On Tuesday 07 August 2018 15:08:34 Nemeth Gyorgy wrote:
> On 2018-08-07 14:50, The Wanderer wrote:
> > But it's more secure to require a second password to do elevated
> > things than to permit doing those things with the same password as
> > is used for ordinary activities.
>
> Then use o
On 2018-08-07 14:50, The Wanderer wrote:
>
> But it's more secure to require a second password to do elevated things
> than to permit doing those things with the same password as is used for
> ordinary activities.
Then use other pam backend module for sudo and not the 'common-auth'.
There
On Tue, Aug 07, 2018 at 06:01:27PM +, Curt wrote:
I thought his point might be that in typing the full path at least you
know you're getting '/bin/su' and not some other 'su' that a malevolent
individual might have created in your home directory after prepending HOME
to your path, for example
On 2018-08-07, Nicolas George wrote:
>
> Curt (2018-08-07):
>> I thought his point might be that in typing the full path at least you
>> know you're getting '/bin/su' and not some other 'su' that a malevolent
>> individual might have created in your home directory after prepending HOME
>> to your
Curt (2018-08-07):
> I thought his point might be that in typing the full path at least you
> know you're getting '/bin/su' and not some other 'su' that a malevolent
> individual might have created in your home directory after prepending HOME
> to your path, for example (in that malevolent person's
On 2018-08-07, Michael Stone wrote:
> On Tue, Aug 07, 2018 at 11:14:26AM -0500, David Wright wrote:
>>On Tue 07 Aug 2018 at 15:31:43 (+0200), Nicolas George wrote:
>>> The Wanderer (2018-08-07):
>>
>>> > > Anyone who learns the user's password can obtain the second password
>>> > > pretty easily.
On Tue, Aug 07, 2018 at 11:14:26AM -0500, David Wright wrote:
On Tue 07 Aug 2018 at 15:31:43 (+0200), Nicolas George wrote:
The Wanderer (2018-08-07):
> > Anyone who learns the user's password can obtain the second password
> > pretty easily.
> How so?
Just insert a fake su in their path. Th
On Tue, Aug 07, 2018 at 06:29:58PM +0200, Nicolas George wrote:
> David Wright (2018-08-07):
> > This does make me wonder why nobody here seems to have pointed out
> > that su should be spelled "/bin/su -". My fingers have been wired
> > that way for 20 years.
>
> As I said, there are more subtle
David Wright (2018-08-07):
> This does make me wonder why nobody here seems to have pointed out
> that su should be spelled "/bin/su -". My fingers have been wired
> that way for 20 years.
As I said, there are more subtle ways, and the full path will not
protect you from them.
Regards,
--
Nic
I think as a general philosophy it used to be
this is your computer, as user we make sure it works and you can do some
things.
You can also be root but if you break it you get to keep the bits.
mick
--
Key ID4BFEBB31
Martin writes:
> [...]
>>>
>>> is new to me, I never knew! And I think it is good approach.
>>> Does one actually get pointed to this during install?
>>
>> ┌───┤ [?] Set up users and passwords
>> ├┐
>> │
On Tue 07 Aug 2018 at 15:31:43 (+0200), Nicolas George wrote:
> The Wanderer (2018-08-07):
> > > Anyone who learns the user's password can obtain the second password
> > > pretty easily.
> > How so?
>
> Just insert a fake su in their path. There are more subtle ways.
This does make me wonder wh
On Tue 07 Aug 2018 at 08:07:56 (-0400), The Wanderer wrote:
> I'm fairly sure that when I did (some of) my existing installs - which,
> to be fair, was years and years ago - sudo came with the system, even
> though I didn't even consider the concept of setting the machine up with
> no root passwor
[...]
>>
>> is new to me, I never knew! And I think it is good approach.
>> Does one actually get pointed to this during install?
>
> ┌───┤ [?] Set up users and passwords
> ├┐
> │
On Tue 07 Aug 2018 at 13:23:06 (+0200), Martin Drescher wrote:
> That
>
> > If you set a root password in d-i (as it asks you to), it doesn't
> > install sudo. If you try to set a blank root password, it locks the root
> > account, installs sudo and sets up the user you created with sudo
> > acces
On Tue, Aug 07, 2018 at 02:27:48 +0200, Martin wrote:
Come on. You are telling me, it is more secure to share one secret among
multiple people against every person having its own?
If the password is stored in a password safe, and everyone in the IT has
access to it, where is the problem?
First
On 2018-08-07 10:58, Martin Drescher wrote:
Hi members,
I'm a little... let's say thoughtful, about the use of 'su' discussed
at some points in this list.
I have a strong opinion about su, which is, avoid it whenever it is
possible and use 'sudo' instead. This is the case in close to a 100%
in al
>> Once you let a user run an editor with escalated privileges, you're
>> fu**ed. In almost every editor, you can load a different file, save
>> the buffer with a different file name.
>
> Of course.
>
> Again, that comes down to: do you trust this user with elevated access,
> or not?
It is not
On Tue, Aug 07, 2018 at 09:22:07AM -0400, The Wanderer wrote:
Or, rather, that you can do elevated-access things with the same
credentials as are used to permit non-elevated access.
