:: Re: [DNG] New behaviour under Devua…
Góra strony
Delete this message
Reply to this message
Autor: Didier Kryn
Data:  
Dla: dng@lists.dyne.org
Temat: Re: [DNG] New behaviour under Devuan.
Le 23/09/2017 à 16:54, Miroslav Rovis a écrit :
> (Also replying to Didier Kryn, because it is related to my question put
> following Edward email below, however, too much Edward's text missing in
> Didier's reply.)
>
> On 170923-09:15+0200, Edward Bartolo wrote:
>> Quote: "He's actually right: the least the superuser's password is
>> used, the better
>> and the safer."
>>
>> Granted, but sudo as configured in Ubuntu makes the use of a superuser
>> password pointless. Sudo is configured to be a wide wide open door
>> leading to any part of a computer's 'household'. In other words, sudo
>> with the infamous 'user ALL=(ALL)' in /etc/sudoers makes root
>> practically like any other user.
> I do have it (that exact section of my /etc/sudoers follows):
>
> # Allow members of group sudo to execute any command
> %sudo   ALL=(ALL:ALL) ALL
> Defaults targetpw
> mr      ALL=(ALL:ALL) ALL

>
> Does the "Defaults targetpw", and a really strong password still keep me safe,
> sudo-wise (not talking other measures: iptables, grsecurity, just sudo-wise)?
>
> I am (as user mr) both:
>
> # cat /etc/group | grep sudo
> sudo:x:27:mr
> #
>
> member of group sudo, and have those lines under "Defaults targetpw". Really
> interested about opinions/advice: safe, as far as sudo goes?


     I don't know what "Default targetpw" is. Never used that. Here are 
my only defaults:


Defaults        env_reset
Defaults        env_keep=EDITOR
Defaults 
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults editor = 
/usr/bin/nano:/usr/bin/vim:/usr/bin/vi:/usr/bin/emacs:/usr/bin/jed:/usr/bin/mg:/usr/bin/zile


You need to pass the user's editor for use with sudoedit and visudo,
but, for security, you must only allow known editors.

I don't give permissions to groups, only to some persons, based on
necessity and competence. For this I use "UserAlias" and "CmndAlias" and
I recommend it.


User_Alias      ELOGADMIN = gahs, kryn, kaneda, neff
User_Alias      PYTHONADM = kaneda
...
Cmnd_Alias      VIEW = /bin/more, /usr/bin/less, /bin/grep
Cmnd_Alias      HIDE = !/bin/more *shadow, !/usr/bin/less *shadow, 
!/bin/grep *shadow
...
ELOGADMIN THIS_HOST = (elog)                ALL
SYSADMIN  THIS_HOST = (root)      NOPASSWD: /bin/ls, VIEW, HIDE
SYSADMIN  THIS_HOST = (root) /usr/sbin/service, /bin/mount
SUPER     ALL       = (root)                ALL


>
>> Sudo does have its benefits but it must be used to control user
>> privileges. Granting all commands to every user is the opposite of
>> what security means.
> As above, the targetpw helps against that...
>
> And I don't get what Didier means. Citation below is manually pasted in.
> On 170923-11:10+0200, Didier Kryn wrote:
>> Le 23/09/2017 à 08:49, Alessandro Selli a écrit :
>>>     He's actually right: the least the superuser's password is used, the better
>>> and the safer.
>>      Yep, you can invoke 'sudo su -l'; that's su without the root password.
>> It helps you forget the root password.

>>
>>      Didier
> Whatever do you mean that command above "helps you forget the root password"?

     See at the bottom :-)

>
> Let me use grsecurity-kernel's exec_logging and audit chdir features ofmy
> (miniply github repo) grsecurity-hardened kernel to explain my query. It was
> originally 44 lines, and 44 lines of quick truth, but I reduced it to
> 20-something lines, as some of it is not relevant to here, and I deliberately
> modified some info, where not relevant only. But, I wrapped all the lines for
> email web, and inserted space btwn lines. Here:
>
> The first 8 lines is me starting an xterm to test that Didier's command:
>
> [...]
> So what about and how that command "helps you forget the root password"? I did
> have to type my root password right before I became "uid/euid:0/0 gid/egid:0/0"
> having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...
>
> Regards?
>

     Sorry but I'm lost in all these logs. What I meant is:
1) if you allow yourself in the sudoers file to run 'su' as root, then 
you never need the root password anymore; you use yours instead.
2) if you never need the root password anymore then you might quickly 
forget it, unless you have written it somewhere. But, since you don't 
need it, one can argue it doesn't matter... I leave it to your apreciation.


     One nice thing with sudo is that it doesn't ask the password 
everytime you invoke it. Note that you can even give yourself the 
permission to run su without a password:


mr  all = (root)      NOPASSWD: /bin/su


     I wouldn't recommend it :-)


                 Didier