<br><br><div class="gmail_quote">On Mon, May 21, 2012 at 7:29 AM, Matthew <span dir="ltr"><<a href="mailto:simontek@gmail.com" target="_blank">simontek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Atm that is the environment I am in. Some machines I have the root<br>
password to, some I don't, some I have to ssh 127.0.0.1 as root. My<br>
PDE I have to wait a bit to get root access, for my job its ironic, I<br>
have to use my work computer to do it, vs my govt provided one.<br>
<div><div class="h5"><br>
On 5/21/12, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
> In a multi-admin server environment, selinux and auditd can fully track who<br>
> did what. Each admin logs in remotely and then can su to root, do their<br>
> work and log out. Even though they can use su - to fully change to the root<br>
> user with full environment, auditd tracks every command issued with both<br>
> effective ID and original ID. So root from Fred is different from root from<br>
> Sally.<br>
><br>
> The addition of rootsh to the system as the only shell for root will<br>
> provide a full log of keyboard entry and return data. That log can be on a<br>
> remote machine.<br>
><br>
> On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <<br>
> <a href="mailto:brian.mathis%2Bale@betteradmin.com">brian.mathis+ale@betteradmin.com</a>> wrote:<br>
><br>
>> By "desktop" I mean a computer that sits on your desk either at home<br>
>> or work, as opposed to servers that run in a data center. I think<br>
>> most people who don't see the difference between using 'su' vs 'sudo'<br>
>> think that way because they are only playing with Linux on their home<br>
>> desktop so it doesn't really matter. However, in a server environment<br>
>> where you need to manage resources, it does.<br>
>><br>
>> I don't think anyone is using "desktop" to refer to using a GUI<br>
>> instead of a shell prompt; at least that doesn't make sense in the<br>
>> context of this discussion.<br>
>><br>
>><br>
>> ❧ Brian Mathis<br>
>><br>
>><br>
>> On Mon, May 21, 2012 at 2:48 AM, Matthew <<a href="mailto:simontek@gmail.com">simontek@gmail.com</a>> wrote:<br>
>> > I don't usually work in a desktop environment. Even though our project<br>
>> > is using kde, I still do everything from command line.<br>
>> ><br>
>> > On 5/21/12, Brian Mathis <<a href="mailto:brian.mathis%2Bale@betteradmin.com">brian.mathis+ale@betteradmin.com</a>> wrote:<br>
>> >> There is an ENORMOUS difference between using "su" and "sudo -i", and<br>
>> >> it's big enough that any old codgers out there should learn this new<br>
>> >> trick:<br>
>> >><br>
>> >> To use 'su' you need the ROOT password.<br>
>> >> To use 'sudo', you need YOUR password.<br>
>> >><br>
>> >> In any environment outside of your personal desktop, this is a huge<br>
>> >> difference. Securely distributing the root password to any number of<br>
>> >> sysadmins, keeping track of who has it, and changing it every time<br>
>> >> someone leaves (and redistributing the changed password) is a<br>
>> >> nightmare, and it also violates most accepted rules of good security<br>
>> >> (using shared passwords).<br>
>> >><br>
>> >> If you grant root access through sudo, even if admins use 'sudo -i',<br>
>> >> you only need to manage the sudoers file and you can forget about the<br>
>> >> root password issue. You still need to keep track of the root<br>
>> >> password, but now you can set it to some long random string and keep<br>
>> >> it locked in a safe somewhere. You also get an audit trail of who's<br>
>> >> logging in and switching to root, even if you don't get a full audit<br>
>> >> of every command they run.<br>
>> >><br>
>> >><br>
>> >> ❧ Brian Mathis<br>
>> >><br>
>> >><br>
>> >> On Sun, May 20, 2012 at 9:30 PM, matt <<a href="mailto:ur.matt@gmail.com">ur.matt@gmail.com</a>> wrote:<br>
>> >>> Why not just log in as root and stomp around if you're going to use<br>
>> sudo<br>
>> >>> -i?<br>
>> >>><br>
>> >>> On Sun, May 20, 2012 at 6:27 PM, matt <<a href="mailto:ur.matt@gmail.com">ur.matt@gmail.com</a>> wrote:<br>
>> >>>> sudo -i is definitely bad practice, it completely negates the<br>
>> >>>> purpose<br>
>> of<br>
>> >>>> using sudo in the first place.<br>
>> >>>><br>
>> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland<br>
>> >>>> <<a href="mailto:brian@stanaland.org">brian@stanaland.org</a><br>
>> ><br>
>> >>>> wrote:<br>
>> >>>>> I use 'sudo su -' which gets you the complete root experience.<br>
>> >>>>><br>
>> >>>>> -- Brian<br>
>> >>>>><br>
>> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <<a href="mailto:cluon@geeklabs.com">cluon@geeklabs.com</a>><br>
>> >>>>> wrote:<br>
>> >>>>>><br>
>> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:<br>
>> >>>>>> > If that's current thinking, then it's changed. I've been<br>
>> >>>>>> > administrating<br>
>> >>>>>> > Unix systems for about 25 years. Sudo didn't exist and you<br>
>> needed to<br>
>> >>>>>> > su<br>
>> >>>>>> > in order to do admin tasks. It was accepted and expected. You<br>
>> >>>>>> > couldn't<br>
>> >>>>>> > install SunOS, HPUX, UNICOS or Irix without it. I'm afraid this<br>
>> old<br>
>> >>>>>> > dog<br>
>> >>>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a regular<br>
>> >>>>>> > basis<br>
>> >>>>>> > when I don't have su enabled.<br>
>> >>>>>><br>
>> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves a<br>
>> lot<br>
>> >>>>>> of<br>
>> >>>>>> time and typing over "sudo foo" for every command. On a desktop,<br>
>> normal<br>
>> >>>>>> user system.. it seems to be the "right way". Be a user for user<br>
>> >>>>>> things,<br>
>> >>>>>> become almost root for doing admin stuff on my box.<br>
>> >>>>>><br>
>> >>>>>> On a server.. there is only root for most sysadmin tasks. I've<br>
>> >>>>>> only<br>
>> >>>>>> been<br>
>> >>>>>> running Linux since 94.. but have also worked on DG Nova's, SCO<br>
>> unix,<br>
>> >>>>>> Slowlaris, etc.. but it seems to be the right way to admin a<br>
>> >>>>>> server.<br>
>> >>>>>> If you can't handle SSHing in/logging in as root.. you should not<br>
>> be.<br>
>> >>>> --<br>
>> >>>> Matt Urbanski | <a href="http://iflowfor8hours.info" target="_blank">iflowfor8hours.info</a> | @iflowfor8hours<br>
>> >>> --<br>
>> >>> Matt Urbanski | <a href="http://iflowfor8hours.info" target="_blank">iflowfor8hours.info</a> | @iflowfor8hours<br>
>> >><br>
>> >> _______________________________________________<br>
>> >> Ale mailing list<br>
>> >> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> >> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> >> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>> >><br>
>> ><br>
>> > --<br>
>> > Sent from my mobile device<br>
>> ><br>
>> > SimonTek<br>
>> > <a href="tel:912-398-6704" value="+19123986704">912-398-6704</a><br>
>> ><br>
>> > _______________________________________________<br>
>> > Ale mailing list<br>
>> > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
><br>
><br>
><br>
> --<br>
> --<br>
> James P. Kinney III<br>
><br>
> As long as the general population is passive, apathetic, diverted to<br>
> consumerism or hatred of the vulnerable, then the powerful can do as they<br>
> please, and those who survive will be left to contemplate the outcome.<br>
</div></div>> - *2011 Noam Chomsky<br>
><br>
> <a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
<div class="HOEnZb"><div class="h5">> *<br>
><br>
<br>
--<br>
Sent from my mobile device<br>
<br>
SimonTek<br>
<a href="tel:912-398-6704" value="+19123986704">912-398-6704</a><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all">Our general practice is to use sudo and do a few things under the timer. There are install sessions that require changing to user env of 3 different users, all essentially system users, to whose accts, I have the passwords, but it is far quicker to sudo su - or sudo -i and then su - into the other two accts from root, which requires no password to get into the accounts. The system user passwords, and also the system root user passwords can then be different from machine to machine, and my work is not slowed down while I get the notebooks with all passwords to search for this or that machine and user.<br>
Those notebooks would be the holy skeleton keys for the entire network (and a huge security vulnerability), but are in a safe buried under 20 feet of concrete, as all any of the admins have to have is their own password to do any of the admin tasks they are permitted to do on any of the machines.<br>
Sudo can be very granular, allowing some but not all admin tasks. This isn't all that apparent for new users of Ubuntu (which has root login disabled by default in the gui Runlevel 5 login screen (GDM)).<br><br>-Wolf<br>
<br>PS In the most recent Ubuntu release, the automated update-manager behaviour is to allow updates and safe-upgrades without a password entry, but you still need a password to run aptitude or the Ubuntu software center application.<br>
<br>-- <br>This Apt Has Super Cow Powers - <a href="http://sourcefreedom.com" target="_blank">http://sourcefreedom.com</a><br>Open-Source Software in Libraries - <a href="http://FOSS4Lib.org" target="_blank">http://FOSS4Lib.org</a><br>
Advancing Libraries Together - <a href="http://LYRASIS.org" target="_blank">http://LYRASIS.org</a><br>Apache Open Office Developer <a href="mailto:wolfhalton@apache.org" target="_blank">wolfhalton@apache.org</a><br><br>