I consider that to be, by definition, a security hole.
That can be addressed three ways: first, you can have sud
> I've long forgotten why, but I committed "sudo su -" to muscle memory
First, you execute sudo with target UID 0 (aka. root).
While doing that, sudo does all the fancy things for you, like setting or
unsetting environments (eg SUDO_COMMAND, SUDO_UID, SUDO_USER) and check, if you
will be grante
The Wanderer (2018-08-07):
> I don't consider that a significant downside;
Maybe your uses are too limited for you to experience it.
> in some contexts, it may
> even be an advantage.
No, it may not. With sudo, adding "sh -c" allows to emulate su's
b
On 2018-08-07 at 09:22, Dave Sherohman wrote:
> On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote:
>
>> On 2018-08-07 at 07:47, Martin wrote:
>>
>>> The point is not, that ONE person needs a root password. All
>>> people intended to do privileged things will have to share this
>>> pas
On 2018-08-07 at 09:09, Nicolas George wrote:
> The Wanderer (2018-08-07):
>
>> "su OPTIONAL_USERNAME -c 'YOUR_COMMAND'"
>
> The superiority of sudo over su in this particular case is that it
> does not require an extra level of quoting.
I don't consider that a significant downside; in some con
On Tue, Aug 07, 2018 at 12:22:53PM +0100, James Allsopp wrote:
> As far as I can see "su -" saves a lot of grief if you're the only admin on
> a system. Tried sudo ing to a protected directory? Doesn't work.
Works fine for me:
dave$ sudo bash
[sudo] password for dave:
root# cd /some/protected/dir
On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote:
> On 2018-08-07 at 07:47, Martin wrote:
> > The point is not, that ONE person needs a root password. All people
> > intended to do privileged things will have to share this password.
> > This is a security nightmare!
>
> If they're all
On 2018-08-07 at 09:04, Martin wrote:
> On 07.08.2018 at 14:50, The Wanderer wrote:
>
>> On 2018-08-07 at 08:27, Martin wrote:
>>> So, what is bad with 'sudo -u TARGETUSER YOUR_COMMAND'? How do
>>> you edit a file with su? Invoke a shell? Take a look at
>>> sudoedit!
>>
>> "su OPTIONAL_USERNAM
On Tue, Aug 07, 2018 at 11:46:55AM +, Curt wrote:
I've never used it myself. I'm all by my lonesome on this machine. I've
been using 'su' from the very beginning (but maybe I should start or
will start whenever the future and the new 'su' arrives using 'su -').
I've long forgotten why, but
On Tue, Aug 07, 2018 at 02:27:48PM +0200, Martin wrote:
On 07.08.2018 at 14:07, The Wanderer wrote:
On 2018-08-07 at 07:47, Martin wrote:
As a system operator, you need some elevated privileges on a daily
basis. How do you do that without sudo?
No, I don't. I only need them when I'm doing el
The Wanderer (2018-08-07):
> "su OPTIONAL_USERNAME -c 'YOUR_COMMAND'"
The superiority of sudo over su in this particular case is that it does
not require an extra level of quoting.
> But it's more secure to require a second password to do elevated things
> than to permit doing those things with t
On 07.08.2018 at 14:50, The Wanderer wrote:
> On 2018-08-07 at 08:27, Martin wrote:
>
>> On 07.08.2018 at 14:07, The Wanderer wrote:
>>
>>> On 2018-08-07 at 07:47, Martin wrote:
>
As a system operator, you need some elevated privileges on a
daily basis. How do you do that without sudo
On 2018-08-07 at 08:27, Martin wrote:
> On 07.08.2018 at 14:07, The Wanderer wrote:
>
>> On 2018-08-07 at 07:47, Martin wrote:
>>> As a system operator, you need some elevated privileges on a
>>> daily basis. How do you do that without sudo?
>>
>> No, I don't. I only need them when I'm doing e
On 08/07/2018 09:06 PM, Joe wrote:
> On Tue, 7 Aug 2018 12:11:50 +0100
> Jonathan Dowland wrote:
>> If you set a root password in d-i (as it asks you to), it doesn't
>> install sudo. If you try to set a blank root password, it locks the
>> root account, installs sudo and sets up the user you creat
On 07.08.2018 at 14:19, Stephan Seitz wrote:
> On Tue, Aug 07, 2018 at 11:46:55 +, Curt wrote:
>> But it seems the whole point of the thing in a multi-user environment is
>> that you can use a granular approach to permissions, so I suppose if you
>> didn't desire a particular user modifying the
On 07.08.2018 at 14:07, The Wanderer wrote:
> On 2018-08-07 at 07:47, Martin wrote:
>
>> On 07.08.2018 at 13:20, The Wanderer wrote:
>>
>>> On 2018-08-07 at 05:58, Martin Drescher wrote:
>>>
Hi members,
I'm a little... let's say thoughtful, about the use of 'su'
discussed at s
On Tue, Aug 07, 2018 at 01:33:20 +0200, Martin wrote:
I don’t know if Debian does, but the difference between su and sudo
seems quite like to the difference between ssh logins with password
and with keys. Both have advantages and disadvantages.
