Author: Miroslav Rovis
Date:
To: Edward Bartolo, Didier Kryn
CC: dng
Subject: Re: [DNG] New behaviour under Devuan.
(Also replying to Didier Kryn, because it is related to my question put
following Edward's email below; however, too much of Edward's text is missing
in Didier's reply.)

On 170923-09:15+0200, Edward Bartolo wrote:
> Quote: "He's actually right: the least the superuser's password is
> used, the better
> and the safer."
>
> Granted, but sudo as configured in Ubuntu makes the use of a superuser
> password pointless. Sudo is configured to be a wide wide open door
> leading to any part of a computer's 'household'. In other words, sudo
> with the infamous 'user ALL=(ALL)' in /etc/sudoers makes root
> practically like any other user.


I do have it (that exact section of my /etc/sudoers follows):

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
Defaults targetpw
mr      ALL=(ALL:ALL) ALL


Does "Defaults targetpw", together with a really strong password, still keep me
safe, sudo-wise (not talking other measures: iptables, grsecurity; just sudo-wise)?

I am (as user mr) both:

# cat /etc/group | grep sudo
sudo:x:27:mr
#

member of group sudo, and have those lines under "Defaults targetpw". Really
interested in opinions/advice: safe, as far as sudo goes?

> Sudo does have its benefits but it must be used to control user
> privileges. Granting all commands to every user is the opposite of
> what security means.


As above, the targetpw helps against that...

And I don't get what Didier means. Citation below is manually pasted in.
On 170923-11:10+0200, Didier Kryn wrote:
> On 23/09/2017 at 08:49, Alessandro Selli wrote:
> >    He's actually right: the least the superuser's password is used, the better
> > and the safer.
>
>     Yep, you can invoke 'sudo su -l'; that's su without the root password.
> It helps you forget the root password.
>
>     Didier


Whatever do you mean by saying that the command above "helps you forget the root password"?

Let me use the exec_logging and audit chdir features of my grsecurity-hardened
kernel (miniply github repo) to explain my query. It was originally 44 lines,
and 44 lines of quick truth, but I reduced it to 20-something lines, as some of
it is not relevant here, and I deliberately modified some info, where not
relevant only. But I wrapped all the lines for email web, and inserted a blank
line between lines. Here:

The first 8 lines are me starting an xterm to test Didier's command:

Sep 23 14:12:35 gdOv kernel: [471743.404689] grsec: exec of /usr/bin/xterm
(xterm -g 110x35+0+154 -fn
-misc-fixed-medium-r-normal--13-120-75-75-c-70-iso10646-1 ) by
/usr/bin/xterm[bash:5257] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:4315] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.516776] grsec: exec of
/usr/lib/x86_64-linux-gnu/utempter/utempter
(/usr/lib/x86_64-linux-gnu/utempter/utempter add :0 ) by
/usr/lib/x86_64-linux-gnu/utempter/utempter[xterm:5258] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/xterm[xterm:5257] uid/euid:1000/1000
gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.523902] grsec: exec of /bin/bash (bash )
by /bin/bash[xterm:5259] uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/xterm[xterm:5257] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.531515] grsec: exec of /usr/bin/tput (tput
setaf 1 ) by /usr/bin/tput[bash:5260] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.535058] grsec: exec of /usr/bin/dircolors
(dircolors -b ) by /usr/bin/dircolors[bash:5262] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5261] uid/euid:1000/1000
gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.561333] grsec: exec of /bin/ls (ls
/etc/bash_completion.d ) by /bin/ls[bash:5264] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5263] uid/euid:1000/1000
gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.577900] grsec: exec of /usr/bin/xset (xset
r rate 220 70 ) by /usr/bin/xset[bash:5265] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000
gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.585045] grsec: exec of /usr/bin/tty (tty )
by /usr/bin/tty[bash:5267] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:5266] uid/euid:1000/1000 gid/egid:1000/1000


And this is pasting that command straight from Didier's email or so:

Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo
su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000

My password is not trivial; it takes me a few seconds (7 seconds here, between
the above and the execution):

Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by
/bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268]
uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.976075] grsec: chdir to /root by
/bin/su[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269]
uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by
/bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269]
uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.983247] grsec: exec of /usr/bin/id (id -u
) by /usr/bin/id[bash:5272] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5271] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.007333] grsec: exec of /bin/ls (ls
/etc/bash_completion.d ) by /bin/ls[bash:5274] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5273] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.027574] grsec: exec of /usr/bin/dircolors
(dircolors ) by /usr/bin/dircolors[bash:5276] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5275] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.033984] grsec: exec of /usr/bin/dircolors
(dircolors -b ) by /usr/bin/dircolors[bash:5278] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5277] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.038948] grsec: exec of /usr/bin/xset (xset
r rate 220 70 ) by /usr/bin/xset[bash:5279] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.042488] grsec: exec of /usr/bin/setxkbmap
(setxkbmap fr ) by /usr/bin/setxkbmap[bash:5280] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.057277] grsec: exec of /bin/dash (sh -c
"/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD
keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/dash[Xorg:5281]
uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/xorg/Xorg[Xorg:4131]
uid/euid:1000/0 gid/egid:1000/0

Sep 23 14:12:45 gdOv kernel: [471753.071382] grsec: exec of /usr/bin/xkbcomp
(/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap
compiler (xkbcomp) reports: -emp > -eml Errors from) by
/usr/bin/xkbcomp[sh:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:45 gdOv kernel: [471753.072665] grsec: chdir to /usr/share/X11/xkb
by /usr/bin/xkbcomp[xkbcomp:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:45 gdOv kernel: [471753.095838] grsec: exec of /usr/bin/xset (xset
b off ) by /usr/bin/xset[bash:5283] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.109265] grsec: exec of /usr/bin/mesg (mesg
n ) by /usr/bin/mesg[bash:5284] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

[...]

Sep 23 14:15:09 gdOv kernel: [471897.458734] grsec: exec of /bin/date (date
+%y%m%d_%H%M%S ) by /bin/date[bash:5317] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.458774] grsec: exec of /bin/cat (cat
/var/log/kern.log ) by /bin/cat[bash:5315] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.463625] grsec: exec of /bin/hostname
(hostname ) by /bin/hostname[bash:5318] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.466904] grsec: exec of /bin/grep (grep -aE
-A23000 471743.404689 ) by /bin/grep[bash:5316] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0


I decided to keep the last lines, because it's how I got those logs. The command was:

# cat /var/log/kern.log | grep -aE -A23000 471743.404689 \
    > kern.log_$(date +%y%m%d_%H%M%S)_$(hostname)


(where 471743.404689 was taken from the terminal in bottom left where only
"tail -f /var/log/kern.log" is running)

So what about it, and how does that command "help you forget the root password"?
I did have to type my root password right before I became "uid/euid:0/0
gid/egid:0/0", having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...

Regards?

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
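As an added example (not from the post, the list, or grsecurity itself), here is a small Python scanner for grsec "exec of" / "chdir to" audit lines of the shape shown above: it records the euid each pid was first seen with and reports any pid that later appears, as actor or as parent, with euid 0. For a `sudo su -l` trace that pins the boundary crossing on the sudo process itself rather than on the su it spawned. The lines in SAMPLE are constructed, modelled on the post's excerpt with the email wrapping undone; the function and field names are the example's own.

```python
import re
from typing import Dict, List, Optional

# One grsecurity audit line carries an actor and its parent, each written as
#   /path[comm:pid] uid/euid:U/E gid/egid:G/EG
# (comm is the name the process had *before* the exec, hence "[bash:5268]" for sudo).
_PROC = (r"(?P<{p}path>[^\s\[]+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:\d+/\d+")
_LINE = re.compile(
    r"grsec: (?:exec of (?P<exe>\S+) \((?P<argv>.*?)\)|chdir to (?P<dir>\S+)) by "
    + _PROC.format(p="a_") + r", parent " + _PROC.format(p="p_"))


def parse_line(raw: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one grsec exec/chdir line, or None for anything else."""
    m = _LINE.search(raw)
    return m.groupdict() if m else None


def find_escalations(lines: List[str]) -> List[Dict[str, str]]:
    """Report each pid first seen with a non-root euid that later shows up with euid 0.
    The reported 'cmd' is what that pid was executing when first seen."""
    seen: Dict[str, Dict[str, object]] = {}   # pid -> {"euid": int, "cmd": str}
    hits: List[Dict[str, str]] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for role in ("a_", "p_"):
            pid, euid = rec[role + "pid"], int(rec[role + "euid"])
            if pid not in seen:
                # the actor's own exec line names its argv; a parent sighting only has a path
                argv = rec["argv"] if role == "a_" else None
                seen[pid] = {"euid": euid, "cmd": argv.strip() if argv else rec[role + "path"]}
            elif seen[pid]["euid"] != 0 and euid == 0:
                hits.append({"pid": pid, "cmd": str(seen[pid]["cmd"]),
                             "from_euid": str(seen[pid]["euid"])})
                seen[pid]["euid"] = 0   # report each crossing once
    return hits


# Constructed sample, modelled on the kern.log excerpt in the post (unwrapped).
SAMPLE = [
    "Sep 23 14:12:35 gdOv kernel: [471743.523902] grsec: exec of /bin/bash (bash ) by /bin/bash[xterm:5259] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xterm[xterm:5257] uid/euid:1000/1000 gid/egid:1000/1000",
    "Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000",
    "Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by /bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268] uid/euid:0/0 gid/egid:0/0",
    "Sep 23 14:12:45 gdOv kernel: [471752.976075] grsec: chdir to /root by /bin/su[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0",
    "Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by /bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    for h in find_escalations(SAMPLE):
        print(f"pid {h['pid']} went from euid {h['from_euid']} to 0 while running: {h['cmd']}")
```

Run against a real kern.log the same way as `cat /var/log/kern.log | python3 scan.py`-style piping would need the wrapped lines rejoined first; the scanner only understands one audit record per line.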