked, you still got to reinstall and check to make sure anything you
> copy over is not infected.
>
> Assuming that they can erase dmesg, /var/log/messages and other log
> files, who's to say the sudo logs aren't deleted too? Then you still
> have no records to look at.
>
> I agree with the other posters though, re-install from scratch and re-think
> your security setup.

That's the problem with any compromise worth its salt: all logs will be
tampered with to clear traces of interfering with your system. Monitoring network
traffic from a healthy machine is a good way to establish suspicious activity
on the compromised box, and it also helps to check for open ports (nmap, or
netcat) to find out what's happening to the compromised box.

--
Regards,
Mick
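Mick's advice to look at the box from a healthy machine can be made concrete. The following is an added example, not code from anyone in the thread: it parses nmap's grepable output (`nmap -sT -p- -oG -`) as captured on the clean machine and the suspect host's own `ss -ltn` listing, then reports TCP ports the scanner sees open that the host's socket table does not admit to (which is what a rootkit hiding a listener looks like) and ports listed locally that the scanner could not reach. Both inputs are constructed sample text, including the 31337/tcp listener and the 192.168.1.10 address; nothing here came from the poster's machine.

```python
import re

# Constructed sample: what `nmap -sT -p- -oG - 192.168.1.10` printed on the healthy machine.
# (The 31337/tcp listener is planted here for the example; it is not from the poster's box.)
NMAP_GREPABLE = (
    "# Nmap 5.21 scan initiated as: nmap -sT -p- -oG - 192.168.1.10\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 6881/open/tcp//bittorrent-tracker///, "
    "31337/open/tcp//Elite///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

# Constructed sample: what `ss -ltn` printed when run on the suspect box itself.
SS_LISTEN = (
    "State      Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "LISTEN     0      128    *:22                *:*\n"
    "LISTEN     0      50     *:6881              *:*\n"
    "LISTEN     0      128    127.0.0.1:631       *:*\n"
)

def parse_nmap_grepable(text):
    """Return {port: service} for every TCP port nmap -oG reports as open."""
    open_ports = {}
    for line in text.splitlines():
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            # grepable port entry: port/state/proto/owner/service/rpcinfo/version/
            f = entry.split("/")
            if len(f) >= 5 and f[1] == "open" and f[2] == "tcp":
                open_ports[int(f[0])] = f[4]
    return open_ports

def parse_ss_listen(text):
    """Return {port: local_address} for LISTEN sockets in `ss -ltn` output."""
    listening = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        listening[int(port)] = addr
    return listening

def compare_views(external, local):
    """Cross-check the outside-in and inside-out views of the host's TCP listeners."""
    hidden = {p: s for p, s in external.items() if p not in local}
    unreachable = {p: a for p, a in local.items()
                   if p not in external and not a.startswith("127.")}
    return hidden, unreachable

def report(nmap_text=NMAP_GREPABLE, ss_text=SS_LISTEN):
    """Human-readable findings; a port open from outside but absent locally is the red flag."""
    hidden, unreachable = compare_views(parse_nmap_grepable(nmap_text), parse_ss_listen(ss_text))
    lines = [f"SUSPICIOUS: {p}/tcp ({svc}) answers from outside but the host's socket table "
             f"does not list it" for p, svc in sorted(hidden.items())]
    lines += [f"note: {p}/tcp listens on {addr} but the scanner could not reach it (firewall?)"
              for p, addr in sorted(unreachable.items())]
    return lines

if __name__ == "__main__":
    for line in report():
        print(line)
```

A difference proves nothing on its own: a firewall, or a listener bound to loopback, explains most of them. But a port that answers from outside and is missing from the host's own socket table is something you only find by looking from both sides, and it is exactly what tampered logs will never tell you. For a box already taken offline, the scan half still works on its own if you boot it from clean media and compare against what the old system claimed.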
 
08-09-2010, 10:19 PM
Dale
Rooted/compromised Gentoo, seeking advice

Mick wrote:
> On Monday 09 August 2010 21:25:37 Dale wrote:
>> Robert Bridge wrote:
>>> On Mon, Aug 9, 2010 at 8:09 PM, Mick<michaelkintzios@gmail.com> wrote:
>>>> There have been discussions on this list why sudo is a bad idea and sudo
>>>> on *any* command is an even worse idea. You might as well be running
>>>> everything as root, right?
>>>
>>> sudo normally logs the command executed, and the account which
>>> executes it, so while not relevant for single user systems, it STILL
>>> has benefits over running as root.
>>>
>>> RobbieAB
>>
>> I don't use sudo here but I assume an admin would only know that a nasty
>> command has been run well after it was run? Basically, after the damage
>> has been done, you can go look at the logs and see the mess some hacker
>> left behind. For me, that isn't a whole lot of help. You still got
>> hacked, you still got to reinstall and check to make sure anything you
>> copy over is not infected.
>>
>> Assuming that they can erase dmesg, /var/log/messages and other log
>> files, who's to say the sudo logs aren't deleted too? Then you still
>> have no records to look at.
>>
>> I agree with the other posters though, re-install from scratch and re-think
>> your security setup.
>
> That's the problem with any compromise worth its salt: all logs will be
> tampered with to clear traces of interfering with your system. Monitoring network
> traffic from a healthy machine is a good way to establish suspicious activity
> on the compromised box, and it also helps to check for open ports (nmap, or
> netcat) to find out what's happening to the compromised box.

Yep, 'cause when they are in the system, they can do what they want.
Once they get root privileges, nothing else matters after that. It's
just a matter of the clean up, which from what I have always read is a
reinstall. It's not good to hear but it's the best way to know for sure
you are safe.

Me though, I would start from scratch and not even chroot into the old
install. I might mount and try to read a log file or copy my world file
but that would be about it. I'm not sure I would trust anything else.
I just hope this never happens to me. :/


Dale

:-) :-)
 
08-09-2010, 11:07 PM
Paul Hartman
Rooted/compromised Gentoo, seeking advice

On Mon, Aug 9, 2010 at 2:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
>> My user account has sudo-without-password rights to any command.
>
> Ouch!
>

Having still not physically touched the machine yet, I don't know if
sudo had anything to do with it at all at this point. But I'll assume
for a moment that its use was perhaps involved...

> There have been discussions on this list why sudo is a bad idea and sudo on
> *any* command is an even worse idea. You might as well be running everything
> as root, right?

Essentially. I did not think it through from an internally-defensive
standpoint. I only thought of sudo as "I am deciding whether to run
this command as user or as root". Assuming *I* would be the only one
running a program on my computer. My thinking was clearly flawed
there... The idea of an attacker being in my system didn't really
enter my mind. Or an untrusted program shelling out and running "sudo
some-bad-stuff" without my knowing. Every sudo command is logged,
sure, but as Bill pointed out that only works for as long as it takes
someone to sudo himself into a root shell (or delete the logs). I
don't really audit the sudo logs regularly because of the stupid
assumption that I was the only one running any sudo commands.

> You have decided wisely to reinstall because you can't be sure of this OS
> anymore.

I'm most concerned about learning how this happened because I don't
want to reinstall everything only to be compromised again, and with
the hope that perhaps any info I find can help others avoid finding
themselves in this same situation. If I'm only going to re-create the
exact same set-up, I don't know if I can be sure of it then even after
reinstalling...

> Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is
really the only service open to the outside. Some other ports are open
for specific apps, like bittorrent traffic, which is what I was
monitoring when I noticed the suspicious activity -- and I was
downloading a Linux ISO, I swear. My original plans for tonight were
to install Sabayon on an old laptop that is becoming unmanageable from
a Gentoo standpoint due to infrequent use and days-long update
sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to
block after 3 failed logins, and it syncs its blocklist from the
denyhosts master server many times a day. I use NX Server, but not
with the default key, and I don't think there have been any (publicly
disclosed) remotely-exploitable opensshd vulnerabilities that would
allow an attacker direct entry into a system. I haven't noticed
anything out of place on my system, no unusual files or missing items.
I take infrequent peeks at my ssh logs, w/who/last and network traffic
(as I did today when I discovered it), but I am not religious about
reading every log. Life has been quite busy lately and I haven't had
as much time to dedicate to that sort of stuff. It has been more like
log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a
false sense of security about my system. My root account has a very
long and complicated password, and my user account was surely
"impenetrable" since I was using pubkey-only SSH logins, right... I
have encrypted partitions, but they are mounted when the system is up
and running, so they are really pointless against an "online"
attack...

Typing that long password into sudo every time I ran a command was a
hassle, and clearly I thought myself too intelligent to ever run a
malicious piece of code on my own computer. I mean, that's the kind of
thing I would never do. I'm careful. I usually look at things before I
run them, scan them with clamscan (not that I run outside
scripts/binaries very often at all). Right? And what if a
seemingly-safe program decided to download and run malware on its own?
What if there was a vulnerability that was exploited before it was
discovered & patched by the community (and my Gentoo update cycle)?
What if there was a rogue Firefox add-on stealing passwords or running
shell scripts? That would probably never happen, surely someone else
would have noticed it and put a stop to it before it got to me, or I
would have read a warning about it in the tech news someplace. Yeah,
I'm being a bit sarcastic here.

I do hope I can find some evidence that leads me to the point of
entry. It would set my mind at ease.
 
08-10-2010, 12:30 AM
"Kevin O'Gorman"
Rooted/compromised Gentoo, seeking advice

On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> On 08/09/2010 01:08 PM, Robert Bridge wrote:
>> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
>>> There have been discussions on this list why sudo is a bad idea and sudo on
>>> *any* command is an even worse idea. You might as well be running everything
>>> as root, right?
>>
>> sudo normally logs the command executed, and the account which
>> executes it, so while not relevant for single user systems, it STILL
>> has benefits over running as root.
>
> ...excepting, of course, "sudo bash -l" which means you've given away
> the keys to the kingdom.

I actually prefer "sudo su -" -- as long as I'm giving it away! :)

--
Kevin O'Gorman, PhD
 
08-10-2010, 01:18 AM
William Hubbs
Rooted/compromised Gentoo, seeking advice

On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
>
> > On 08/09/2010 01:08 PM, Robert Bridge wrote:
> > > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > >> There have been discussions on this list why sudo is a bad idea and sudo
> > on
> > >> *any* command is an even worse idea. You might as well be running
> > everything
> > >> as root, right?
> > >
> > > sudo normally logs the command executed, and the account which
> > > executes it, so while not relevant for single user systems, it STILL
> > > has benefits over running as root.
> >
> > ...excepting, of course, "sudo bash -l" which means you've given away
> > the keys to the kingdom.
> >
> > I actually prefer "sudo su -" -- as long as I'm giving it away! )

Afaik, there is no reason for "sudo su -" It should be either

su -

or, if you are using sudo,

sudo -i

The disadvantage of "su -" is that it requires the user to know the root
password. But, "sudo -i" does the same thing without requiring the user
to know the root password.

William
 
08-10-2010, 02:14 AM
Frank Steinmetzger
Rooted/compromised Gentoo, seeking advice

On Tuesday, 10 August 2010, Paul Hartman wrote:

> Typing that long password into sudo every time I ran a command was a
> hassle

I’ve never used sudo, and never really liked the idea of it. In fact I’m
always amused and slightly annoyed by the sheer amount of sudo one can find in
your typical ubuntu howto. ;-)

It’s one reason why I abstained from installing Truecrypt 6, because it
requires sudo (Yes I know, in default setup you can’t do much with it. It is
but an issue of principle). However, because I need root commands regularly
(for example to initiate the VPN to my uni’s WiFi), I usually have one tab in
Yakuake where I do a normal su once after login.

And for more safety on my part, I also use different prompts: red hostname for
root console, green user@hostname for nonroot.
--
Gruß | Greetings | Qapla'
What’s right is right, otherwise it’d be wrong.
 
08-10-2010, 02:24 AM
Indexer
Rooted/compromised Gentoo, seeking advice


On 10/08/2010, at 11:44 AM, Frank Steinmetzger wrote:

> On Tuesday, 10 August 2010, Paul Hartman wrote:
>
>> Typing that long password into sudo every time I ran a command was a
>> hassle
>
> I’ve never used sudo, and never really liked the idea of it. In fact I’m
> always amused and slightly annoyed by the sheer amount of sudo one can find in
> your typical ubuntu howto. ;-)
>
> It’s one reason why I abstained from installing Truecrypt 6, because it
> requires sudo (Yes I know, in default setup you can’t do much with it. It is
> but an issue of principle). However, because I need root commands regularly
> (for example to initiate the VPN to my uni’s WiFi), I usually have one tab in
> Yakuake where I do a normal su once after login.
>
> And for more safety on my part, I also use different prompts: red hostname for
> root console, green user@hostname for nonroot.
> --
> Gruß | Greetings | Qapla'
> What’s right is right, otherwise it’d be wrong.

I hope you realise the use of "sudo -i" will give you a root shell just like su. The reason sudo is preferred is that it means between multiple administrators, you can eliminate the need for a shared password. sudo can also control who and what groups can access sudo, and even subsets of commands.

sudo also has a "grace timer" in which once you prove your identity with your password once, you can use sudo without a password for a period of time after that. This can also be canceled with sudo -k

In terms of system administration best practices, sudo is the way to go. You will see it used in all server administration tasks to escalate privileges, in a secure manner.

William Brown

pgp.mit.edu



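William Hubbs and William Brown above describe what sudo can and cannot limit, and Paul's own "sudo-without-password rights to any command" is the configuration the thread is worried about: once an untrusted program can run `sudo -i`, `sudo bash -l` or `sudo su -`, the per-command log is worth little. The following is an added example, not the sudo project's code or anything a poster wrote: a small reader for the common sudoers syntax (Defaults, Cmnd_Alias and user specifications) with an audit that flags NOPASSWD on ALL, a never-expiring timestamp_timeout (the "grace timer" William Brown mentions), and command lists containing programs that can hand out a shell. Both sudoers files are constructed for the example, the shell-escape list is an assumed partial list, and the usernames are placeholders.

```python
import posixpath
import re

# Constructed sample sudoers files. WEAK is the "sudo without a password on any command"
# setup discussed in the thread; TIGHT is one way of narrowing it. Usernames are placeholders.
WEAK_SUDOERS = """\
Defaults timestamp_timeout=-1
root    ALL=(ALL) ALL
paul    ALL=(ALL) NOPASSWD: ALL
"""

TIGHT_SUDOERS = """\
Defaults timestamp_timeout=5
Cmnd_Alias PORTAGE = /usr/bin/emerge, /usr/bin/eselect
Cmnd_Alias POWER   = /sbin/shutdown, /sbin/reboot
root    ALL=(ALL) ALL
paul    ALL=(root) PORTAGE, POWER
%wheel  ALL=(ALL) /usr/bin/vim /etc/portage/*
"""

# Programs that give the caller an interactive shell or can spawn one. Assumed partial
# list for the example; most editors, pagers and interpreters belong on it.
SHELL_ESCAPE = {"su", "sudo", "sh", "bash", "dash", "zsh", "ksh", "vi", "vim", "nano",
                "less", "more", "find", "awk", "perl", "python", "env", "nice"}

# user  host=(runas) TAG: cmd, cmd   (runas and tags are optional)
USER_SPEC = re.compile(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.*)")
CMND_ALIAS = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)")

def parse_sudoers(text):
    """Minimal reader for Defaults, Cmnd_Alias and user-specification lines.
    Returns (defaults, aliases, specs); other directives are ignored."""
    defaults, aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            for opt in line[len("Defaults"):].split(","):
                key, _, val = opt.strip().partition("=")
                defaults[key] = val or True
            continue
        m = CMND_ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = USER_SPEC.match(line)
        if m:
            who, host, runas, tags, cmds = m.groups()
            specs.append({"who": who, "host": host, "runas": runas or "root",
                          "tags": {t.strip() for t in tags.split(":") if t.strip()},
                          "cmds": [c.strip() for c in cmds.split(",")]})
    return defaults, aliases, specs

def expand(cmds, aliases):
    """Replace Cmnd_Alias names with the commands they stand for (recursively)."""
    out = []
    for c in cmds:
        out.extend(expand(aliases[c], aliases) if c in aliases else [c])
    return out

def audit(text):
    """Return findings: unrestricted grants, no-password grants, a never-expiring
    credential cache, and commands that can be turned into a shell with the granted privilege."""
    defaults, aliases, specs = parse_sudoers(text)
    findings = []
    timeout = defaults.get("timestamp_timeout")
    if timeout is not None and int(timeout) < 0:
        findings.append("HIGH: timestamp_timeout=-1, the password grace period never expires")
    for s in specs:
        if s["who"] == "root":
            continue
        nopasswd = "NOPASSWD" in s["tags"]
        for cmd in expand(s["cmds"], aliases):
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append(f"{'CRITICAL' if nopasswd else 'HIGH'}: {s['who']} may run any "
                                f"command as {s['runas']}{' without a password' if nopasswd else ''}")
            elif posixpath.basename(prog) in SHELL_ESCAPE:
                findings.append(f"MEDIUM: {s['who']} may run {prog} as {s['runas']}, "
                                f"which can spawn a shell with that privilege")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("tight", TIGHT_SUDOERS)):
        print(f"== {name} ==")
        for f in audit(text) or ["no findings"]:
            print(f)
```

Note that the "tight" file is still flagged: a grant to `vim` is one `:!sh` away from a root shell, which is what `sudoedit` exists for. Run the audit over the copy of /etc/sudoers (and /etc/sudoers.d, if used) taken from the old install before deciding what to carry over to the reinstall.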
 
08-10-2010, 02:30 AM
Keith Dart
Rooted/compromised Gentoo, seeking advice

On Mon, 9 Aug 2010 18:07:15 -0500
Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:

> I do hope I can find some evidence that leads me to the point of
> entry. It would set my mind at ease.

Please let us know. I'm really curious about this also. I hope it
wasn't a trojaned package in portage.

--
-- ------------------------------
Keith Dart
=================================
 
08-10-2010, 03:06 AM
Adam Carter
Rooted/compromised Gentoo, seeking advice

> Alternatively I was running vulnerable/compromised software. My box
> has sshd running, root login in ssh is not allowed, and pubkey only
> logins (no passwords). It is behind a wireless router but port 22 is
> open and pointing to this box, and a few others needed by other
> applications. So I will check out which keys exist on the compromised
> machine and make sure I recognize them all. I'll also need to check
> the status of any other computer my key is stored on (a mix of linux &
> windows, and my mobile phone). Sigh...

Since your sshd setup is pretty secure I'd look at other network services. What else was running, and were there any servers that were only available from the local net (or were less protected from connections from the local net) than the Internet? That's the only case where a router compromise would assist in attacking your gentoo box.

There have been some web browser based attacks that have come out against routers recently. They run the attack on your browser (cross site scripting IIRC) to get access to the web interface of the router because that is typically not available via the Internet side interface. They then run a password guessing attack. Did your router have a strong password?
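Paul says above that he will check which keys exist on the compromised machine and make sure he recognises them all, and Dale's point about mounting the old install rather than chrooting into it applies to that check too. The following is an added example, not code from anyone in the thread: it parses authorized_keys entries, including the optional leading options field with its quoted values, computes the OpenSSH SHA256 fingerprint of each key blob, and reports every key that is not on an allowlist of fingerprints the owner recognises, plus any entry carrying a forced `command=`. The three keys are constructed inside the example (syntactically valid ssh-ed25519 blobs built from hashed placeholder bytes, not real key pairs), and the allowlist, comments and network range are assumptions.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def fake_ed25519_blob(label):
    """Constructed key blob in ssh-ed25519 wire format (NOT a real key pair):
    the 32-byte 'public key' is just sha256(label), enough to exercise the parser."""
    pub = hashlib.sha256(label).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(decoded blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line):
    """Split an authorized_keys line into (options, rest). The options field, if present,
    ends at the first whitespace outside double quotes (quoted values may contain spaces)."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2            # escaped character inside a quoted option value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()

def parse_authorized_keys(text):
    """Return one dict per entry: line number, options, key type, fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        try:
            if len(parts) < 2 or parts[0] not in KEY_TYPES:
                raise ValueError("unrecognised key entry")
            fp = fingerprint(parts[1])
        except (ValueError, binascii.Error) as exc:
            entries.append({"line": lineno, "error": str(exc)})
            continue
        entries.append({"line": lineno, "options": options, "type": parts[0],
                        "fingerprint": fp, "comment": parts[2] if len(parts) > 2 else ""})
    return entries

def audit(text, known_fingerprints):
    """Flag keys not on the allowlist and entries that force a command on login."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append(f"line {e['line']}: {e['error']}")
            continue
        if e["fingerprint"] not in known_fingerprints:
            findings.append(f"line {e['line']}: UNKNOWN key {e['fingerprint']} "
                            f"({e['comment'] or 'no comment'})")
        if "command=" in e["options"]:
            findings.append(f"line {e['line']}: forced command set: {e['options']}")
    return findings

# Constructed sample: two keys the owner recognises, one he never made.
LAPTOP = fake_ed25519_blob(b"constructed: laptop key")
PHONE = fake_ed25519_blob(b"constructed: phone key")
PLANTED = fake_ed25519_blob(b"constructed: key the owner never created")
KNOWN = {fingerprint(LAPTOP), fingerprint(PHONE)}
AUTHORIZED_KEYS = (
    "# constructed sample ~/.ssh/authorized_keys\n"
    f"ssh-ed25519 {LAPTOP} paul@laptop\n"
    f'from="192.168.1.0/24" ssh-ed25519 {PHONE} paul@phone\n'
    f'command="/bin/sh -i",no-pty ssh-ed25519 {PLANTED}\n'
)

if __name__ == "__main__":
    for f in audit(AUTHORIZED_KEYS, KNOWN):
        print(f)
```

For a real check, build the allowlist from `ssh-keygen -lf` run on the public keys you actually own (OpenSSH 6.8 and later print this same SHA256 form; older releases print an MD5 hex fingerprint, so compare whichever your tools produce), and run the audit over /root/.ssh/authorized_keys and every user's file on the mounted copy of the old system rather than inside a chroot of it. A key with no comment and a forced command is the shape a planted backdoor usually takes; a key you do recognise but never installed on that host means the machine it came from needs the same look.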
 