By far: No.
su only invokes or acts like login, pam
On Tue, Aug 07, 2018 at 11:46:55 +, Curt wrote:
But it seems the whole point of the thing in a multi-user environment is
that you can use a granular approach to permissions, so I suppose if you
didn't desire a particular user modifying the logs, while granting her
other administrative privileg
On Tuesday, August 7, 2018 11:58:48 AM -04 Martin Drescher wrote:
> Hi members,
>
> I'm a little... let's say thoughtful, about the use of 'su' discussed at some
> points in this list. I have a strong opinion about su, which is, avoid it
> whenever it is possible and use 'sudo' instead. This is the
On Tue, Aug 07, 2018 at 12:22:53PM +0100, James Allsopp wrote:
> As far as I can see "su -" saves a lot of grief if you're the only admin on
> a system. Tried sudo ing to a protected directory? Doesn't work. Tired of
> entering your password every coup
On 2018-08-07 at 07:47, Martin wrote:
> On 07.08.2018 at 13:20, The Wanderer wrote:
>
>> On 2018-08-07 at 05:58, Martin Drescher wrote:
>>
>>> Hi members,
>>>
>>> I'm a little... let's say thoughtful, about the use of 'su'
>>> discussed at some points in this list. I have a strong opinion
>>> a
On Tue, 7 Aug 2018 12:11:50 +0100
Jonathan Dowland wrote:
> On Tue, Aug 07, 2018 at 11:40:29AM +0100, Joe wrote:
> >Why, I don't know, but the last time I installed stable, sudo was not
> >installed by default, and never has been in my experience. I always
> >add sudo and mc immediately after an
On 08/07/2018 07:40 PM, Joe wrote:
> On Tue, 7 Aug 2018 11:58:48 +0200
> Why, I don't know, but the last time I installed stable, sudo was not
> installed by default, and never has been in my experience. I always add
> sudo and mc immediately after an installation.
It's installed if you choose to
On 2018-08-07, James Allsopp wrote:
>
> sudo does mean that the admin actions of a particular user are logged, but
> unless you lock down what they can do, they can change/delete the logs
> easily enough.
>
But it seems the whole point of the thing in a multi-user environment is
that you can use
On 07.08.2018 at 13:20, The Wanderer wrote:
> On 2018-08-07 at 05:58, Martin Drescher wrote:
>
>> Hi members,
>>
>> I'm a little... let's say thoughtful, about the use of 'su' discussed
>> at some points in this list. I have a strong opinion about su, which
>> is, avoid it whenever it is possible
> I don’t know if Debian does, but the difference between su and sudo seems
> quite like to the difference between ssh logins with password and with keys.
> Both have advantages and disadvantages.
By far: No.
su only invokes or acts like login, pam included. sudo may represent a complex
role
That
> If you set a root password in d-i (as it asks you to), it doesn't
> install sudo. If you try to set a blank root password, it locks the root
> account, installs sudo and sets up the user you created with sudo
> access.
is new to me, I never knew! And I think it is good approach. Does one a
As far as I can see "su -" saves a lot of grief if you're the only admin on
a system. Tried sudo ing to a protected directory? Doesn't work. Tired of
entering your password every couple of minutes?
sudo does mean that the admin actions of a particular user are logged, but
unless you lock down what
On 2018-08-07 at 05:58, Martin Drescher wrote:
> Hi members,
>
> I'm a little... let's say thoughtful, about the use of 'su' discussed
> at some points in this list. I have a strong opinion about su, which
> is, avoid it whenever it is possible and use 'sudo' instead. This is
> the case in close t
On Tue, Aug 07, 2018 at 11:58:48 +0200, Martin Drescher wrote:
And I'm curious why Debian still prefers the use of su over sudo?
I don’t know if Debian does, but the difference between su and sudo seems
quite like to the difference between ssh logins with password and with
keys. Both have adva
On Tue, Aug 07, 2018 at 11:40:29AM +0100, Joe wrote:
Why, I don't know, but the last time I installed stable, sudo was not
installed by default, and never has been in my experience. I always add
sudo and mc immediately after an installation.
If you set a root password in d-i (as it asks you to)
On 08/07/2018 04:58 AM, Martin Drescher wrote:
Hi members,
I'm a little... let's say thoughtful, about the use of 'su' discussed at some
points in this list.
I don't recall that discussion. Can you give a link to the archives?
I have a strong opinion about su, which is, avoid it whenever it
On Tue, 7 Aug 2018 11:58:48 +0200
Martin Drescher wrote:
> Hi members,
>
> I'm a little... let's say thoughtful, about the use of 'su' discussed
> at some points in this list. I have a strong opinion about su, which
> is, avoid it whenever it is possible and use 'sudo' instead. This is
> the case
Hi members,
I'm a little... let's say thoughtful, about the use of 'su' discussed at some
points in this list.
I have a strong opinion about su, which is, avoid it whenever it is possible
and use 'sudo' instead. This is the case in close to a 100% in all cases I can
think of.
This opinion is bas
52 matches