(Also replying to Didier Kryn, because it is related to my question put
following Edward's email below; however, too much of Edward's text is missing
in Didier's reply.)
On 170923-09:15+0200, Edward Bartolo wrote:
> Quote: "He's actually right: the less the superuser's password is used,
> the better and the safer."
>
> Granted, but sudo as configured in Ubuntu makes the use of a superuser
> password pointless. Sudo is configured to be a wide wide open door
> leading to any part of a computer's 'household'. In other words, sudo
> with the infamous 'user ALL=(ALL)' in /etc/sudoers makes root
> practically like any other user.
I do have it (that exact section of my /etc/sudoers follows):
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Defaults targetpw
mr ALL=(ALL:ALL) ALL
Do the "Defaults targetpw" and a really strong password still keep me safe,
sudo-wise (not talking about other measures like iptables or grsecurity, just sudo-wise)?
I am (as user mr) both:
# cat /etc/group | grep sudo
sudo:x:27:mr
#
member of group sudo, and have those lines under "Defaults targetpw". Really
interested in opinions/advice: is it safe, as far as sudo goes?
> Sudo does have its benefits but it must be used to control user
> privileges. Granting all commands to every user is the opposite of
> what security means.
As above, the targetpw helps against that...
And I don't get what Didier means. Citation below is manually pasted in.
On 170923-11:10+0200, Didier Kryn wrote:
> On 23/09/2017 at 08:49, Alessandro Selli wrote:
> > He's actually right: the less the superuser's password is used, the better
> > and the safer.
>
> Yep, you can invoke 'sudo su -l'; that's su without the root password.
> It helps you forget the root password.
>
> Didier
Whatever do you mean by saying that the command above "helps you forget the root password"?
Let me use the exec_logging and audit-chdir features of my grsecurity-hardened
kernel (miniply github repo) to explain my query. It was originally 44 lines,
and 44 lines of quick truth, but I reduced it to 20-something lines, as some of
it is not relevant here, and I deliberately modified some info, only where it
is not relevant. But I wrapped all the lines for email and web, and inserted
spaces between lines. Here:
The first 8 lines are me starting an xterm to test Didier's command:
Sep 23 14:12:35 gdOv kernel: [471743.404689] grsec: exec of /usr/bin/xterm
(xterm -g 110x35+0+154 -fn
-misc-fixed-medium-r-normal--13-120-75-75-c-70-iso10646-1 ) by
/usr/bin/xterm[bash:5257] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:4315] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.516776] grsec: exec of
/usr/lib/x86_64-linux-gnu/utempter/utempter
(/usr/lib/x86_64-linux-gnu/utempter/utempter add :0 ) by
/usr/lib/x86_64-linux-gnu/utempter/utempter[xterm:5258] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/xterm[xterm:5257] uid/euid:1000/1000
gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.523902] grsec: exec of /bin/bash (bash )
by /bin/bash[xterm:5259] uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/xterm[xterm:5257] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.531515] grsec: exec of /usr/bin/tput (tput
setaf 1 ) by /usr/bin/tput[bash:5260] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.535058] grsec: exec of /usr/bin/dircolors
(dircolors -b ) by /usr/bin/dircolors[bash:5262] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5261] uid/euid:1000/1000
gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.561333] grsec: exec of /bin/ls (ls
/etc/bash_completion.d ) by /bin/ls[bash:5264] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5263] uid/euid:1000/1000
gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.577900] grsec: exec of /usr/bin/xset (xset
r rate 220 70 ) by /usr/bin/xset[bash:5265] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000
gid/egid:1000/1000
Sep 23 14:12:35 gdOv kernel: [471743.585045] grsec: exec of /usr/bin/tty (tty )
by /usr/bin/tty[bash:5267] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:5266] uid/euid:1000/1000 gid/egid:1000/1000
And this is pasting that command straight from Didier's email or so:
Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo
su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000
My password is not trivial; it takes me a few seconds (7 seconds here, between
the above and the execution):
Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by
/bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268]
uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471752.976075] grsec: chdir to /root by
/bin/su[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269]
uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by
/bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269]
uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471752.983247] grsec: exec of /usr/bin/id (id -u
) by /usr/bin/id[bash:5272] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5271] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.007333] grsec: exec of /bin/ls (ls
/etc/bash_completion.d ) by /bin/ls[bash:5274] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5273] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.027574] grsec: exec of /usr/bin/dircolors
(dircolors ) by /usr/bin/dircolors[bash:5276] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5275] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.033984] grsec: exec of /usr/bin/dircolors
(dircolors -b ) by /usr/bin/dircolors[bash:5278] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5277] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.038948] grsec: exec of /usr/bin/xset (xset
r rate 220 70 ) by /usr/bin/xset[bash:5279] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.042488] grsec: exec of /usr/bin/setxkbmap
(setxkbmap fr ) by /usr/bin/setxkbmap[bash:5280] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.057277] grsec: exec of /bin/dash (sh -c
"/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD
keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/dash[Xorg:5281]
uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/xorg/Xorg[Xorg:4131]
uid/euid:1000/0 gid/egid:1000/0
Sep 23 14:12:45 gdOv kernel: [471753.071382] grsec: exec of /usr/bin/xkbcomp
(/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap
compiler (xkbcomp) reports: -emp > -eml Errors from) by
/usr/bin/xkbcomp[sh:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:45 gdOv kernel: [471753.072665] grsec: chdir to /usr/share/X11/xkb
by /usr/bin/xkbcomp[xkbcomp:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:45 gdOv kernel: [471753.095838] grsec: exec of /usr/bin/xset (xset
b off ) by /usr/bin/xset[bash:5283] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471753.109265] grsec: exec of /usr/bin/mesg (mesg
n ) by /usr/bin/mesg[bash:5284] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0
[...]
Sep 23 14:15:09 gdOv kernel: [471897.458734] grsec: exec of /bin/date (date
+%y%m%d_%H%M%S ) by /bin/date[bash:5317] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0
Sep 23 14:15:09 gdOv kernel: [471897.458774] grsec: exec of /bin/cat (cat
/var/log/kern.log ) by /bin/cat[bash:5315] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0
Sep 23 14:15:09 gdOv kernel: [471897.463625] grsec: exec of /bin/hostname
(hostname ) by /bin/hostname[bash:5318] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0
Sep 23 14:15:09 gdOv kernel: [471897.466904] grsec: exec of /bin/grep (grep -aE
-A23000 471743.404689 ) by /bin/grep[bash:5316] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0
I decided to keep the last lines, because that's how I got those logs. The command was:
# cat /var/log/kern.log | grep -aE -A23000 471743.404689 \
> kern.log_$(date +%y%m%d_%H%M%S)_$(hostname)
(where 471743.404689 was taken from the terminal in bottom left where only
"tail -f /var/log/kern.log" is running)
So what about that, and how does that command "help you forget the root password"? I did
have to type my root password right before I became "uid/euid:0/0 gid/egid:0/0",
having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...
Regards?
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
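
As an added example (not part of this e-mail, nor code from grsecurity), the following Python script parses exec_logging lines in the format quoted above and flags the point where a PID last seen with euid 1000 reappears with euid 0, which is exactly the sudo -> su -l transition the log shows, together with the seconds that elapsed (the password prompt). The sample lines are four of the quoted kern.log lines with the e-mail wrapping removed; the function names are my own.

```python
import re

# Grsecurity exec_logging line (format of the quoted kern.log); chdir audit lines are skipped.
EXEC_RE = re.compile(
    r"\[(?P<ts>\d+\.\d+)\] grsec: exec of (?P<path>\S+) \((?P<argv>.*?)\) by "
    r"(?P<exe>\S+)\[[^:\]]+:(?P<pid>\d+)\] uid/euid:\d+/(?P<euid>\d+) gid/egid:\S+, "
    r"parent (?P<pexe>\S+)\[[^:\]]+:(?P<ppid>\d+)\] uid/euid:\d+/(?P<peuid>\d+)")

def parse_exec(line):
    """Fields of an exec line as a dict (numbers converted), or None."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "euid", "ppid", "peuid"):
        ev[key] = int(ev[key])
    ev["ts"] = float(ev["ts"])
    return ev

def find_escalations(lines):
    """Flag every PID first seen with a non-zero euid and later with euid 0.
    Returns (pid, exe, old_euid, seconds_elapsed, first_root_exec) tuples; only
    the latest sighting per PID is kept (PID reuse over long logs needs care)."""
    seen = {}  # pid -> (exe, euid, ts)
    hits = []
    for line in lines:
        ev = parse_exec(line)
        if ev is None:
            continue
        # Each line shows two processes: the exec'ing one and its parent.
        for pid, exe, euid in ((ev["pid"], ev["exe"], ev["euid"]),
                               (ev["ppid"], ev["pexe"], ev["peuid"])):
            prev = seen.get(pid)
            if prev and prev[1] != 0 and euid == 0:
                child = "%s (%s)" % (ev["path"], ev["argv"].strip())
                hits.append((pid, prev[0], prev[1], ev["ts"] - prev[2], child))
            seen[pid] = (exe, euid, ev["ts"])
    return hits

# Constructed sample: four lines of the quoted kern.log, e-mail wrapping removed.
SAMPLE = [
    "Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000",
    "Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by /bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268] uid/euid:0/0 gid/egid:0/0",
    "Sep 23 14:12:45 gdOv kernel: [471752.976075] grsec: chdir to /root by /bin/su[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0",
    "Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by /bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    for pid, exe, old, secs, child in find_escalations(SAMPLE):
        print("pid %d %s: euid %d -> 0 after %.1fs, first root exec: %s" % (pid, exe, old, secs, child))
```

Run against a full kern.log the same function reports every such transition, so a root shell obtained through sudo shows up as a flagged PID even when no root password was typed.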