[ale] bash commands

Jim Kinney jim.kinney at gmail.com
Tue May 22 18:27:35 EDT 2012


Big +1

sudo is not a tool for admins.
On May 22, 2012 6:01 PM, "Lightner, Jeff" <JLightner at water.com> wrote:

>   I disagree with the purpose of sudo stated previously.  It was not
> designed to prevent System Admins from getting root access.  It was
> designed to allow NON-system admins to access only those few things they
> need as root without giving them the root password and full root access.
>
> Over time PHBs have somehow decided that even System Admins shouldn’t have
> root which is why you see abominations like “sudo” only distros.   System
> Admins do spend a lot of their time as root no matter how much hand
> wringing is done by people that like to claim it isn’t secure.
>
> The sad thing about sudo is how many admins do not seem to understand what
> they’re giving to users with it.   The first place I saw it they gave users
> “sudo vi”.   I had to show them what “:!/bin/sh” did in such a session.   I
> also had to explain to them why sudo access to shell scripts that were not
> writable only by root in a directory only accessible by root was a bad idea.
>
> I’ve only worked one place where I thought they handled sudo for Admins
> correctly.   They had syslog traffic going to a server NOT controlled by
> the Admins and any time you used sudo you had to put in a reason why and be
> prepared for a query from management because they got emails when you did
> it.   You could hide what you did after becoming root but not the fact that
> you HAD become root.
>
> We use sudo extensively here mainly for its (IMHO) original purpose.   One
> great use of it is to get rid of purely administrative accounts for
> applications where everyone knows the password.   By requiring users that
> need access to such administrative accounts to do “sudo su - <account>” you
> can log which user became that administrative user right before everything
> went to hell in a handbasket.
>
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Wolf
> Halton
> Sent: Monday, May 21, 2012 8:06 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] bash commands
>
> On Mon, May 21, 2012 at 7:29 AM, Matthew <simontek at gmail.com> wrote:
>
> Atm that is the environment I am in. Some machines I have the root
> password to, some I don't, some I have to ssh 127.0.0.1 as root. My
> PDE I have to wait a bit to get root access, for my job it's ironic, I
> have to use my work computer to do it, vs my govt provided one.
>
>
> On 5/21/12, Jim Kinney <jim.kinney at gmail.com> wrote:
> > In a multi-admin server environment, selinux and auditd can fully track
> > who did what. Each admin logs in remotely and then can su to root, do
> > their work and log out. Even though they can use su - to fully change to
> > the root user with full environment, auditd tracks every command issued
> > with both effective ID and original ID. So root from Fred is different
> > from root from Sally.
> >
> > The addition of rootsh to the system as the only shell for root will
> > provide a full log of keyboard entry and return data. That log can be on
> > a remote machine.
> >
> > On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <
> > brian.mathis+ale at betteradmin.com> wrote:
> >
> >> By "desktop" I mean a computer that sits on your desk either at home
> >> or work, as opposed to servers that run in a data center.  I think
> >> most people who don't see the difference between using 'su' vs 'sudo'
> >> think that way because they are only playing with Linux on their home
> >> desktop so it doesn't really matter.  However, in a server environment
> >> where you need to manage resources, it does.
> >>
> >> I don't think anyone is using "desktop" to refer to using a GUI
> >> instead of a shell prompt; at least that doesn't make sense in the
> >> context of this discussion.
> >>
> >>
> >> ❧ Brian Mathis
> >>
> >>
> >> On Mon, May 21, 2012 at 2:48 AM, Matthew <simontek at gmail.com> wrote:
> >> > I don't usually work in a desktop environment. Even though our project
> >> > is using kde, I still do everything from command line.
> >> >
> >> > On 5/21/12, Brian Mathis <brian.mathis+ale at betteradmin.com> wrote:
> >> >> There is an ENORMOUS difference between using "su" and "sudo -i", and
> >> >> it's big enough that any old codgers out there should learn this new
> >> >> trick:
> >> >>
> >> >>     To use 'su' you need the ROOT password.
> >> >>     To use 'sudo', you need YOUR password.
> >> >>
> >> >> In any environment outside of your personal desktop, this is a huge
> >> >> difference.  Securely distributing the root password to any number of
> >> >> sysadmins, keeping track of who has it, and changing it every time
> >> >> someone leaves (and redistributing the changed password) is a
> >> >> nightmare, and it also violates most accepted rules of good security
> >> >> (using shared passwords).
> >> >>
> >> >> If you grant root access through sudo, even if admins use 'sudo -i',
> >> >> you only need to manage the sudoers file and you can forget about the
> >> >> root password issue.  You still need to keep track of the root
> >> >> password, but now you can set it to some long random string and keep
> >> >> it locked in a safe somewhere.  You also get an audit trail of who's
> >> >> logging in and switching to root, even if you don't get a full audit
> >> >> of every command they run.
> >> >>
> >> >>
> >> >> ❧ Brian Mathis
> >> >>
> >> >>
> >> >> On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com> wrote:
> >> >>> Why not just log in as root and stomp around if you're going to use
> >> >>> sudo -i?
> >> >>>
> >> >>> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com> wrote:
> >> >>>> sudo -i is definitely bad practice, it completely negates the
> >> >>>> purpose of using sudo in the first place.
> >> >>>>
> >> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland
> >> >>>> <brian at stanaland.org> wrote:
> >> >>>>> I use 'sudo su -' which gets you the complete root experience.
> >> >>>>>
> >> >>>>> -- Brian
> >> >>>>>
> >> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison
> >> >>>>> <cluon at geeklabs.com> wrote:
> >> >>>>>>
> >> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:
> >> >>>>>> > If that's current thinking, then it's changed.  I've been
> >> >>>>>> > administrating Unix systems for about 25 years.  Sudo didn't
> >> >>>>>> > exist and you needed to su in order to do admin tasks.  It was
> >> >>>>>> > accepted and expected.  You couldn't install SunOS, HPUX, UNICOS
> >> >>>>>> > or Irix without it.  I'm afraid this old dog isn't learning new
> >> >>>>>> > tricks, I use sudo -s or sudo -i on a regular basis when I don't
> >> >>>>>> > have su enabled.
> >> >>>>>>
> >> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves
> >> >>>>>> a lot of time and typing over "sudo foo" for every command. On a
> >> >>>>>> desktop, normal user system.. it seems to be the "right way". Be
> >> >>>>>> a user for user things, become almost root for doing admin stuff
> >> >>>>>> on my box.
> >> >>>>>>
> >> >>>>>> On a server.. there is only root for most sysadmin tasks. I've
> >> >>>>>> only been running Linux since 94.. but have also worked on DG
> >> >>>>>> Nova's, SCO unix, Slowlaris, etc.. but it seems to be the right
> >> >>>>>> way to admin a server. If you can't handle SSHing in/logging in
> >> >>>>>> as root..  you should not be.
> >> >>>> --
> >> >>>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
> >> >>> --
> >> >>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
> >> >>
> >> >> _______________________________________________
> >> >> Ale mailing list
> >> >> Ale at ale.org
> >> >> http://mail.ale.org/mailman/listinfo/ale
> >> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> >> http://mail.ale.org/mailman/listinfo
> >> >>
> >> >
> >> > --
> >> > Sent from my mobile device
> >> >
> >> > SimonTek
> >> > 912-398-6704
> >> >
> >>
> >>
> >
> >
> >
> > --
> > James P. Kinney III
> >
> > As long as the general population is passive, apathetic, diverted to
> > consumerism or hatred of the vulnerable, then the powerful can do as they
> > please, and those who survive will be left to contemplate the outcome.
> >
> > - 2011 Noam Chomsky
> >
> > http://heretothereideas.blogspot.com/
> >
>
> --
> Sent from my mobile device
>
> SimonTek
> 912-398-6704
>
>
>
>
> Our general practice is to use sudo and do a few things under the timer.
> There are install sessions that require changing to the user env of 3
> different users, all essentially system users, to whose accts I have the
> passwords, but it is far quicker to sudo su - or sudo -i and then su - into
> the other two accts from root, which requires no password to get into the
> accounts. The system user passwords, and also the system root user
> passwords, can then be different from machine to machine, and my work is
> not slowed down while I get the notebooks with all passwords to search for
> this or that machine and user.
>
> Those notebooks would be the holy skeleton keys for the entire network
> (and a huge security vulnerability), but are in a safe buried under 20 feet
> of concrete, as all any of the admins have to have is their own password to
> do any of the admin tasks they are permitted to do on any of the machines.
> Sudo can be very granular, allowing some but not all admin tasks.  This
> isn't all that apparent to new users of Ubuntu (which has root login
> disabled by default in the GUI runlevel 5 login screen (GDM)).
>
> -Wolf
>
> PS In the most recent Ubuntu release, the automated update-manager
> behaviour is to allow updates and safe-upgrades without a password entry,
> but you still need a password to run aptitude or the Ubuntu software center
> application.
>
> --
> This Apt Has Super Cow Powers - http://sourcefreedom.com
> Open-Source Software in Libraries - http://FOSS4Lib.org
> Advancing Libraries Together - http://LYRASIS.org
> Apache Open Office Developer wolfhalton at apache.org
>
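The grants Jeff warns about in the quoted message ("sudo vi" and its ":!/bin/sh" escape, a sudo-able script sitting in a directory the user can write to, and a blanket ALL) are all things a script can spot before the rule ships. The script below is an added example written for this page; it is not code from the thread or from the sudo project. It audits a small constructed sudoers fragment and then a narrowed version of the same grants, and every user, host and path in it is hypothetical. The checks cover only the patterns the thread discusses; on a real host you would still run "visudo -c" for syntax and "sudo -l -U user" to see what a user actually ends up with.

```shell
#!/bin/sh
# Added example for the ALE thread above, not code from the thread or from
# sudo itself. Audits a sudoers fragment for the grants Jeff describes:
# editors and shells that escape to root, sudo-able scripts in user-writable
# directories, and blanket ALL. Every user, host and path here is constructed.

# Constructed "before": what the thread warns against.
SUDOERS_WEAK='# constructed sudoers fragment
ops      ALL=(ALL) /usr/bin/vi
deploy   ALL=(root) NOPASSWD: /home/deploy/bin/restart.sh
dba      ALL=(oracle) /bin/su - oracle
junior   ALL=(ALL) ALL
'

# Constructed "after": same intent, narrowed. sudoedit runs the editor as the
# invoking user on a temp copy, so :!/bin/sh yields only that user's own shell.
# The restart script now lives in a root-owned tree. "sudo su - oracle" stays:
# that is Jeff's logged account-switch pattern. log_input/log_output keep
# session transcripts and logfile records who became what, and when.
SUDOERS_FIXED='# constructed sudoers fragment
Defaults log_input, log_output, logfile=/var/log/sudo.log
ops      ALL=(root) sudoedit /etc/hosts, sudoedit /etc/motd
deploy   ALL=(root) NOPASSWD: /usr/local/sbin/restart-app
dba      ALL=(oracle) /bin/su - oracle
'

# audit_sudoers: read sudoers text on stdin, print one finding per line.
audit_sudoers() {
  awk '
  /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
  {
    user = $1
    eq = index($0, "=")
    if (eq == 0) next
    rhs = substr($0, eq + 1)
    runas = "root"                        # sudo default when no (runas) is given
    if (match(rhs, /^\([^)]*\)/)) {
      runas = substr(rhs, 2, RLENGTH - 2)
      rhs = substr(rhs, RLENGTH + 1)
    }
    sub(/^[ \t]+/, "", rhs)
    nopasswd = sub(/^NOPASSWD:[ \t]*/, "", rhs)
    asroot = (runas == "ALL" || runas ~ /(^|,)[ \t]*root[ \t]*(,|$)/)
    n = split(rhs, cmds, /,[ \t]*/)
    for (i = 1; i <= n; i++) {
      cmd = cmds[i]
      sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
      if (cmd == "ALL") {
        msg = user ": ALL -> unrestricted root"
        if (nopasswd) msg = msg " without a password"
        print msg
        continue
      }
      split(cmd, parts, /[ \t]+/)
      path = parts[1]
      base = path; sub(/.*\//, "", base)
      # Editors, pagers, shells and interpreters all have a way to spawn a
      # shell; granted as root that is the whole root account.
      if (asroot && base ~ /^(vi|vim|view|nano|emacs|less|more|man|sh|bash|zsh|ksh|csh|su|find|awk|perl|python[0-9.]*)$/)
        print user ": " path " as " runas " can spawn a shell (for vi, :!/bin/sh)"
      # A script the user can overwrite is a script the user can replace.
      if (path ~ /^\/(home|tmp|var\/tmp)\//)
        print user ": " path " is in a user-writable tree; replace it and run anything as " runas
    }
  }'
}

# count_findings: number of findings for the fragment passed as $1.
count_findings() {
  printf '%s' "$1" | audit_sudoers | awk 'END { print NR }'
}

echo "== weak fragment =="
printf '%s' "$SUDOERS_WEAK" | audit_sudoers
echo "== narrowed fragment =="
printf '%s' "$SUDOERS_FIXED" | audit_sudoers
```

The weak fragment produces three findings (the vi grant, the script under /home, and junior's ALL); the dba rule is left alone on purpose, because a sudo-logged "su - oracle" is exactly what Jeff recommends for shared application accounts. The narrowed fragment produces none.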
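Jim's point in the quoted thread, that auditd tells root-from-Fred apart from root-from-Sally, rests on the login uid (auid): pam_loginuid sets it when the admin logs in and it is carried across su - and sudo, so a record with uid=0 still says auid=1001. The following is an added example written for this page, not code from the thread or from the audit project. It runs over a few constructed, shortened audit.log records and attributes every root execve to the login user, reporting root activity that has no login uid behind it (daemon-started, auid=4294967295) separately. The uid-to-name map is hardcoded for the sample; on a real host use getent passwd.

```shell
#!/bin/sh
# Added example for the ALE thread above, not code from the thread or from
# the audit project. Attributes root activity to the login user via auid.

# Constructed, shortened audit.log records (real SYSCALL records carry more
# fields; syscall=59 is execve on x86_64). auid=4294967295 means "no login
# uid": the process descends from a daemon, not from anyone who logged in.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1337700010.120:205): arch=c000003e syscall=59 success=yes exit=0 ppid=4101 pid=4120 auid=1001 uid=0 gid=0 euid=0 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="exec"
type=CWD msg=audit(1337700010.120:205): cwd="/root"
type=SYSCALL msg=audit(1337700015.331:206): arch=c000003e syscall=59 success=yes exit=0 ppid=4101 pid=4125 auid=1001 uid=0 gid=0 euid=0 ses=7 comm="vi" exe="/usr/bin/vi" key="exec"
type=SYSCALL msg=audit(1337700042.007:231): arch=c000003e syscall=59 success=yes exit=0 ppid=5201 pid=5210 auid=1002 uid=0 gid=0 euid=0 ses=9 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=SYSCALL msg=audit(1337700050.500:240): arch=c000003e syscall=59 success=yes exit=0 ppid=5201 pid=5215 auid=1002 uid=1002 gid=1002 euid=1002 ses=9 comm="ls" exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1337700060.000:250): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=6001 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec"
EOF
}

# attribute_root_execs: read audit records on stdin; for every execve that ran
# with uid 0, print who the kernel says logged in (auid), not just "root".
attribute_root_execs() {
  awk '
  BEGIN { name[1001] = "fred"; name[1002] = "sally" }   # constructed map; use getent passwd on a real host
  $1 != "type=SYSCALL" { next }
  {
    auid = ""; uid = ""; exe = ""
    for (i = 2; i <= NF; i++) {
      p = index($i, "=")
      if (p == 0) continue
      k = substr($i, 1, p - 1); v = substr($i, p + 1)
      if (k == "auid") auid = v
      else if (k == "uid") uid = v
      else if (k == "exe") { exe = v; gsub(/"/, "", exe) }
    }
    if (uid != "0") next                 # only commands that actually ran as root
    if (auid == "4294967295" || auid == "-1") {
      print "UNATTRIBUTED root exec (no login uid): " exe
      next
    }
    who = (auid in name) ? name[auid] : "uid " auid
    print "root exec by " who " (auid=" auid "): " exe
  }'
}

# root_exec_count: how many root execs trace back to the login uid given as $1.
root_exec_count() {
  sample_audit_log | attribute_root_execs | grep -c "(auid=$1)" || true
}

# unattributed_root_exec_count: root execs with no login uid behind them.
unattributed_root_exec_count() {
  sample_audit_log | attribute_root_execs | grep -c "^UNATTRIBUTED" || true
}

sample_audit_log | attribute_root_execs
```

In the sample, fred (auid 1001) accounts for two root commands and sally (auid 1002) for one; sally's "ls" ran as herself and is skipped, and the run-parts exec has no login uid and is reported on its own line, which is the case to watch when a "root" action has no admin behind it. Pair the filter with an execve rule such as "-a always,exit -F arch=b64 -S execve -k exec" in audit.rules, which is what produces the key="exec" records the sample imitates.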