:: Re: [DNG] New behaviour under Devua…
Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Miroslav Rovis
Ημερομηνία:  
Προς: Didier Kryn, Renaud (Ron) OLGIATI
Υ/ο: dng@lists.dyne.org
Αντικείμενο: Re: [DNG] New behaviour under Devuan.
Also a reply by Renaud, further in bottom (with the color codes! :-) )

On 170923-18:50+0200, Didier Kryn wrote:
> Le 23/09/2017 à 16:54, Miroslav Rovis a écrit :


The targetpw, three lines below is key to understanding my query that I posted
regarding the ability to forget the root password when issuing the "sudo su -l"
command, as Didier wrote in a previous email.
> >
> > # Allow members of group sudo to execute any command
> > %sudo   ALL=(ALL:ALL) ALL
> > Defaults targetpw
> > mr      ALL=(ALL:ALL) ALL

> >

...
>
>     I don't know what "Default targetpw" is. Never used that.


From "man sudoers":
     targetpw          If set, sudo will prompt for the password of the user
                       specified by the -u option (defaults to root) instead of
                       the password of the invoking user when running a command
                       or editing a file.  Note that this flag precludes the
                       use of a uid not listed in the passwd database as an
                       argument to the -u option.  This flag is off by default.


So, no forgetting of the root password when becoming root via sudo is
impossible in my configuration!

> Here are my
> only defaults:
>
> Defaults        env_reset
> Defaults        env_keep=EDITOR
> Defaults
> secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
> Defaults editor = /usr/bin/nano:/usr/bin/vim:/usr/bin/vi:/usr/bin/emacs:/usr/bin/jed:/usr/bin/mg:/usr/bin/zile

>
> You need to pass the user's editor for use with sudoedit and visudo, but,
> for security, you must only allow known editors.
>
> I don't give permissions to groups, only to some persons, based on necessity
> and competence. For this I use "UserAlias" and "CmndAlias" and I recommend
> it.
>
>
> User_Alias      ELOGADMIN = gahs, kryn, kaneda, neff
> User_Alias      PYTHONADM = kaneda
> ...
> Cmnd_Alias      VIEW = /bin/more, /usr/bin/less, /bin/grep
> Cmnd_Alias      HIDE = !/bin/more *shadow, !/usr/bin/less *shadow,
> !/bin/grep *shadow
> ...
> ELOGADMIN THIS_HOST = (elog)                ALL
> SYSADMIN  THIS_HOST = (root)      NOPASSWD: /bin/ls, VIEW, HIDE
> SYSADMIN  THIS_HOST = (root) /usr/sbin/service, /bin/mount
> SUPER     ALL       = (root)                ALL

>
> >
> > > Sudo does have its benefits but it must be used to control user
> > > privileges. Granting all commands to every user is the opposite of
> > > what security means.
> > As above, the targetpw helps against that...
> >
> > And I don't get what Didier means. Citation below is manually pasted in.
> > On 170923-11:10+0200, Didier Kryn wrote:
> > > Le 23/09/2017 à 08:49, Alessandro Selli a écrit :
> > > >     He's actually right: the least the superuser's password is used, the better
> > > > and the safer.


This is what I surely would never understand, because in my configuration it
could never happen:
> > >      Yep, you can invoke 'sudo su -l'; that's su without the root password.
> > > It helps you forget the root password.

> > >
> > >      Didier
> > Whatever do you mean that command above "helps you forget the root password"?
>     See at the bottom :-)

> >
> > Let me use grsecurity-kernel's exec_logging and audit chdir features ofmy
> > (miniply github repo) grsecurity-hardened kernel to explain my query. It was
> > originally 44 lines, and 44 lines of quick truth, but I reduced it to
> > 20-something lines, as some of it is not relevant to here, and I deliberately
> > modified some info, where not relevant only. But, I wrapped all the lines for
> > email web, and inserted space btwn lines. Here:
> >
> > The first 8 lines is me starting an xterm to test that Didier's command:
> >
> > [...]
> > So what about and how that command "helps you forget the root password"? I did
> > have to type my root password right before I became "uid/euid:0/0 gid/egid:0/0"
> > having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...
> >
> > Regards?
> >
>     Sorry but I'm lost in all these logs. What I meant is:

I figured out what you meant, as you can read above.

However, those logs --readers see my previous email-- demonstrate, and kind of
with forensical certainty, that I switched to root, while previously having
been only user mr, and all the events around it, because that grsecurity
feature logs all exec's and chdir's in a system. Occasionally that is a superb
feature you could only dream of, but it is available only in
grsecurity-kernels, and the miniply's unofficial-grsecurity kernel appears to
me very reliable, even though the original developers left months ago --though
this statement of mine is still to be confirmed with more use/more testing!

Yet, if I didn't have targetpw I would anyway become root under different
configuration... i.e., if conf such, with user's own password. So the logs
don't prove much at all in this case... It would take strace or keyboard logger
to prove what exactly happened... Dear God, it's all so deep knowledge in
there, how do you become really secure!... I've spent huge time on grsecurity
and hardenening, and I know a little there, but there's so much more to get a
safe system that it's all a little disheartening!

> 1) if you allow yourself in the sudoers file to run 'su' as root, then you
> never need the root password anymore; you use yours instead.

Except: I chose targetpw, as the advice, to my best remembrance, was to use:
> > mr      ALL=(ALL:ALL) ALL

(as further above) only if targetpw is also set...

> 2) if you never need the root password anymore then you might quickly forget
> it, unless you have written it somewhere. But, since you don't need it, one
> can argue it doesn't matter... I leave it to your apreciation.
>
>     One nice thing with sudo is that it doesn't ask the password everytime
> you invoke it. Note that you can even give yourself the permission to run su
> without a password:

>
> mr  all = (root)      NOPASSWD: /bin/su

>
>     I wouldn't recommend it :-)

Of course not!

>                 Didier


And Renaud sent this to me instead of to the list (pobably by mistake, namely
there are no sensitive data in his email below).

On 170923-12:49-0400, Renaud (Ron) OLGIATI wrote:
> On Sat, 23 Sep 2017 15:12:23 +0000
> Miroslav Rovis <miro.rovis@???> wrote:
>
> > Anybody got a quick tips page somewhere to find the exact color codes?
>
> From the "cookbook" where I note all those interesting bits that will be needed at the next full install:
>
> and as user in vi ~/.bashrc
>     PS1='\n\[\033[1;34m\]\u@\h:\w \$ \[\033[0m\]'
> Colour codes
>   Black  0;30   Red  0;31   Green  0;32   Brown  0;33   Blue  0;34   Purple  0;35   Cyan  0;36 
>   Replace digit 0 with 1 to get light colour version.
>  Same numbers+10 for background, separated by ; 

>
> Yellow on green: PS1='\n\[\033[1;33;1;42m\]\u@\h:\w \$ \[\033[0m\]'
>
> Cheers,
>
> Ron.


Thanks! And that's from you private cookbook! :-)

All is now easier to understand. After a deep breath, and possibly some
other work that's awaiting me.

Regards!

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr