[ale] bash commands
Lightner, Jeff
JLightner at water.com
Mon May 21 08:44:38 EDT 2012
I disagree with the purpose of sudo stated previously. It was not designed to prevent System Admins from getting root access. It was designed to allow NON-system admins to access only those few things they need as root without giving them the root password and full root access.
Over time PHBs have somehow decided that even System Admins shouldn’t have root which is why you see abominations like “sudo” only distros. System Admins do spend a lot of their time as root no matter how much hand wringing is done by people that like to claim it isn’t secure.
The sad thing about sudo is how many admins do not seem to understand what they’re giving to users with it. The first place I saw it they gave users “sudo vi”. I had to show them what “:!/bin/sh” did in such a session. I also had to explain to them why sudo access to shell scripts that were not writable only by root in a directory only accessible by root was a bad idea.
I’ve only worked one place where I thought they handled sudo for Admins correctly. They had syslog traffic going to a server NOT controlled by the Admins and any time you used sudo you had to put in a reason why and be prepared for a query from management because they got emails when you did it. You could hide what you did after becoming root but not the fact that you HAD become root.
We use sudo extensively here mainly for its (IMHO) original purpose. One great use of it is to get rid of purely administrative accounts for applications where everyone knows the password. By requiring users that need access to such administrative accounts to do “sudo su - <account>” you can log which user became that administrative user right before everything went to hell in a handbasket.
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Wolf Halton
Sent: Monday, May 21, 2012 8:06 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] bash commands
On Mon, May 21, 2012 at 7:29 AM, Matthew <simontek at gmail.com<mailto:simontek at gmail.com>> wrote:
Atm that is the environment I am in. Some machines I have the root
password to, some I don't, some I have to ssh 127.0.0.1 as root. My
PDE I have to wait a bit to get root access, for my job its ironic, I
have to use my work computer to do it, vs my govt provided one.
On 5/21/12, Jim Kinney <jim.kinney at gmail.com<mailto:jim.kinney at gmail.com>> wrote:
> In a multi-admin server environment, selinux and auditd can fully track who
> did what. Each admin logs in remotely and then can su to root, do their
> work and log out. Even though they can use su - to fully change to the root
> user with full environment, auditd tracks every command issued with both
> effective ID and original ID. So root from Fred is different from root from
> Sally.
>
> The addition of rootsh to the system as the only shell for root will
> provide a full log of keyboard entry and return data. That log can be on a
> remote machine.
>
> On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <
> brian.mathis+ale at betteradmin.com<mailto:brian.mathis%2Bale at betteradmin.com>> wrote:
>
>> By "desktop" I mean a computer that sits on your desk either at home
>> or work, as opposed to servers that run in a data center. I think
>> most people who don't see the difference between using 'su' vs 'sudo'
>> think that way because they are only playing with Linux on their home
>> desktop so it doesn't really matter. However, in a server environment
>> where you need to manage resources, it does.
>>
>> I don't think anyone is using "desktop" to refer to using a GUI
>> instead of a shell prompt; at least that doesn't make sense in the
>> context of this discussion.
>>
>>
>> ❧ Brian Mathis
>>
>>
>> On Mon, May 21, 2012 at 2:48 AM, Matthew <simontek at gmail.com<mailto:simontek at gmail.com>> wrote:
>> > I don't usually work in a desktop environment. Even though our project
>> > is using kde, I still do everything from command line.
>> >
>> > On 5/21/12, Brian Mathis <brian.mathis+ale at betteradmin.com<mailto:brian.mathis%2Bale at betteradmin.com>> wrote:
>> >> There is an ENORMOUS difference between using "su" and "sudo -i", and
>> >> it's big enough that any old codgers out there should learn this new
>> >> trick:
>> >>
>> >> To use 'su' you need the ROOT password.
>> >> To use 'sudo', you need YOUR password.
>> >>
>> >> In any environment outside of your personal desktop, this is a huge
>> >> difference. Securely distributing the root password to any number of
>> >> sysadmins, keeping track of who has it, and changing it every time
>> >> someone leaves (and redistributing the changed password) is a
>> >> nightmare, and it also violates most accepted rules of good security
>> >> (using shared passwords).
>> >>
>> >> If you grant root access through sudo, even if admins use 'sudo -i',
>> >> you only need to manage the sudoers file and you can forget about the
>> >> root password issue. You still need to keep track of the root
>> >> password, but now you can set it to some long random string and keep
>> >> it locked in a safe somewhere. You also get an audit trail of who's
>> >> logging in and switching to root, even if you don't get a full audit
>> >> of every command they run.
>> >>
>> >>
>> >> ❧ Brian Mathis
>> >>
>> >>
>> >> On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com<mailto:ur.matt at gmail.com>> wrote:
>> >>> Why not just log in as root and stomp around if you're going to use
>> sudo
>> >>> -i?
>> >>>
>> >>> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com<mailto:ur.matt at gmail.com>> wrote:
>> >>>> sudo -i is definitely bad practice, it completely negates the
>> >>>> purpose
>> of
>> >>>> using sudo in the first place.
