Jim Cheetham wrote:

On Aug 5, 2005, at 6:27 PM, Robert Himmelmann wrote:

Jim Cheetham wrote:

lol. "sudo su" is almost pointless ... "sudo -s" gives you a root shell :-)

Ok, I do not have much experience with sudo and typing 'u' is for me easier than '-'.

:-) agreed. Functionally they are very similar - in internal detail they are very different. Most of the time people are interested only in functionality ...

I commented everything in /etc/sudoers. I do not like sudo. Normally two thirds of the commands I use I do as root.

I left one line which lets root use sudo. I do not think that that line is harmful.

Then, remove sudo. If you have disabled it like that, why not remove it completely? (One answer - because distribution dependencies might try to prevent you. The answer to that might be Slackware or Linux From Scratch)

Maybe not even that:

ubuntu / # apt-get remove sudo
Reading package lists... Done
Building dependency tree... Done
The following packages will be REMOVED:
 gdm gksu gnome-netstatus-applet gnome-system-tools sudo ubuntu-base
 ubuntu-desktop
0 upgraded, 0 newly installed, 7 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 18.2MB disk space will be freed.
Do you want to continue [Y/n]?


One of my friends used to do everything on his laptop as the root user. After all, he owned the machine, didn't he? (There's no downside to the story. He never made a costly mistake ;-) Yes, he's that good).

I don't trust myself that much. It is also useful to have one account that is known to work.

It's up to you how hackable you leave your system. :-)

I can rely on security through obscurity. By modifying the keyboard layout for my own needs I have made it very difficult to use for anyone else. The only problem with this is that it is difficult for me to use any computer on which I have not copied that layout.

I've supported so many different systems that I've instead become able to use the most default system to do my job. Even on a machine that I expect to use for years, I make very few changes. If you heavily customise your machine, I advise you to also make sure that you can copy and re-apply those essential customisations to a default machine, quickly ;-) It's worth spending a bit of time generalising your setup, because if you get a new stock machine, it will take you much longer when you really need to get it done. I think that's some variation on the laws of thermodynamics ... ;-)

I use xmodmap. I tried my layout on an Italian laptop I got from my brother and it works fine. You only have to be at the stage where you do not look at your keyboard. If I do that I always get confused. For my next system I will try to get a keyboard with blank keys.

nmap shows that I have only one open port which is ssh and which I disable when I do not need it.

Unless you are explicitly asking nmap to probe every port, be aware that it only usually scans a few thousand likely target port numbers by default. Better to use netstat or the excellent "lsof -i TCP" and "lsof -i UDP" to say what ports you really do have open.

The only line I get:
sshd    6611 root    3u  IPv4  13653       TCP *:ssh (LISTEN)


*cough* same friend as above - always disables ports he doesn't need. He plugged his laptop into my network this afternoon ... I nmapped him. One open port - distccd. Hmmm ... he's a gentoo user, that's why he has distcc running.

Only one distribution? That would mean that he can only use emerge to install programs.

Google says ...
http://www.metasploit.com/projects/Framework/exploits.html#distcc_exec
http://distcc.samba.org/security.html
<quote>The server completely trusts an authorized client. A malicious client could execute arbitrary commands on the server.</quote>
Perhaps he isn't that good after all?

I tried distcc as well. There is one function with which you can authorise only clients from certain IPs and domains. There are also options such as running everything in a chroot, switching to a certain user &c. I doubt that he used these. The safest way is probably running it over ssh.


:-)

Like I said, "It's up to you how hackable you leave your system". Choose any two from these three - "security", "functionality", "complexity".

For me that would be twice complexity, although I would rather call it "not standard conform optimisation which occasionally breaks the system and makes excessive use of CPU, RAM, hard-disk space and human resources" (TM, C, R &c.)

-jim

Happy Hacking,
Robert Himmelmann
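
The listener check recommended in the thread (reading `lsof -i TCP` output instead of trusting a default nmap scan), as an added example that is not part of the original messages. The function name `unexpected_listeners`, its allow-list arguments and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from the network and
# are not on an allow-list. Input is `lsof -i TCP` style text on stdin.

# Usage: lsof -i TCP | unexpected_listeners ssh
# Arguments are the allowed ports, written the way lsof prints them
# (service names by default, numbers when lsof is run with -P).
unexpected_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $NF != "(LISTEN)" { next }      # skips the header and live connections
        {
            name = $(NF - 1)            # e.g. *:ssh, localhost:ipp, [::1]:631
            n = split(name, parts, ":")
            port = parts[n]             # text after the last colon
            addr = substr(name, 1, length(name) - length(port) - 1)
            # Loopback-only listeners are not reachable from other hosts.
            if (addr == "127.0.0.1" || addr == "localhost" || addr == "[::1]") next
            if (index(allowed, " " port " ") > 0) next
            print $1, $3, name          # command, user, bound address
        }'
}

# Constructed sample in the column layout quoted in the thread; not real output.
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    6611 root    3u  IPv4  13653       TCP *:ssh (LISTEN)
distccd 7012 distcc  4u  IPv4  14102       TCP *:distcc (LISTEN)
cupsd   5120 root    0u  IPv4  11877       TCP localhost:ipp (LISTEN)
sshd    6650 root    4u  IPv4  13790       TCP 192.168.1.5:ssh->192.168.1.9:40122 (ESTABLISHED)
EOF
}

# Demo: only ssh is expected, so the distccd listener is reported.
sample_lsof | unexpected_listeners ssh
```

Run against live `lsof -i TCP` output from cron or a login script, an empty result means every network-facing listener is one you expected.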
