[ale] bash commands
Matthew
simontek at gmail.com
Mon May 21 07:29:48 EDT 2012
Atm that is the environment I am in. Some machines I have the root
password to, some I don't, some I have to ssh 127.0.0.1 as root. My
PDE I have to wait a bit to get root access, for my job its ironic, I
have to use my work computer to do it, vs my govt provided one.
On 5/21/12, Jim Kinney <jim.kinney at gmail.com> wrote:
> In a multi-admin server environment, selinux and auditd can fully track who
> did what. Each admin logs in remotely and then can su to root, do their
> work and log out. Even though they can use su - to fully change to the root
> user with full environment, auditd tracks every command issued with both
> effective ID and original ID. So root from Fred is different from root from
> Sally.
>
> The addition of rootsh to the system as the only shell for root will
> provide a full log of keyboard entry and return data. That log can be on a
> remote machine.
>
> On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <
> brian.mathis+ale at betteradmin.com> wrote:
>
>> By "desktop" I mean a computer that sits on your desk either at home
>> or work, as opposed to servers that run in a data center. I think
>> most people who don't see the difference between using 'su' vs 'sudo'
>> think that way because they are only playing with Linux on their home
>> desktop so it doesn't really matter. However, in a server environment
>> where you need to manage resources, it does.
>>
>> I don't think anyone is using "desktop" to refer to using a GUI
>> instead of a shell prompt; at least that doesn't make sense in the
>> context of this discussion.
>>
>>
>> ❧ Brian Mathis
>>
>>
>> On Mon, May 21, 2012 at 2:48 AM, Matthew <simontek at gmail.com> wrote:
>> > I don't usually work in a desktop environment. Even though our project
>> > is using kde, I still do everything from command line.
>> >
>> > On 5/21/12, Brian Mathis <brian.mathis+ale at betteradmin.com> wrote:
>> >> There is an ENORMOUS difference between using "su" and "sudo -i", and
>> >> it's big enough that any old codgers out there should learn this new
>> >> trick:
>> >>
>> >> To use 'su' you need the ROOT password.
>> >> To use 'sudo', you need YOUR password.
>> >>
>> >> In any environment outside of your personal desktop, this is a huge
>> >> difference. Securely distributing the root password to any number of
>> >> sysadmins, keeping track of who has it, and changing it every time
>> >> someone leaves (and redistributing the changed password) is a
>> >> nightmare, and it also violates most accepted rules of good security
>> >> (using shared passwords).
>> >>
>> >> If you grant root access through sudo, even if admins use 'sudo -i',
>> >> you only need to manage the sudoers file and you can forget about the
>> >> root password issue. You still need to keep track of the root
>> >> password, but now you can set it to some long random string and keep
>> >> it locked in a safe somewhere. You also get an audit trail of who's
>> >> logging in and switching to root, even if you don't get a full audit
>> >> of every command they run.
>> >>
>> >>
>> >> ❧ Brian Mathis
>> >>
>> >>
>> >> On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com> wrote:
>> >>> Why not just log in as root and stomp around if you're going to use
>> sudo
>> >>> -i?
>> >>>
>> >>> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com> wrote:
>> >>>> sudo -i is definitely bad practice, it completely negates the
>> >>>> purpose
>> of
>> >>>> using sudo in the first place.
>> >>>>
>> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland
>> >>>> <brian at stanaland.org
>> >
>> >>>> wrote:
>> >>>>> I use 'sudo su -' which gets you the complete root experience.
>> >>>>>
>> >>>>> -- Brian
>> >>>>>
>> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <cluon at geeklabs.com>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:
>> >>>>>> > If that's current thinking, then it's changed. I've been
>> >>>>>> > administrating
>> >>>>>> > Unix systems for about 25 years. Sudo didn't exist and you
>> needed to
>> >>>>>> > su
>> >>>>>> > in order to do admin tasks. It was accepted and expected. You
>> >>>>>> > couldn't
>> >>>>>> > install SunOS, HPUX, UNICOS or Irix without it. I'm afraid this
>> old
>> >>>>>> > dog
>> >>>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a regular
>> >>>>>> > basis
>> >>>>>> > when I don't have su enabled.
>> >>>>>>
>> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves a
>> lot
>> >>>>>> of
>> >>>>>> time and typing over "sudo foo" for every command. On a desktop,
>> normal
>> >>>>>> user system.. it seems to be the "right way". Be a user for user
>> >>>>>> things,
>> >>>>>> become almost root for doing admin stuff on my box.
>> >>>>>>
>> >>>>>> On a server.. there is only root for most sysadmin tasks. I've
>> >>>>>> only
>> >>>>>> been
>> >>>>>> running Linux since 94.. but have also worked on DG Nova's, SCO
>> unix,
>> >>>>>> Slowlaris, etc.. but it seems to be the right way to admin a
>> >>>>>> server.
>> >>>>>> If you can't handle SSHing in/logging in as root.. you should not
>> be.
>> >>>> --
>> >>>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
>> >>> --
>> >>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
>> >>
>> >> _______________________________________________
>> >> Ale mailing list
>> >> Ale at ale.org
>> >> http://mail.ale.org/mailman/listinfo/ale
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> http://mail.ale.org/mailman/listinfo
>> >>
>> >
>> > --
>> > Sent from my mobile device
>> >
>> > SimonTek
>> > 912-398-6704
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
>
> --
> --
> James P. Kinney III
>
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - *2011 Noam Chomsky
>
> http://heretothereideas.blogspot.com/
> *
>
--
Sent from my mobile device
SimonTek
912-398-6704
More information about the Ale
mailing list