[ale] bash commands

Erik Mathis erik at mathists.com
Wed May 23 08:53:19 EDT 2012


This came across my inbox today, so I thought I'd throw this story
into the debate.

http://www.zdnet.com/blog/open-source/sudo-broken-sudo-fixed/11036

I for one agree that sudo is for risk mitigation. Also it has saved me
a number of times from doing something dumb like "rm -f
/tmp/somefile*" because I had that second chance to notice that extra
space.

-Erik-

On Tue, May 22, 2012 at 5:27 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> Big +1
>
> sudo is not a tool for admins.
>
> On May 22, 2012 6:01 PM, "Lightner, Jeff" <JLightner at water.com> wrote:
>>
>> I disagree with the purpose of sudo stated previously.  It was not
>> designed to prevent System Admins from getting root access.  It was designed
>> to allow NON-system admins to access only those few things they need as root
>> without giving them the root password and full root access.
>>
>> Over time PHBs have somehow decided that even System Admins shouldn’t have
>> root which is why you see abominations like “sudo” only distros.  System
>> Admins do spend a lot of their time as root no matter how much hand wringing
>> is done by people that like to claim it isn’t secure.
>>
>> The sad thing about sudo is how many admins do not seem to understand what
>> they’re giving to users with it.  The first place I saw it they gave users
>> “sudo vi”.  I had to show them what “:!/bin/sh” did in such a session.  I
>> also had to explain to them why sudo access to shell scripts that were not
>> writable only by root in a directory only accessible by root was a bad idea.
>>
>> I’ve only worked one place where I thought they handled sudo for Admins
>> correctly.  They had syslog traffic going to a server NOT controlled by the
>> Admins and any time you used sudo you had to put in a reason why and be
>> prepared for a query from management because they got emails when you did
>> it.  You could hide what you did after becoming root but not the fact that
>> you HAD become root.
>>
>> We use sudo extensively here mainly for its (IMHO) original purpose.  One
>> great use of it is to get rid of purely administrative accounts for
>> applications where everyone knows the password.  By requiring users that
>> need access to such administrative accounts to do “sudo su - <account>” you
>> can log which user became that administrative user right before everything
>> went to hell in a handbasket.
>>
>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Wolf
>> Halton
>> Sent: Monday, May 21, 2012 8:06 AM
>> To: Atlanta Linux Enthusiasts
>> Subject: Re: [ale] bash commands
>>
>> On Mon, May 21, 2012 at 7:29 AM, Matthew <simontek at gmail.com> wrote:
>>
>> Atm that is the environment I am in. Some machines I have the root
>> password to, some I don't, some I have to ssh 127.0.0.1 as root. My
>> PDE I have to wait a bit to get root access, for my job it's ironic, I
>> have to use my work computer to do it, vs my govt provided one.
>>
>> On 5/21/12, Jim Kinney <jim.kinney at gmail.com> wrote:
>> > In a multi-admin server environment, selinux and auditd can fully track
>> > who did what. Each admin logs in remotely and then can su to root, do
>> > their work and log out. Even though they can use su - to fully change to
>> > the root user with full environment, auditd tracks every command issued
>> > with both effective ID and original ID. So root from Fred is different
>> > from root from Sally.
>> >
>> > The addition of rootsh to the system as the only shell for root will
>> > provide a full log of keyboard entry and return data. That log can be on
>> > a remote machine.
>> >
>> > On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <brian.mathis+ale at betteradmin.com> wrote:
>> >
>> >> By "desktop" I mean a computer that sits on your desk either at home
>> >> or work, as opposed to servers that run in a data center.  I think
>> >> most people who don't see the difference between using 'su' vs 'sudo'
>> >> think that way because they are only playing with Linux on their home
>> >> desktop so it doesn't really matter.  However, in a server environment
>> >> where you need to manage resources, it does.
>> >>
>> >> I don't think anyone is using "desktop" to refer to using a GUI
>> >> instead of a shell prompt; at least that doesn't make sense in the
>> >> context of this discussion.
>> >>
>> >>
>> >> ❧ Brian Mathis
>> >>
>> >>
>> >> On Mon, May 21, 2012 at 2:48 AM, Matthew <simontek at gmail.com> wrote:
>> >> > I don't usually work in a desktop environment. Even though our project
>> >> > is using kde, I still do everything from command line.
>> >> >
>> >> > On 5/21/12, Brian Mathis <brian.mathis+ale at betteradmin.com> wrote:
>> >> >> There is an ENORMOUS difference between using "su" and "sudo -i", and
>> >> >> it's big enough that any old codgers out there should learn this new
>> >> >> trick:
>> >> >>
>> >> >>     To use 'su' you need the ROOT password.
>> >> >>     To use 'sudo', you need YOUR password.
>> >> >>
>> >> >> In any environment outside of your personal desktop, this is a huge
>> >> >> difference.  Securely distributing the root password to any number of
>> >> >> sysadmins, keeping track of who has it, and changing it every time
>> >> >> someone leaves (and redistributing the changed password) is a
>> >> >> nightmare, and it also violates most accepted rules of good security
>> >> >> (using shared passwords).
>> >> >>
>> >> >> If you grant root access through sudo, even if admins use 'sudo -i',
>> >> >> you only need to manage the sudoers file and you can forget about the
>> >> >> root password issue.  You still need to keep track of the root
>> >> >> password, but now you can set it to some long random string and keep
>> >> >> it locked in a safe somewhere.  You also get an audit trail of who's
>> >> >> logging in and switching to root, even if you don't get a full audit
>> >> >> of every command they run.
>> >> >>
>> >> >>
>> >> >> ❧ Brian Mathis
>> >> >>
>> >> >>
>> >> >> On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com> wrote:
>> >> >>> Why not just log in as root and stomp around if you're going to use
>> >> >>> sudo -i?
>> >> >>>
>> >> >>> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com> wrote:
>> >> >>>> sudo -i is definitely bad practice, it completely negates the
>> >> >>>> purpose of using sudo in the first place.
>> >> >>>>
>> >> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland <brian at stanaland.org>
>> >> >>>> wrote:
>> >> >>>>> I use 'sudo su -' which gets you the complete root experience.
>> >> >>>>>
>> >> >>>>> -- Brian
>> >> >>>>>
>> >> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <cluon at geeklabs.com>
>> >> >>>>> wrote:
>> >> >>>>>>
>> >> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:
>> >> >>>>>> > If that's current thinking, then it's changed.  I've been
>> >> >>>>>> > administrating Unix systems for about 25 years.  Sudo didn't
>> >> >>>>>> > exist and you needed to su in order to do admin tasks.  It was
>> >> >>>>>> > accepted and expected.  You couldn't install SunOS, HPUX, UNICOS
>> >> >>>>>> > or Irix without it.  I'm afraid this old dog isn't learning new
>> >> >>>>>> > tricks, I use sudo -s or sudo -i on a regular basis when I don't
>> >> >>>>>> > have su enabled.
>> >> >>>>>>
>> >> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves a
>> >> >>>>>> lot of time and typing over "sudo foo" for every command. On a
>> >> >>>>>> desktop, normal user system.. it seems to be the "right way". Be a
>> >> >>>>>> user for user things, become almost root for doing admin stuff on
>> >> >>>>>> my box.
>> >> >>>>>>
>> >> >>>>>> On a server.. there is only root for most sysadmin tasks. I've only
>> >> >>>>>> been running Linux since 94.. but have also worked on DG Nova's,
>> >> >>>>>> SCO unix, Slowlaris, etc.. but it seems to be the right way to
>> >> >>>>>> admin a server.  If you can't handle SSHing in/logging in as
>> >> >>>>>> root..  you should not be.
>> >> >>>> --
>> >> >>>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
>> >> >>
>> >> >> _______________________________________________
>> >> >> Ale mailing list
>> >> >> Ale at ale.org
>> >> >> http://mail.ale.org/mailman/listinfo/ale
>> >> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> >> http://mail.ale.org/mailman/listinfo
>> >> >>
>> >> >
>> >> > --
>> >> > Sent from my mobile device
>> >> >
>> >> > SimonTek
>> >> > 912-398-6704
>> >> >
>> >>
>> >>
>> >
>> > --
>> > James P. Kinney III
>> >
>> > As long as the general population is passive, apathetic, diverted to
>> > consumerism or hatred of the vulnerable, then the powerful can do as they
>> > please, and those who survive will be left to contemplate the outcome.
>> > - 2011 Noam Chomsky
>> >
>> > http://heretothereideas.blogspot.com/
>> >
>>
>> Our general practice is to use sudo and do a few things under the timer.
>> There are install sessions that require changing to user env of 3 different
>> users, all essentially system users, to whose accts I have the passwords,
>> but it is far quicker to sudo su - or sudo -i and then su - into the other
>> two accts from root, which requires no password to get into the accounts.
>> The system user passwords, and also the system root user passwords, can then
>> be different from machine to machine, and my work is not slowed down while I
>> get the notebooks with all passwords to search for this or that machine and
>> user.
>> Those notebooks would be the holy skeleton keys for the entire network
>> (and a huge security vulnerability), but are in a safe buried under 20 feet
>> of concrete, as all any of the admins have to have is their own password to
>> do any of the admin tasks they are permitted to do on any of the machines.
>> Sudo can be very granular, allowing some but not all admin tasks.  This
>> isn't all that apparent for new users of Ubuntu (which has root login
>> disabled by default in the gui Runlevel 5 login screen (GDM)).
>>
>> -Wolf
>>
>> PS In the most recent Ubuntu release, the automated update-manager
>> behaviour is to allow updates and safe-upgrades without a password entry,
>> but you still need a password to run aptitude or the Ubuntu software center
>> application.
>>
>> --
>> This Apt Has Super Cow Powers - http://sourcefreedom.com
>> Open-Source Software in Libraries - http://FOSS4Lib.org
>> Advancing Libraries Together - http://LYRASIS.org
>> Apache Open Office Developer wolfhalton at apache.org
>
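The two concrete sudoers pitfalls raised in the quoted thread (Jeff Lightner's "sudo vi" granting a root shell via ":!/bin/sh", and sudo grants on scripts that are not writable only by root in a root-only directory) can be checked mechanically. The script below is an added example written for this page, not code from anyone in the thread: the small sudoers parser, the ownership check with a swappable stat function, the sample sudoers text and the (uid, mode) ownership table are all constructed here, while sudoedit and the NOEXEC: tag are real sudo features named as the fix.

```python
import os
import re
import stat
SHELL_ESCAPE_PROGRAMS = {"vi", "vim", "view", "less", "more", "man"}  # all can spawn a shell like vi's ":!/bin/sh"
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")    # user host=(runas) cmds
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")                               # NOPASSWD:, NOEXEC:, ...
def parse_grants(sudoers_text):
    """Return (user, command_path) pairs from plain user specifications."""
    grants = []
    for line in sudoers_text.splitlines():
        m = SPEC_RE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) in ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias"):
            continue
        for raw in m.group(2).split(","):
            cmd = TAG_RE.sub("", raw.strip())
            if cmd and cmd != "ALL":
                grants.append((m.group(1), cmd.split()[0]))
    return grants
def not_root_only(path, stat_fn):
    """Jeff's rule: the file and its directory must be root-owned and not group/other writable."""
    for p in (path, os.path.dirname(path)):
        st = stat_fn(p)
        if st.st_uid != 0:
            return f"{p} is not owned by root"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{p} is writable by group or others"
    return ""
def audit_sudoers(sudoers_text, stat_fn=os.stat):
    findings = []  # (user, command, reason); stat_fn is swappable so the sample runs offline
    for user, cmd in parse_grants(sudoers_text):
        if os.path.basename(cmd) in SHELL_ESCAPE_PROGRAMS:
            findings.append((user, cmd, "shell escape to root; grant sudoedit or add NOEXEC:"))
        reason = not_root_only(cmd, stat_fn)
        if reason:
            findings.append((user, cmd, reason))
    return findings

# Constructed sample sudoers and ownership table (uid, mode) standing in for a real host.
SAMPLE_SUDOERS = """Defaults  syslog=authpriv
root   ALL=(ALL) ALL
alice  ALL=(ALL) NOPASSWD: /usr/bin/vi
bob    ALL=(root) /home/bob/bin/deploy.sh
"""
FAKE_FS = {"/usr/bin": (0, 0o40755), "/usr/bin/vi": (0, 0o100755),
           "/home/bob/bin": (1001, 0o40755), "/home/bob/bin/deploy.sh": (1001, 0o100755)}
def fake_stat(path):  # os.stat() look-alike built from the table above
    uid, mode = FAKE_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

Against a live host, call audit_sudoers(open("/etc/sudoers").read()) with the default os.stat, which needs read access to the file.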