| 1 |
On Tue, Aug 10, 2010 at 2:50 PM, Alan McKinnon <alan.mckinnon@×××××.com>wrote: |
| 2 |
|
| 3 |
> On Tuesday 10 August 2010 15:03:19 Kevin O'Gorman wrote: |
| 4 |
> > On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@g.o> |
| 5 |
> wrote: |
| 6 |
> > > On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote: |
| 7 |
> > > > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@×××××.com |
| 8 |
> > |
| 9 |
> > > |
| 10 |
> > > wrote: |
| 11 |
> > > > > I actually prefer "sudo su -" -- as long as I'm giving it away! |
| 12 |
> :o) |
| 13 |
> > > |
| 14 |
> > > Afaik, there is no reason for "sudo su -" It should be either |
| 15 |
> > > |
| 16 |
> > > su - |
| 17 |
> > > |
| 18 |
> > > or, if you are using sudo, |
| 19 |
> > > |
| 20 |
> > > sudo -i |
| 21 |
> > > |
| 22 |
> > > The disadvantage of "su -" is that it requires the user to know the |
| 23 |
> root |
| 24 |
> > > password. But, "sudo -i" does the same thing without requiring the |
| 25 |
> user |
| 26 |
> > > to know the root password. |
| 27 |
> > > |
| 28 |
> > > You either didn't think or didn't actually try it. "sudo su -" needs |
| 29 |
> a |
| 30 |
> > |
| 31 |
> > password, but it's the |
| 32 |
> > user password. Running su as root never needs a password. Accordingly, |
| 33 |
> > this works on |
| 34 |
> > a stock Ubuntu with no root password. |
| 35 |
> > |
| 36 |
> > "su -" requires the root password unless you're already root, and the |
| 37 |
> root |
| 38 |
> > password may or may not exist. |
| 39 |
> > |
| 40 |
> > I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it |
| 41 |
> > immediately asked for a password, for which |
| 42 |
> > the user password was sufficient. So it's entirely equivalent to but |
| 43 |
> > slightly shorter than my version. I'll stick with |
| 44 |
> > mine because it's made of parts I already know and won't forget. |
| 45 |
> > |
| 46 |
> > I think that if sudoers don't need to enter passwords, they're still |
| 47 |
> > equivalent, but I have not tried this. |
| 48 |
> |
| 49 |
> Sounds to me like he's whinging about sudo and not much else. I find this |
| 50 |
> to |
| 51 |
> be common and far too many people advancing the idea can't define to me |
| 52 |
> basic |
| 53 |
> security concepts. I have also yet to meet someone with a beef against sudo |
| 54 |
> that can show a fundamental weakness with it, and I'm not talking about an |
| 55 |
> isolated case of buffer overflow either - that can happen with any |
| 56 |
> software. I |
| 57 |
> mean a weakness in the methodology of sudo itself. |
| 58 |
> |
| 59 |
> Many people have a stuck idea in their heads that the root password is a |
| 60 |
> magic |
| 61 |
> security bullet. In fact, it's no such thing. Like any other password it is |
| 62 |
> simply something you need to prove you know in order to to authenticate |
| 63 |
> yourself. The major threat by analysis on a workstation is stepping away |
| 64 |
> for a |
| 65 |
> leak and forgetting to lock the screen. sudo is adequate protection against |
| 66 |
> this as long as more than 5 minutes have elapsed since the last sudo was |
| 67 |
> run - |
| 68 |
> the prankster may have access to the machine but still does not know any |
| 69 |
> password, including yours. A major threat to finding passwords is shoulder |
| 70 |
> surfing. If one frequently enters the root password, it is equally easy for |
| 71 |
> a |
| 72 |
> shoulder surfer to find it as to find the user's password. Note that if you |
| 73 |
> leave your workstation unlocked with a root session open, there is no such |
| 74 |
> timeout as what one has with sudo. |
| 75 |
> |
| 76 |
> Additionally, on a shared machine (i.e. server at work), the root password |
| 77 |
> has |
| 78 |
> to be shared which is a huge hole in itself due to the difficulty of |
| 79 |
> communicating the new password when it is changed. It is trivially easy to |
| 80 |
> communicate a single password for a single user and guarantee it stays |
| 81 |
> secure |
| 82 |
> (major advances in cryptanalysis excepted). |
| 83 |
> |
| 84 |
> |
| 85 |
> -- |
| 86 |
> alan dot mckinnon at gmail dot com |
| 87 |
> |
| 88 |
> Good Luck getting people to change them frequently and haveing your techs |
| 89 |
and it departments meeting complexity and length policy. |
| 90 |
|
| 91 |
Remeber the only secure system is off and disconnected. |
| 92 |
|
| 93 |
If you are willing to use it you must apriase the community of the risk of |
| 94 |
failure; and plan for said risk. |
| 95 |
|
| 96 |
Most projects I've enjoyed had various password books usually encrypted with |
| 97 |
a "God" key for each department and it's respective responsbile area. |
| 98 |
|
| 99 |
Then those keys become an issue in and of themselfs; then it's a matter of |
| 100 |
procedural control. When the admin or admins leave, change them. |
| 101 |
|
| 102 |
Sounds simple, but far too rarely as it happens in pratice that I've headed |
| 103 |
to a client I haven't visited in a decade or so and find the same password I |
| 104 |
once used by guessing. |
| 105 |
|
| 106 |
Wich always rings true for me as a means to ensure disclosure is to those |
| 107 |
that I trust; or would trust. |
| 108 |
|
| 109 |
The discretionary access model in Gentoo is nice and to be expected; what |
| 110 |
I'd really like is a way to have my groups integrate from whichever |
| 111 |
directory service I'm using to meet the DAC mappings required on the local |
| 112 |
machine so I can enable RBAC or some other Lattice based control with local |
| 113 |
admins and limit their functions to thier jobs in an EASY fashon. |
| 114 |
|
| 115 |
Regards, |
| 116 |
-- |
| 117 |
Hazen Valliant-Saunders |
Archives