(Also replying to Didier Kryn, because it is related to my question, put following Edward's email below; however, too much of Edward's text is missing in Didier's reply.)
On 170923-09:15+0200, Edward Bartolo wrote:
> Quote: "He's actually right: the least the superuser's password is
> used, the better
> and the safer."
>
> Granted, but sudo as configured in Ubuntu makes the use of a superuser
> password pointless. Sudo is configured to be a wide wide open door
> leading to any part of a computer's 'household'. In other words, sudo
> with the infamous 'user ALL=(ALL)' in /etc/sudoers makes root
> practically like any other user.

I do have it (that exact section of my /etc/sudoers follows):

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Defaults targetpw
mr ALL=(ALL:ALL) ALL

Does the "Defaults targetpw", and a really strong password still keep me safe, sudo-wise (not talking other measures: iptables, grsecurity, just sudo-wise)?

I am (as user mr) both:
# cat /etc/group | grep sudo
sudo:x:27:mr
# member of group sudo, and have those lines under "Defaults targetpw".

Really interested about opinions/advice: safe, as far as sudo goes?

> Sudo does have its benefits but it must be used to control user
> privileges. Granting all commands to every user is the opposite of
> what security means.

As above, the targetpw helps against that...

And I don't get what Didier means. Citation below is manually pasted in.

On 170923-11:10+0200, Didier Kryn wrote:
> On 23/09/2017 at 08:49, Alessandro Selli wrote:
> > He's actually right: the least the superuser's password is used, the
> > better
> > and the safer.
>
> Yep, you can invoke 'sudo su -l'; that's su without the root password.
> It helps you forget the root password.
>
> Didier

Whatever do you mean that command above "helps you forget the root password"?

Let me use grsecurity-kernel's exec_logging and audit chdir features of my (miniply github repo) grsecurity-hardened kernel to explain my query.
It was originally 44 lines, and 44 lines of quick truth, but I reduced it to 20-something lines, as some of it is not relevant to here, and I deliberately modified some info, where not relevant only. But, I wrapped all the lines for email web, and inserted space between lines. Here:

The first 8 lines are me starting an xterm to test that Didier's command:

Sep 23 14:12:35 gdOv kernel: [471743.404689] grsec: exec of /usr/bin/xterm (xterm -g 110x35+0+154 -fn -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso10646-1 ) by /usr/bin/xterm[bash:5257] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4315] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.516776] grsec: exec of /usr/lib/x86_64-linux-gnu/utempter/utempter (/usr/lib/x86_64-linux-gnu/utempter/utempter add :0 ) by /usr/lib/x86_64-linux-gnu/utempter/utempter[xterm:5258] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xterm[xterm:5257] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.523902] grsec: exec of /bin/bash (bash ) by /bin/bash[xterm:5259] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xterm[xterm:5257] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.531515] grsec: exec of /usr/bin/tput (tput setaf 1 ) by /usr/bin/tput[bash:5260] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.535058] grsec: exec of /usr/bin/dircolors (dircolors -b ) by /usr/bin/dircolors[bash:5262] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5261] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.561333] grsec: exec of /bin/ls (ls /etc/bash_completion.d ) by /bin/ls[bash:5264] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5263] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.577900] grsec: exec of /usr/bin/xset (xset r rate 220 70 ) by /usr/bin/xset[bash:5265] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:35 gdOv kernel: [471743.585045] grsec: exec of /usr/bin/tty (tty ) by /usr/bin/tty[bash:5267] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5266] uid/euid:1000/1000 gid/egid:1000/1000

And this is pasting that command straight from Didier's email or so:

Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000

My password is not trivial, it takes me a few seconds (7 seconds here, between the above and the execution):

Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by /bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.976075] grsec: chdir to /root by /bin/su[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by /bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471752.983247] grsec: exec of /usr/bin/id (id -u ) by /usr/bin/id[bash:5272] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5271] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.007333] grsec: exec of /bin/ls (ls /etc/bash_completion.d ) by /bin/ls[bash:5274] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5273] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.027574] grsec: exec of /usr/bin/dircolors (dircolors ) by /usr/bin/dircolors[bash:5276] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5275] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.033984] grsec: exec of /usr/bin/dircolors (dircolors -b ) by /usr/bin/dircolors[bash:5278] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5277] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.038948] grsec: exec of /usr/bin/xset (xset r rate 220 70 ) by /usr/bin/xset[bash:5279] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.042488] grsec: exec of /usr/bin/setxkbmap (setxkbmap fr ) by /usr/bin/setxkbmap[bash:5280] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.057277] grsec: exec of /bin/dash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/dash[Xorg:5281] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/xorg/Xorg[Xorg:4131] uid/euid:1000/0 gid/egid:1000/0

Sep 23 14:12:45 gdOv kernel: [471753.071382] grsec: exec of /usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap compiler (xkbcomp) reports: -emp > -eml Errors from) by /usr/bin/xkbcomp[sh:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:45 gdOv kernel: [471753.072665] grsec: chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:5282] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/dash[sh:5281] uid/euid:1000/1000 gid/egid:1000/1000

Sep 23 14:12:45 gdOv kernel: [471753.095838] grsec: exec of /usr/bin/xset (xset b off ) by /usr/bin/xset[bash:5283] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

Sep 23 14:12:45 gdOv kernel: [471753.109265] grsec: exec of /usr/bin/mesg (mesg n ) by /usr/bin/mesg[bash:5284] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5270] uid/euid:0/0 gid/egid:0/0

[...]
Sep 23 14:15:09 gdOv kernel: [471897.458734] grsec: exec of /bin/date (date +%y%m%d_%H%M%S ) by /bin/date[bash:5317] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.458774] grsec: exec of /bin/cat (cat /var/log/kern.log ) by /bin/cat[bash:5315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.463625] grsec: exec of /bin/hostname (hostname ) by /bin/hostname[bash:5318] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5316] uid/euid:0/0 gid/egid:0/0

Sep 23 14:15:09 gdOv kernel: [471897.466904] grsec: exec of /bin/grep (grep -aE -A23000 471743.404689 ) by /bin/grep[bash:5316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4382] uid/euid:0/0 gid/egid:0/0

I decided to keep the last lines, because it's how I got those logs. The command was:

# cat /var/log/kern.log | grep -aE -A23000 471743.404689 \
    > kern.log_$(date +%y%m%d_%H%M%S)_$(hostname)

(where 471743.404689 was taken from the terminal in bottom left where only "tail -f /var/log/kern.log" is running)

So what about and how that command "helps you forget the root password"?

I did have to type my root password right before I became "uid/euid:0/0 gid/egid:0/0" having started as only "uid/euid:1000/1000 gid/egid:1000/1000"...

Regards?
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
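
Added example, not part of the original message: a Python reader for grsec exec_logging lines of the kind quoted above, which reports each pid that was exec'd with a non-root euid and later shows up as a root parent, together with the kernel-timestamp gap between the two events. The three sample lines are copied from the message; the function name and the record fields are assumptions of this example.

```python
import re

# Three exec_logging lines copied from the message above.
SAMPLE = """\
Sep 23 14:12:38 gdOv kernel: [471746.636753] grsec: exec of /usr/bin/sudo (sudo su -l ) by /usr/bin/sudo[bash:5268] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5259] uid/euid:1000/1000 gid/egid:1000/1000
Sep 23 14:12:45 gdOv kernel: [471752.948437] grsec: exec of /bin/su (su -l ) by /bin/su[sudo:5269] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:5268] uid/euid:0/0 gid/egid:0/0
Sep 23 14:12:45 gdOv kernel: [471752.976381] grsec: exec of /bin/bash (-su ) by /bin/bash[su:5270] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:5269] uid/euid:0/0 gid/egid:0/0
"""

# One process description: path[comm:pid] uid/euid:U/E gid/egid:G/G
PROC = r"(\S+)\[(\S+?):(\d+)\] uid/euid:(\d+)/(\d+) gid/egid:\d+/\d+"
# The argument list may itself contain parentheses, so match it greedily
# up to the last ") by " that is followed by a process description.
EXEC_RE = re.compile(
    r"\[\s*(\d+\.\d+)\] grsec: exec of (\S+) \((.*)\) by "
    + PROC + r", parent " + PROC)


def find_escalations(log_text):
    """Return one record per pid exec'd as non-root that later has euid 0."""
    first_seen = {}  # pid -> (kernel timestamp, euid, argv) at its own exec
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue  # chdir records and unrelated kernel lines
        ts, argv = float(m[1]), m[3].strip()
        pid, euid = int(m[6]), int(m[8])
        ppid, parent_euid = int(m[11]), int(m[13])
        first_seen.setdefault(pid, (ts, euid, argv))
        seen = first_seen.get(ppid)
        if seen and seen[1] != 0 and parent_euid == 0:
            hits.append({"pid": ppid, "command": seen[2], "child": argv,
                         "seconds_to_root": round(ts - seen[0], 3)})
            first_seen[ppid] = (seen[0], 0, seen[2])  # report each pid once
    return hits


if __name__ == "__main__":
    for hit in find_escalations(SAMPLE):
        print(hit)
```

On the sample, the only pid reported is 5268, the `sudo su -l` invocation: it is logged at exec with euid 1000 and next appears as the euid-0 parent of `su -l`.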