>> >>>>
>> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland
>> >>>> <brian at stanaland.org<mailto:brian at stanaland.org>
>> >
>> >>>> wrote:
>> >>>>> I use 'sudo su -' which gets you the complete root experience.
>> >>>>>
>> >>>>> -- Brian
>> >>>>>
>> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <cluon at geeklabs.com<mailto:cluon at geeklabs.com>>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:
>> >>>>>> > If that's current thinking, then it's changed. I've been
>> >>>>>> > administrating
>> >>>>>> > Unix systems for about 25 years. Sudo didn't exist and you
>> needed to
>> >>>>>> > su
>> >>>>>> > in order to do admin tasks. It was accepted and expected. You
>> >>>>>> > couldn't
>> >>>>>> > install SunOS, HPUX, UNICOS or Irix without it. I'm afraid this
>> old
>> >>>>>> > dog
>> >>>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a regular
>> >>>>>> > basis
>> >>>>>> > when I don't have su enabled.
>> >>>>>>
>> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves a
>> lot
>> >>>>>> of
>> >>>>>> time and typing over "sudo foo" for every command. On a desktop,
>> normal
>> >>>>>> user system.. it seems to be the "right way". Be a user for user
>> >>>>>> things,
>> >>>>>> become almost root for doing admin stuff on my box.
>> >>>>>>
>> >>>>>> On a server.. there is only root for most sysadmin tasks. I've
>> >>>>>> only
>> >>>>>> been
>> >>>>>> running Linux since 94.. but have also worked on DG Nova's, SCO
>> unix,
>> >>>>>> Slowlaris, etc.. but it seems to be the right way to admin a
>> >>>>>> server.
>> >>>>>> If you can't handle SSHing in/logging in as root.. you should not
>> be.
>> >>>> --
>> >>>> Matt Urbanski | iflowfor8hours.info<http://iflowfor8hours.info> | @iflowfor8hours
>> >>> --
>> >>> Matt Urbanski | iflowfor8hours.info<http://iflowfor8hours.info> | @iflowfor8hours
>> >>
>> >>
_______________________________________________
>> >> Ale mailing list
>> >> Ale at ale.org<mailto:Ale at ale.org>
>> >> http://mail.ale.org/mailman/listinfo/ale
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> http://mail.ale.org/mailman/listinfo
>> >>
>> >
>> > --
>> > Sent from my mobile device
>> >
>> > SimonTek
>> > 912-398-6704<tel:912-398-6704>
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org<mailto:Ale at ale.org>
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org<mailto:Ale at ale.org>
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
>
> --
> --
> James P. Kinney III
>
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - *2011 Noam Chomsky
>
> http://heretothereideas.blogspot.com/
> *
>
--
Sent from my mobile device
SimonTek
912-398-6704<tel:912-398-6704>
_______________________________________________
Ale mailing list
Ale at ale.org<mailto:Ale at ale.org>
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
Our general practice is to use sudo and do a few things under the timer. There are install sessions that require changing to user env of 3 different users, all essentially system users, to whose accts, I have the passwords, but it is far quicker to sudo su - or sudo -i and then su - into the other two accts from root, which requires no password to get into the accounts. The system user passwords, and also the system root user passwords can then be different from machine to machine, and my work is not slowed down while I get the notebooks with all passwords to search for this or that machine and user.
Those notebooks would be the holy skeleton keys for the entire network (and a huge security vulnerability), but are in a safe buried under 20 feet of concrete, as all any of the admins have to have is their own password to do any of the admin tasks they are permitted to do on any of the machines.
Sudo can be very granular, allowing some but not all admin tasks. This isn't all that apparent for new users of Ubuntu (which has root login disabled by default in the gui Runlevel 5 login screen (GDM)).
-Wolf
PS In the most recent Ubuntu release, the automated update-manager behaviour is to allow updates and safe-upgrades without a password entry, but you still need a password to run aptitude or the Ubuntu software center application.
--
This Apt Has Super Cow Powers - http://sourcefreedom.com
Open-Source Software in Libraries - http://FOSS4Lib.org
Advancing Libraries Together - http://LYRASIS.org
Apache Open Office Developer wolfhalton at apache.org<mailto:wolfhalton at apache.org>
Athena®, Created for the Cause™
Making a Difference in the Fight Against Breast Cancer
How and Why I Should Support Bottled Water!
Do not relinquish your right to choose bottled water as a healthy alternative to beverages that contain sugar, calories, etc. Your support of bottled water will make a difference! Your signatures count! Go to http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters and sign a petition to support your right to always choose bottled water. Help fight federal and state issues, such as bottle deposits (or taxes) and organizations that want to ban the sale of bottled water. Support community curbside recycling programs. Support bottled water as a healthy way to maintain proper hydration. Our goal is 50,000 signatures. Share this petition with your friends and family today!
---------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20120521/80a899fe/attachment-0001.html
More information about the Ale
mailing list