Linux Archive > Gentoo > Gentoo User
08-10-2010, 06:42 AM
Alan McKinnon
Rooted/compromised Gentoo, seeking advice

On Tuesday 10 August 2010 03:18:05 William Hubbs wrote:
> On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > > On 08/09/2010 01:08 PM, Robert Bridge wrote:
> > > > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > > >> There have been discussions on this list why sudo is a bad idea and
> > > >> sudo on *any* command is an even worse idea. You might as well be
> > > >> running everything as root, right?
> > > >
> > > > sudo normally logs the command executed, and the account which
> > > > executes it, so while not relevant for single user systems, it STILL
> > > > has benefits over running as root.
> > >
> > > ...excepting, of course, "sudo bash -l" which means you've given away
> > > the keys to the kingdom.
> > >
> > > I actually prefer "sudo su -" -- as long as I'm giving it away! )
>
> Afaik, there is no reason for "sudo su -" It should be either
>
> su -
>
> or, if you are using sudo,
>
> sudo -i

So what is the difference between "sudo -i" and "sudo su -" then? Please be
precise.


> The disadvantage of "su -" is that it requires the user to know the root
> password. But, "sudo -i" does the same thing without requiring the user
> to know the root password.

You seem to have confused ideas about authentication and authorization. They
are not the same thing and harder is not always better.

I have 100+ machines (all distinctly different) that my team runs and sudo is
on all of them. They all have a root password but no-one knows it anymore,
it's tucked away nice in the safe just in case the whole team dies in a plane
crash.

Meanwhile, we know each user is authenticated - ssh let them in with the right
key, which they managed to unlock. To run a command as root, they must
re-authenticate with their password (unused till this point) and then they can
do their jobs. We also know that they are authorized - this is the entire point
of /etc/sudoers and it has no other purpose than authorizing users to do
things what, when and where.

Knowing a root password is simply a second factor of authentication. It might
as well be their own password. A well-known root password opens a security can
of worms anyway and you don't want to go where that leads.

So tell me again why sudo su - is inherently bad? Other than three extra
keystrokes that is? And what about sudo implementations that don't support -i?



--
alan dot mckinnon at gmail dot com
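Robert's point in the quoted part of this exchange is that sudo logs each command together with the account that ran it; Bill's is that "sudo bash -l" (like "sudo su -" or "sudo -i") ends that trail after a single line. The script below is an added example, not code from the thread: it parses the lines sudo writes to syslog and flags the invocations after which per-command logging goes blind. The log lines in it are constructed; that "sudo -i" and "sudo -s" are recorded with the target user's shell as COMMAND is an assumption, marked in the code.

```python
"""Flag sudo log entries that hand out an interactive root shell.

Added example, not code from the thread. sudo logs each invocation via
syslog in the form
    user : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<resolved path and args>
Per-command logging stops the moment that command is itself a shell:
"sudo su -", "sudo bash -l" and "sudo -i"/"sudo -s" (assumed here to be
logged as the target user's shell path) all produce one line and then
nothing. Editors and pagers with shell escapes (vi ":!sh", less "!sh") are
flagged for the same reason. SAMPLE_LOG is constructed for this example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
ESCAPE_CAPABLE = {"vi", "vim", "less", "more", "man"}  # can spawn a shell from inside


class SudoEvent(NamedTuple):
    ts: str
    host: str
    user: str
    tty: str
    runas: str
    command: str


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one successful sudo syslog line; return None for anything else."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    head, sep, command = m.group("fields").partition("COMMAND=")
    # Rejections are logged with a reason before the TTY field; skip them here.
    if not sep or "command not allowed" in head or "incorrect password" in head:
        return None
    kv = {}
    for part in head.split(" ; "):
        key, _, value = part.partition("=")
        if key.strip():
            kv[key.strip()] = value.strip()
    return SudoEvent(m.group("ts"), m.group("host"), m.group("user"),
                     kv.get("TTY", "?"), kv.get("USER", "?"), command.strip())


def grants_root_shell(ev: SudoEvent) -> Optional[str]:
    """Return why this invocation ends per-command visibility, or None."""
    if ev.runas != "root":
        return None
    argv = ev.command.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in SHELLS:
        return "interactive root shell (sudo -i, sudo -s or sudo <shell>)"
    if prog == "su":
        if "-c" in argv[1:]:
            return None  # su -c <cmd>: the command itself is still in the log line
        target = next((a for a in argv[1:] if not a.startswith("-")), "root")
        return "root shell via su" if target == "root" else None
    if prog in ESCAPE_CAPABLE:
        return f"{prog} as root can spawn a shell through its escape"
    return None


Finding = Tuple[str, str, str, str]  # user, tty, command, reason


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        reason = grants_root_shell(ev)
        if reason:
            findings.append((ev.user, ev.tty, ev.command, reason))
    return findings


SAMPLE_LOG = [  # constructed sample lines in sudo's syslog format
    "Aug 10 06:42:01 i3 sudo:   alan : TTY=pts/0 ; PWD=/home/alan ; USER=root ; COMMAND=/bin/su -",
    "Aug 10 06:43:15 i3 sudo:   alan : TTY=pts/0 ; PWD=/home/alan ; USER=root ; COMMAND=/bin/bash",
    "Aug 10 06:45:02 i3 sudo:  kevin : TTY=pts/1 ; PWD=/home/kevin ; USER=root ; COMMAND=/bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf",
    "Aug 10 06:46:30 i3 sudo:  kevin : TTY=pts/1 ; PWD=/home/kevin ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers",
    "Aug 10 06:47:11 i3 sudo:   dale : TTY=pts/2 ; PWD=/home/dale ; USER=root ; COMMAND=/usr/sbin/poff",
    "Aug 10 06:48:00 i3 sudo:   dale : TTY=pts/2 ; PWD=/home/dale ; USER=dale ; COMMAND=/bin/bash",
    "Aug 10 06:49:00 i3 sudo:   mick : TTY=pts/3 ; PWD=/home/mick ; USER=root ; COMMAND=/bin/su - mick",
    "Aug 10 06:50:00 i3 sudo:   mick : TTY=pts/3 ; PWD=/home/mick ; USER=root ; COMMAND=/bin/su -c /usr/bin/id",
    "Aug 10 06:51:00 i3 sshd[1234]: Accepted publickey for alan from 192.168.123.241 port 50211 ssh2",
]

if __name__ == "__main__":
    for user, tty, command, reason in scan(SAMPLE_LOG):
        print(f"{user:8} {tty:6} {command:40} {reason}")
```

Run against a real /var/log/auth.log (or wherever syslog puts the auth facility) the three flagged rows are the only places where the audit trail stops; everything that happened in those shells has to come from elsewhere (shell history, auditd, a session recorder), which is the practical difference between "sudo cp ..." and "sudo su -".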
 
08-10-2010, 01:03 PM
Kevin O'Gorman
Rooted/compromised Gentoo, seeking advice

On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > > I actually prefer "sudo su -" -- as long as I'm giving it away! )
>
> Afaik, there is no reason for "sudo su -" It should be either
>
> su -
>
> or, if you are using sudo,
>
> sudo -i
>
> The disadvantage of "su -" is that it requires the user to know the root
> password. But, "sudo -i" does the same thing without requiring the user
> to know the root password.

You either didn't think or didn't actually try it. "sudo su -" needs a
password, but it's the user password. Running su as root never needs a
password. Accordingly, this works on a stock Ubuntu with no root password.

"su -" requires the root password unless you're already root, and the root
password may or may not exist.

I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it
immediately asked for a password, for which the user password was
sufficient. So it's entirely equivalent to but slightly shorter than my
version. I'll stick with mine because it's made of parts I already know and
won't forget.

I think that if sudoers don't need to enter passwords, they're still
equivalent, but I have not tried this.

--
Kevin O'Gorman, PhD
 
08-10-2010, 01:50 PM
Kyle Bader
Rooted/compromised Gentoo, seeking advice

> Another idea to help with your forensics would be to bring a netstat and lsof
> binary over to your machine and run them to see which actors are running and
> trying to get out. That could help you detect what is running on that machine
> and google your way from there.

If your kernel has been subverted then userland is irrelevant, a kit can simply
hook the system calls those binaries use and return whatever it wants you to
know.

--

Kyle
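Kyle's caveat is about where the data comes from. A static netstat or lsof binary carried onto the box still reads its socket table from /proc/net/tcp, a file the kernel generates on demand, so a hooked kernel lies to those binaries exactly as it lies to the installed ones. The parser below is an added example, not code from the thread: it reads that file the way netstat does and separates connections the host accepted from connections it initiated, which is the "trying to get out" question. The /proc/net/tcp sample in it is constructed (203.0.113.5 is a documentation address); on a live system the same function is fed open('/proc/net/tcp').read().

```python
"""Read TCP sockets the way netstat does: straight from /proc/net/tcp.

Added example, not from the thread. Each row of /proc/net/tcp gives the
local and remote endpoint as <hex IPv4 in host byte order>:<hex port>, the
state as a hex code, then queues, timers, the owning uid and the socket
inode (what lsof maps back to a process via /proc/<pid>/fd). IPv4 bytes
appear little-endian on x86, so 7B01A8C0 is 192.168.1.123. SAMPLE is a
constructed snapshot; the real file is the same format, read from disk.
"""
from typing import List, NamedTuple, Tuple

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


class Sock(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def decode_addr(field: str) -> Tuple[str, int]:
    """'7B01A8C0:0016' -> ('192.168.1.123', 22); the address bytes are stored little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Sock]:
    """Parse the contents of /proc/net/tcp (header line included) into Sock rows."""
    socks = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        socks.append(Sock(lip, lport, rip, rport,
                          TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return socks


def outbound(socks: List[Sock]) -> List[Sock]:
    """Established sockets whose local port is not one we listen on: connections this host made."""
    listening = {s.local_port for s in socks if s.state == "LISTEN"}
    return [s for s in socks if s.state == "ESTABLISHED" and s.local_port not in listening]


# Constructed snapshot: sshd listening, one inbound ssh session from the LAN,
# and one outbound connection from a root-owned socket to 203.0.113.5:8080.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10421 1 0000000000000000 100 0 0 10 0
   1: 7B01A8C0:0016 0A01A8C0:D3F2 01 00000000:00000000 00:00000000 00000000     0        0 20833 1 0000000000000000 20 4 30 10 -1
   2: 7B01A8C0:C4A1 057100CB:1F90 01 00000000:00000000 00:00000000 00000000     0        0 20901 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for s in outbound(parse_proc_net_tcp(SAMPLE)):
        print(f"{s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port} uid={s.uid} inode={s.inode}")
```

The inode column is the link to "what is running": walking /proc/*/fd for a symlink named socket:[20901] gives the pid. Both that directory and this file are produced by the kernel, which is Kyle's point; if the box is suspected of a kernel-level kit, the trustworthy version of this check is a packet capture taken from another host on the same segment, not anything read on the machine itself.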
 
08-10-2010, 06:50 PM
Alan McKinnon
Rooted/compromised Gentoo, seeking advice

On Tuesday 10 August 2010 15:03:19 Kevin O'Gorman wrote:
> On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@gentoo.org> wrote:
> > On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com>
> >
> > wrote:
> > > > I actually prefer "sudo su -" -- as long as I'm giving it away! )
> >
> > Afaik, there is no reason for "sudo su -" It should be either
> >
> > su -
> >
> > or, if you are using sudo,
> >
> > sudo -i
> >
> > The disadvantage of "su -" is that it requires the user to know the root
> > password. But, "sudo -i" does the same thing without requiring the user
> > to know the root password.
>
> You either didn't think or didn't actually try it. "sudo su -" needs a
> password, but it's the user password. Running su as root never needs a
> password. Accordingly, this works on a stock Ubuntu with no root password.
>
> "su -" requires the root password unless you're already root, and the root
> password may or may not exist.
>
> I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it
> immediately asked for a password, for which
> the user password was sufficient. So it's entirely equivalent to but
> slightly shorter than my version. I'll stick with
> mine because it's made of parts I already know and won't forget.
>
> I think that if sudoers don't need to enter passwords, they're still
> equivalent, but I have not tried this.

Sounds to me like he's whinging about sudo and not much else. I find this to
be common and far too many people advancing the idea can't define to me basic
security concepts. I have also yet to meet someone with a beef against sudo
that can show a fundamental weakness with it, and I'm not talking about an
isolated case of buffer overflow either - that can happen with any software. I
mean a weakness in the methodology of sudo itself.

Many people have a stuck idea in their heads that the root password is a magic
security bullet. In fact, it's no such thing. Like any other password it is
simply something you need to prove you know in order to authenticate
yourself. The major threat by analysis on a workstation is stepping away for a
leak and forgetting to lock the screen. sudo is adequate protection against
this as long as more than 5 minutes have elapsed since the last sudo was run -
the prankster may have access to the machine but still does not know any
password, including yours. A major threat to finding passwords is shoulder
surfing. If one frequently enters the root password, it is equally easy for a
shoulder surfer to find it as to find the user's password. Note that if you
leave your workstation unlocked with a root session open, there is no such
timeout as what one has with sudo.

Additionally, on a shared machine (i.e. server at work), the root password has
to be shared which is a huge hole in itself due to the difficulty of
communicating the new password when it is changed. It is trivially easy to
communicate a single password for a single user and guarantee it stays secure
(major advances in cryptanalysis excepted).


--
alan dot mckinnon at gmail dot com
 
08-10-2010, 07:22 PM
Hazen Valliant-Saunders
Rooted/compromised Gentoo, seeking advice

On Tue, Aug 10, 2010 at 2:50 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> [...]
> Additionally, on a shared machine (i.e. server at work), the root password has
> to be shared which is a huge hole in itself due to the difficulty of
> communicating the new password when it is changed. It is trivially easy to
> communicate a single password for a single user and guarantee it stays secure
> (major advances in cryptanalysis excepted).


Good luck getting people to change them frequently and having your techs and IT departments meet complexity and length policy.

Remember the only secure system is off and disconnected.

If you are willing to use it you must apprise the community of the risk of failure, and plan for said risk.

Most projects I've enjoyed had various password books, usually encrypted with a "God" key for each department and its respective responsible area.

Then those keys become an issue in and of themselves; then it's a matter of procedural control. When the admin or admins leave, change them.

Sounds simple, but it happens far too rarely; in practice I've headed to a client I haven't visited in a decade or so and found the same password I once used, by guessing.

Which always rings true for me as a means to ensure disclosure is to those that I trust, or would trust.

The discretionary access model in Gentoo is nice and to be expected; what I'd really like is a way to have my groups integrate from whichever directory service I'm using to meet the DAC mappings required on the local machine so I can enable RBAC or some other lattice-based control with local admins and limit their functions to their jobs in an EASY fashion.


Regards,
--
Hazen Valliant-Saunders
 
08-10-2010, 11:23 PM
Peter Humphrey
Rooted/compromised Gentoo, seeking advice

On Tuesday 10 August 2010 20:22:13 Hazen Valliant-Saunders wrote:
> Good luck getting people to change them frequently and having your
> techs and IT departments meet complexity and length policy.
>
> Remember the only secure system is off and disconnected.

I hope you know whom you're talking to here.

--
Rgds
Peter. Linux Counter 5290, 1994-04-23.
 
08-11-2010, 01:05 AM
Walter Dnes
Rooted/compromised Gentoo, seeking advice

On Tue, Aug 10, 2010 at 04:14:41AM +0200, Frank Steinmetzger wrote
> Am Dienstag, 10. August 2010 schrieb Paul Hartman:
>
> > Typing that long password into sudo every time I ran a command was a
> > hassle
>
> I've never used sudo, and never really liked the idea of it. In
> fact I'm always amused and slightly annoyed by the sheer amount
> of sudo one can find in your typical ubuntu howto. ;-)

There are some things that have to be done as root, but are needed by
a regular user. E.g. I have a backup dialup account with 295.ca (guess
how much they charge per month <G>). When using it, I not only have to
run "pon", but I also have to copy over the correct ssmtp.conf settings
for my dialup ISP. My ~/bin/udialup (USB dialup) script reads like so...

#!/bin/bash
/usr/bin/sudo /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
/usr/bin/sudo /usr/sbin/pon u295.ca

When I exit, I have to copy back the ssmtp.conf that points to my
broadband ISP's MTU. My ~/bin/dialdown script reads like so...

#!/bin/bash
/usr/bin/sudo /usr/sbin/poff
/usr/bin/sudo /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf

This is after I figured out how to use "metric" in my network config
so that ppp0 and eth0 could co-exist side by side. ppp0 can talk to the
outside world via the dialup modem, while eth0 *SIMULTANEOUSLY* talks to
my other machines on 192.168.123.248/29 (aka 192.168.123.240 netmask
255.255.255.240). Before that, my udialup script had to tear down eth0,
and dialdown had to restart it. Here are some of the entries in
/etc/sudoers on my machine "i3"...

waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /usr/sbin/pon 295.ca
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /sbin/poweroff
waltdnes i3 = (root) NOPASSWD: /usr/bin/rdate time.nrc.ca -s
waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes i3 = (root) NOPASSWD: /usr/sbin/hibernate

This gives me the power to do specific root-level stuff as a regular
user, without giving away the keys to the kingdom. Note that none of
the entries accepts any parameters, let alone $*. Also, specifying the
path prevents running the wrong executable with root-level privileges.

--
Walter Dnes <waltdnes@waltdnes.org>
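Two details of sudoers argument matching matter for entries like the ones above, and both come from sudoers(5). An entry that lists arguments matches only that exact argument list, so the "pon u295.ca" line in the udialup script would not match the "pon 295.ca" entry. An entry that lists no arguments at all (here poff, poweroff and hibernate) matches the command run with any arguments, unless it is followed by an explicit "" to allow only a bare invocation. When several entries match, the last one applies. The evaluator below is an added example, not anything from the thread: it implements those rules over the entries from this post plus a constructed hardened variant. Aliases, wildcards, negation, Defaults and PATH resolution are left out, so commands are given by absolute path, as sudo sees them after resolving.

```python
"""Evaluate what a sudoers command spec actually permits.

Added example, not from the thread. Implements the argument rules from
sudoers(5): a command listed with arguments matches only that exact
argument list; a command listed with no arguments matches any arguments;
a command followed by "" may only be run bare. When several entries match,
sudo applies the last one. Simplifications: literal user/host only, no
aliases, wildcards, negation or Defaults; argv[0] must be the absolute path.
The SUDOERS text is Walter's entries; HARDENED and the checks are constructed.
"""
import shlex
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    user: str
    host: str
    runas: str
    nopasswd: bool
    cmnd: List[str]  # absolute path, then the listed args; [""] means "bare only"


def parse_rule(line: str) -> Rule:
    """Parse one 'user host = (runas) [NOPASSWD:] /path [args]' line."""
    user, host, rest = line.split(None, 2)
    rest = rest.lstrip("=").strip()
    runas = "root"
    if rest.startswith("("):
        runas, rest = rest[1:].split(")", 1)
        rest = rest.strip()
    nopasswd = rest.startswith("NOPASSWD:")
    if nopasswd:
        rest = rest[len("NOPASSWD:"):].strip()
    return Rule(user, host, runas.strip(), nopasswd, shlex.split(rest))  # "" -> ''


def cmnd_matches(cmnd: List[str], argv: List[str]) -> bool:
    if not argv or cmnd[0] != argv[0]:
        return False
    spec_args = cmnd[1:]
    if not spec_args:            # nothing listed: any arguments are accepted
        return True
    if spec_args == [""]:        # explicit "": only a bare invocation
        return len(argv) == 1
    return spec_args == argv[1:]  # listed: exact match (globs not modelled)


def decide(rules: List[Rule], user: str, host: str, argv: List[str],
           runas: str = "root") -> Optional[str]:
    """'NOPASSWD' or 'PASSWD' from the last matching entry; None means denied."""
    verdict = None
    for r in rules:
        if (r.user, r.host, r.runas) == (user, host, runas) and cmnd_matches(r.cmnd, argv):
            verdict = "NOPASSWD" if r.nopasswd else "PASSWD"  # last match wins
    return verdict


SUDOERS = [parse_rule(line) for line in """
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /usr/sbin/pon 295.ca
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /sbin/poweroff
waltdnes i3 = (root) NOPASSWD: /usr/bin/rdate time.nrc.ca -s
waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes i3 = (root) NOPASSWD: /usr/sbin/hibernate
""".strip().splitlines()]

# Constructed hardened variant: every entry that listed no arguments gets an
# explicit "" so it can no longer be run with arbitrary arguments. The entry
# must be rewritten, not followed by a second one: a later entry that does not
# match cannot override an earlier one that does.
HARDENED = [r if r.cmnd[1:] else r._replace(cmnd=r.cmnd + [""]) for r in SUDOERS]

if __name__ == "__main__":
    checks = [
        ("sudoers entry as written", SUDOERS, ["/usr/sbin/pon", "295.ca"]),
        ("udialup script's own line", SUDOERS, ["/usr/sbin/pon", "u295.ca"]),
        ("poff with an argument", SUDOERS, ["/usr/sbin/poff", "--anything"]),
        ("poff with an argument, hardened", HARDENED, ["/usr/sbin/poff", "--anything"]),
        ("cp to a different target", SUDOERS,
         ["/bin/cp", "-f", "/etc/ssmtp/295.ssmtp.conf", "/etc/shadow"]),
    ]
    for label, rules, argv in checks:
        print(f"{label:36} {' '.join(argv):55} {decide(rules, 'waltdnes', 'i3', argv)}")
```

The same evaluator answers Walter's "no parameters" observation precisely: the cp, pon, rdate and hwclock entries accept no other arguments, while poff, poweroff and hibernate accept any until the "" is added. On a real system the authoritative answer is sudo -l (or sudo -l <command>) as the user in question, which applies the full grammar this example leaves out.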
 
08-11-2010, 02:16 AM
Dale
Rooted/compromised Gentoo, seeking advice

Walter Dnes wrote:

> There are some things that have to be done as root, but are needed by
> a regular user. E.g. I have a backup dialup account with 295.ca (guess
> how much they charge per month <G>). When using it, I not only have to
> run "pon", but I also have to copy over the correct ssmtp.conf settings
> for my dialup ISP. My ~/bin/udialup (USB dialup) script reads like so...
> [...]
> This gives me the power to do specific root-level stuff as a regular
> user, without giving away the keys to the kingdom.


I used to use wvdial as well as pon and I don't recall having to be
root. I added myself to the dial-up group if I recall correctly. It just
worked for me.


I also don't use sudo here either. ;-)

Dale

:-) :-)
 
08-11-2010, 04:36 AM
Walter Dnes
Rooted/compromised Gentoo, seeking advice

On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote

> I used to use wvdial as well as pon and I don't recall having to be
> root. I added myself to the dial-up group if I recall correctly. It just
> worked for me.
>
> I also don't use sudo here either. ;-)

As I mentioned, I also have to copy a new ssmtp.conf. I'm aware of
the -C option for ssmtp, but then I'd have to muck around with mutt when
switching between ADSL and dialup. This way, mutt doesn't care. It
"just works".

--
Walter Dnes <waltdnes@waltdnes.org>
 
08-11-2010, 05:37 AM
Dale
Rooted/compromised Gentoo, seeking advice

Walter Dnes wrote:
> On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote
> > I used to use wvdial as well as pon and I don't recall having to be
> > root. I added myself to the dial-up group if I recall correctly. It just
> > worked for me.
> >
> > I also don't use sudo here either. ;-)
>
> As I mentioned, I also have to copy a new ssmtp.conf. I'm aware of
> the -C option for ssmtp, but then I'd have to muck around with mutt when
> switching between ADSL and dialup. This way, mutt doesn't care. It
> "just works".

Ahhhh, so it's not pon that needs the permissions but another program.
That makes sense. Sort of had me confused for a minute.


Don't worry, I have those minutes a lot. lol They sometimes pass
pretty quick but some take a bit longer.


Dale

:-) :-)
 
