Hi,

I'm not going to elaborate on anything, but I'd rather point
out a thing about sudo.

On Wed, Oct 22, 2008 at 10:39 PM, David Masover <[EMAIL PROTECTED]> wrote:

> On Wed, Oct 22, 2008 at 9:55 AM, Mislav Marohnić <
> [EMAIL PROTECTED]> wrote:
>
>> On Wed, Oct 22, 2008 at 16:41, David Masover <[EMAIL PROTECTED]> wrote:
>>
>>>
>>> For example: My SSH key has access to both the user the application runs
>>> as, and root. There's a reason we don't run applications as root -- but this
>>> gives that user the ability, temporarily, to obtain root.
>>
>>
>> Uh, you shouldn't log in as root. That's bad practice. Sysadmins often
>> deny the root user login rights. You should use a user that's a sudo-er for
>> administrative tasks.
>>
>
> First: Sudo is annoying, for this purpose. I've got passwordless SSH to all
> sorts of places, and yes, my key file is encrypted. If I can login as every
> user except root, I can still do quite a lot of damage.

sudo is annoying, and it's designed to be annoying. :) Keyfile
authentication is ok. As a practice I never use key based SSH
authentication outside of a LAN. The point is carrying around
or keeping the key files outside doesn't make me comfortable.
Encrypted keyfiles are better, but you end up with passwords
again. :)

> So, even if they can't get root, it provides a means for one application to
> steal another application's user, or for a sandbox experiment to jump into
> an application user. Me not logging in as root doesn't address the root
> cause (so to speak).

Not sure what you mean.

> Second: What does sudo actually buy, in terms of security? I am the admin. I
> built the virtual machine image. If I want to cause problems, nothing is
> going to stop me. All this would do is annoy me, pretty much like Vista's
> UAC.

sudo is not like Vista's UAC, at least not what I've seen in my
little Vista exposure. Please see below.

> I understand the purpose of sudo on a desktop machine, but often, I end up
> doing 'sudo su -' anyway. So I consider ssh-ing as root to be a similar
> action -- it's like sudoing, but less annoying.

How sudo differs significantly, and how to stop 'sudo su -',
is to use sudo sparingly. For example, rather than using
capuser    ALL=(ALL) ALL
you could try specifying which commands to have super
user privileges. Allowing all commands the privileges
wouldn't give much advantage as you said, probably
other than the security of obscurity. I've tried Capistrano
with selective sudo privileges. It's a little work, but it
works.

> Now, for the automated stuff, sure -- I should be using sudo, and I should
> have specific tasks as exceptions. Automate as much as possible, and run as
> little as possible as root.
>
> But sometimes, you just have to edit fstab, or add users, or muck with
> MySQL permissions, or copy some files (or change ownership on them), or
> distribute SSH keys, or a dozen other things you didn't plan for, and don't
> have a dedicated script to automate.

Thanks for voicing many admins. Yes, there is manual
work required usually on production systems. It may
not be as glorious as running two commands and finishing,
but I'd rather manually grant a single db user the
minimal privileges needed. :)
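As an added illustration of the "use sudo sparingly" point above (this is not code from the thread or from the Capistrano project), the script below writes the unrestricted `capuser ALL=(ALL) ALL` grant beside a restricted drop-in that only allows the handful of commands a deploy needs, and includes a small audit function that flags entries which hand over root anyway: an `ALL` command list, or commands such as `su`, shells and editors that let the caller escape to a root shell. The deploy user `capuser`, the `myapp` service and the nginx reload are assumed names for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a restricted sudoers
# drop-in for a deploy user, plus a crude audit of what a sudoers file grants.
# Assumed names: deploy user "capuser", init service "myapp", nginx reload.

# The grant quoted in the thread: every command as every user, i.e. root.
write_weak_sudoers() {
  cat > "$1" <<'EOF'
# Equivalent to giving capuser the root account (including 'sudo su -')
capuser    ALL=(ALL) ALL
EOF
  chmod 0440 "$1"
}

# The sparing alternative: absolute paths, fixed argument lists, one target
# user. No wildcards in arguments, because in sudoers a '*' also matches
# spaces and would let extra arguments be appended to the allowed command.
write_restricted_sudoers() {
  cat > "$1" <<'EOF'
# Only what a Capistrano deploy actually needs to do as root
Cmnd_Alias MYAPP_DEPLOY = /usr/sbin/service myapp restart, \
                          /usr/sbin/service myapp start, \
                          /usr/sbin/service myapp stop, \
                          /usr/sbin/nginx -s reload
capuser    ALL=(root) NOPASSWD: MYAPP_DEPLOY
EOF
  chmod 0440 "$1"
}

# Count entries that defeat the restriction: a bare trailing "ALL" command
# list, or a command that can spawn a root shell (su, shells, pagers, editors).
# Prints the count; 0 means nothing obviously unrestricted was found.
audit_sudoers() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" \
    | { grep -Ec '(^|[[:space:],])ALL[[:space:]]*$|/(su|sh|bash|vi|vim|less|more)([[:space:],]|$)' || true; }
}

# Stand-alone demonstration: write both fragments into a temp dir and audit them.
demo() {
  d=$(mktemp -d)
  write_weak_sudoers "$d/weak"
  write_restricted_sudoers "$d/restricted"
  echo "weak grant flagged entries:       $(audit_sudoers "$d/weak")"
  echo "restricted grant flagged entries: $(audit_sudoers "$d/restricted")"
  rm -rf "$d"
}

[ "${0##*/}" = "sudoers_example.sh" ] && demo
```

Before installing such a fragment under /etc/sudoers.d it should be checked with `visudo -c -f <file>`; the audit above is only a quick grep for the two most common ways a "restricted" grant turns back into root.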

--~--~---------~--~----~------------~-------~--~----~
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/capistrano
-~----------~----~----~----~------~----~------~--~---