Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-07-02 Thread andreimpopescu
On Mi, 19 iun 19, 11:06:59, Bagas Sanjaya wrote:
> Hello all Debian Users,
> 
> Consider the hypothetical scenario below.

Your hypothetical scenario is not relevant for what you are asking.

Context for the list:
https://lists.debian.org/debian-devel/2019/06/msg00371.html
 
> I often encountered cases on systems in television stations when they
> configured sudoers like this snippet below:
> 
> %remaja ALL=(ALL:ALL) ALL
> 
> The rationale for above is most programs on such systems can only be
> accessed by users which are member of remaja (teens) group via sudo, so
> their sysadmins giving remaja user group full administrator privileges. Is
> it dangerous?

Knives are dangerous when used improperly, but we still have them at 
home.

Instead of locking them away we teach children to use them safely.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-25 Thread Greg Wooledge
On Tue, Jun 25, 2019 at 10:38:10AM +0700, Bagas Sanjaya wrote:
> In this hypothetical scenario, the sudoers rule is applied to ALL systems,
> including production ones, and sysadmins doesn't have proper backups.

On Tue, Jun 25, 2019 at 08:45:13AM -, Curt wrote:
> I'd just get a better hypothetical scenario if I were the OP (they're a
> dime a dozen anyway) because as it stands now his is so completely up
> the wazoo it's really the only sensible advice.

I'm about 30% convinced this is all some sort of elaborate troll.

40% chance this person is just completely incompetent, and these
decisions will mean the end of their employment in this field.

30% chance that it's a language/translation issue, and the actual
intent is not being conveyed correctly, despite repeated requests for
clarification.

(It's probably some combination of the three.)



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-25 Thread Curt
On 2019-06-25, Aidan Gauland  wrote:
>>
>> In this hypothetical scenario, the sudoers rule is applied to ALL
>> systems, including production ones, and sysadmins doesn't have proper
>> backups.
> OK, not having a (good) backup system is definitely bad.  You should
> always have that even if your security is very tight, in case something
> slips through, or an admin makes a mistake.

I'd just get a better hypothetical scenario if I were the OP (they're a
dime a dozen anyway) because as it stands now his is so completely up
the wazoo it's really the only sensible advice.



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-25 Thread Aidan Gauland
On 25/06/19 3:38 PM, Bagas Sanjaya wrote:
> On 24/06/19 06.27, Aidan Gauland wrote:
>
>> I can't really offer an opinion on whether it is dangerous without a
>> more detailed hypothetical scenario, but I would say that is
>> overbroad, and this rule should be narrowed down to only allow
>> running certain commands via sudo as required for this group to
>> perform their work.
>
> In this hypothetical scenario, the sudoers rule is applied to ALL
> systems, including production ones, and sysadmins doesn't have proper
> backups.
OK, not having a (good) backup system is definitely bad.  You should
always have that even if your security is very tight, in case something
slips through, or an admin makes a mistake.



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-25 Thread mick crane

On 2019-06-25 04:38, Bagas Sanjaya wrote:
> On 24/06/19 06.27, Aidan Gauland wrote:
>
> > I can't really offer an opinion on whether it is dangerous without a
> > more detailed hypothetical scenario, but I would say that is
> > overbroad, and this rule should be narrowed down to only allow running
> > certain commands via sudo as required for this group to perform their
> > work.
>
> In this hypothetical scenario, the sudoers rule is applied to ALL
> systems, including production ones, and sysadmins doesn't have proper
> backups.


I've concluded that you are asking for assistance with some artistic 
idea applying anarchist political theory to TV film production but are 
confusing production method with production tools.
When film/ tape was flammable an editor wouldn't let a random person 
with a flame thrower into his editing room likewise a computer whose 
function might be video editing is a tool of many delicate parts and if 
some part of it is broken then it likely will stop working.


mick
--
Key ID4BFEBB31



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-24 Thread Bagas Sanjaya

On 24/06/19 06.27, Aidan Gauland wrote:

> I can't really offer an opinion on whether it is dangerous without a
> more detailed hypothetical scenario, but I would say that is
> overbroad, and this rule should be narrowed down to only allow running
> certain commands via sudo as required for this group to perform their
> work.


In this hypothetical scenario, the sudoers rule is applied to ALL 
systems, including production ones, and sysadmins doesn't have proper 
backups.




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-23 Thread Andy Smith
Hello,

On Mon, Jun 24, 2019 at 12:34:36PM +1200, Richard Hector wrote:
> On 23/06/19 12:07 PM, Andy Smith wrote:
> > andy@debtest1:~$ su - bob
> > Password: 
> > bob@debtest1:~$ whoami
> > bob
> > bob@debtest1:~$ sudo -i
> > [sudo] password for bob: 
> > Sorry, user bob is not allowed to execute '/bin/bash' as root on debtest1.vps.bitfolk.com.
> > bob@debtest1:~$ echo 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:9:7:::' > myshadow
> > bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
> > bob@debtest1:~$ su -
> > Password: 
> > root@debtest1:~# whoami
> > root

[…]

> Haven't you just set your own (bob) password there? Not saying you
> couldn't set root's instead, but ... it looks like in this case you
> already knew it.

Yes, it was a mispaste from an earlier line in my screen history.
Sorry about that.

Point is you can take a hash that you already know, e.g. your own,
write it into a new shadow file but make it be for the root user,
not your own user, e.g.:

bob@debtest1:~$ echo 'root:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:9:7:::' > myshadow

and then since you are able to use mount as root you can bind mount
your new shadow file over the system's real shadow file, hence
effectively resetting root's password:

bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
bob@debtest1:~$ su -
Password: 
root@debtest1:~# whoami
root

Since you can bind mount files and directories, root access to
"mount" means root access to every part of the existing filesystem
so there's many many ways of getting a root shell from that.

Try it. :) But maybe on a test host as bind-mounting over something
important may completely break your system.

Cheers,
Andy
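
A check for the two rule shapes this thread warns about, a group granted ALL commands and a rule granting mount itself, as an added example that is not from the thread. It reads simple one-line rules only; the sample rules and the mount-usb path are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Handles simple one-line sudoers rules
# only: aliases, includes and line continuations are not expanded.

# Commands treated as equal to full root when allowed via sudo. Limited to
# what the thread shows: mount, and shells such as the /bin/bash of "sudo -i".
is_root_equivalent() {
    case "$1" in
        mount|bash|sh|dash) return 0 ;;
        *) return 1 ;;
    esac
}

# Print FULL_ROOT, "ROOT_EQUIVALENT <cmd>", OK or SKIP for one rule line.
audit_rule() {
    # Collapse runs of blanks to one space and drop leading blanks.
    line=$(printf '%s\n' "$1" | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //')
    case "$line" in
        ''|'#'*|Defaults*|*_Alias" "*) echo "SKIP"; return 0 ;;
        *=*) ;;
        *) echo "SKIP"; return 0 ;;
    esac
    # Keep the command list: drop "who host=", the (runas) spec and any tags
    # such as NOPASSWD:.
    cmds=$(printf '%s\n' "${line#*=}" | sed \
        -e 's/^[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' \
        -e 's/[A-Z_]\{1,\}:[[:space:]]*//g')
    verdict="OK"
    old_ifs=$IFS; IFS=,; set -f
    for c in $cmds; do
        c=${c# }            # blank left after the comma
        path=${c%% *}       # first word is the command path
        case "$path" in
            ALL) verdict="FULL_ROOT"; break ;;
            '!'*|'') continue ;;
        esac
        if is_root_equivalent "${path##*/}" && [ "$verdict" = "OK" ]; then
            verdict="ROOT_EQUIVALENT ${path##*/}"
        fi
    done
    IFS=$old_ifs; set +f
    echo "$verdict"
}

# Run the check over constructed sample rules (first rule is the one quoted
# in the thread; the others are made up for illustration).
audit_sample() {
    while IFS= read -r rule; do
        verdict=$(audit_rule "$rule")
        [ "$verdict" = "SKIP" ] || printf '%-22s %s\n' "$verdict" "$rule"
    done <<'EOF'
# constructed sample rules
Defaults env_reset
%remaja ALL=(ALL:ALL) ALL
bob ALL=(root) /bin/mount
%remaja ALL=(root) NOPASSWD: /usr/local/sbin/mount-usb
EOF
}

audit_sample
```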



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-23 Thread Richard Hector
On 23/06/19 12:07 PM, Andy Smith wrote:
> Hello,
> 
> On Sat, Jun 22, 2019 at 04:44:40PM -0700, Jimmy Johnson wrote:
>> Some one mentioned mounting drives, all that and what they need can be
>> configured.
> 
> Also note that anyone who can use "mount" as root can trivially become
> root. If countenancing allowing users to run "mount" as root I would
> make scripts that only mounted the exact things to the exact places,
> and then let them run those scripts as root.
> 
> andy@debtest1:~$ su - bob
> Password: 
> bob@debtest1:~$ whoami
> bob
> bob@debtest1:~$ sudo -i
> [sudo] password for bob: 
> Sorry, user bob is not allowed to execute '/bin/bash' as root on debtest1.vps.bitfolk.com.
> bob@debtest1:~$ echo 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:9:7:::' > myshadow
> bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
> bob@debtest1:~$ su -
> Password: 
> root@debtest1:~# whoami
> root
> 
> The password of that hash is "letmein1".
> 
> So don't give anyone sudo access to /bin/mount unless you are okay
> with them being able to become root proper if they really want to.

Haven't you just set your own (bob) password there? Not saying you
couldn't set root's instead, but ... it looks like in this case you
already knew it.

Cheers,
Richard






Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-23 Thread tomas
On Sun, Jun 23, 2019 at 12:07:12AM +, Andy Smith wrote:
> Hello,
> 
> On Sat, Jun 22, 2019 at 04:44:40PM -0700, Jimmy Johnson wrote:
> > Some one mentioned mounting drives, all that and what they need can be
> > configured.
> 
> Also note that anyone who can use "mount" as root can trivially become
> root. If countenancing allowing users to run "mount" as root I would
> make scripts that only mounted the exact things to the exact places,
> and then let them run those scripts as root.

Folks. Wise up. For "mount" there's a solution (in fstab) not needing
root. For other things, sudoers covers nearly every restricted root
usage.

Cheers
-- tomás




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Andy Smith
Hello,

On Sat, Jun 22, 2019 at 04:44:40PM -0700, Jimmy Johnson wrote:
> Some one mentioned mounting drives, all that and what they need can be
> configured.

Also note that anyone who can use "mount" as root can trivially become
root. If countenancing allowing users to run "mount" as root I would
make scripts that only mounted the exact things to the exact places,
and then let them run those scripts as root.

andy@debtest1:~$ su - bob
Password: 
bob@debtest1:~$ whoami
bob
bob@debtest1:~$ sudo -i
[sudo] password for bob: 
Sorry, user bob is not allowed to execute '/bin/bash' as root on debtest1.vps.bitfolk.com.
bob@debtest1:~$ echo 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:9:7:::' > myshadow
bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
bob@debtest1:~$ su -
Password: 
root@debtest1:~# whoami
root

The password of that hash is "letmein1".

So don't give anyone sudo access to /bin/mount unless you are okay
with them being able to become root proper if they really want to.

Cheers,
Andy
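
The suggestion above, a script that mounts only the exact things to the exact places and is the only thing sudo allows, as an added example that is not code from the thread. The script name, install path, volume labels, mount points and the vfat filesystem type are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical install path:
#   /usr/local/sbin/mount-usb   (owner root:root, mode 0755)
# Hypothetical sudoers rule (edit with visudo) instead of granting /bin/mount:
#   %remaja ALL=(root) /usr/local/sbin/mount-usb

# Allowlist of mounts: name -> "device mountpoint" (constructed values).
# The caller chooses a name; the caller never supplies a path or an option.
lookup_mount() {
    case "$1" in
        stick)  echo "/dev/disk/by-label/REMAJA_USB /media/remaja-usb" ;;
        camera) echo "/dev/disk/by-label/REMAJA_CAM /media/remaja-cam" ;;
        *)      return 1 ;;
    esac
}

# Build the one mount command permitted for an allowlisted name. No caller
# text reaches the command line, so --bind, -o and other targets cannot be
# requested through this wrapper.
build_mount_cmd() {
    entry=$(lookup_mount "$1") || return 1
    dev=${entry% *}
    dir=${entry#* }
    echo "/bin/mount -t vfat -o nosuid,nodev,noexec $dev $dir"
}

main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: mount-usb stick|camera" >&2
        return 2
    fi
    cmd=$(build_mount_cmd "$1") || {
        echo "mount-usb: '$1' is not an allowed mount" >&2
        return 1
    }
    dir=${cmd##* }
    # Refuse a mountpoint that is missing or has been replaced by a symlink.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "mount-usb: $dir is not a plain directory" >&2
        return 1
    fi
    # $cmd is assembled only from the constants above, so splitting it is safe.
    # shellcheck disable=SC2086
    exec $cmd
}

# Run main only when installed under its real name, so the functions can be
# loaded and checked without touching any mount.
case "${0##*/}" in
    mount-usb) main "$@" ;;
esac
```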



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Jimmy Johnson

On 06/19/2019 09:56 PM, Bagas Sanjaya wrote:

> > That is almost as bad as having no security restrictions at all. The
> > correct thing to do would be to set permissions on the programs to
> > allow them to be run by group remaja.
>
> What I thought that the correct way is to configure sudoers so that
> remaja group can access programs that they absolutely required via sudo
> (e.g. mount for mounting USB sticks).
>
> > I don't say this often. I would immediately fire the person
> > responsible for instituting this policy on a "production" system. (It
> > would be a good policy if the system is intended as an educational
> > environment to allow the teens to ruin things, and learn from
> > experience.)
>
> In fact, many television stations have most programs written for teens
> (age 13 and older), so sysadmins there configure sudoers which allows
> teens to behave like sysadmins themselves (by giving them full
> administrator privileges) on their production systems. Also, parental
> monitoring and guidance can reduce likelihood of teens breaking such
> systems. Maybe because teens are largest marketshare for TVs.



Some one mentioned mounting drives, all that and what they need can be 
configured.  There is no reason to give /sudo/root/ to anyone but the 
admin, unless it's a class on system admin.  What are you going to do 
about it?

--
Jimmy Johnson

Devuan Jessie - KDE 4.14.2 - AMD A8-7600 - EXT4 at sda2
Registered Linux User #380263



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Curt
On 2019-06-22, deloptes  wrote:
> Brad Rogers wrote:
>
>>>Is it a TV program or a computer program?
>> 
>> On TV, it's a programme.
>> 
>
> thank you

In British English.



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread deloptes
Brad Rogers wrote:

>>Is it a TV program or a computer program?
> 
> On TV, it's a programme.
> 

thank you



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Brad Rogers
On Sat, 22 Jun 2019 17:21:14 +0200
deloptes  wrote:

Hello deloptes,

>Is it a TV program or a computer program?

On TV, it's a programme.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Well well well, you just can't tell
My Michelle - Guns 'N' Roses




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread deloptes
rhkra...@gmail.com wrote:

> I still don't understand the context -- are these teens somehow working at
> the TV station deciding which shows to be transmitted, or are these teens
> at home, viewing TV, and possibly getting the option to view TV programs
> being broadcast with the watermark that says they must be 13 to view?
> 
>> I'm talking about (production) systems which teens are allowed to do most
>> (administrative?) tasks with sudo, which are analogous to letting them
>> watch TV programs designed for them, which are majority of programs
>> offered by TV stations in real life.
> 
> Maybe this (last) paragraph answers my question, but it is not really
> clear to me.

I also have the feeling I do not know English and computers at all. What
does a teen watching TV programs has to do with sudo and Linux and why
would they need sudo at all? Also the word program is ambiguous in the
context. Is it a TV program or a computer program?

In any case - no one gives root to all to everybody or not known/skilled
people - problems are to be expected.





Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Gene Heskett
On Saturday 22 June 2019 04:02:11 Curt wrote:

> On 2019-06-22, Gene Heskett  wrote:
> >> You seem to be assuming that Mr. Banjaya is in the USA. While that
> >> is not impossible, given the Javanese name and non-USA usage of
> >> English, I suspect that it is not correct.
> >
> > > That's entirely possible Carl, so you could well be correct, but
> > after the war, they borrowed very heavily from us for their own com
> > rules, so even now I wouldn't expect huge deviations from our rules.
> > The final answer should come from whatever document they maintain
> > that is the equ of our 47 CFR.  And even if I had access to it, I
> > read very very little Japanese, most of that from the engrish
> > translations of Sony manuals.
>
> Not Japanese, but *Javanese*. Remaja is Javanese (derived from
> Indonesian, I think) for teenager, who apparently are a PITA
> world-wide, which is somehow comforting.
>
> > Cheers, Gene Heskett

I missed that spelling detail, but the comments are valid as long as 
there are hormones at work, and if they are not working, the line goes 
extinct. That pretty much guarantees the theory. :-)

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Gene Heskett
On Friday 21 June 2019 22:21:57 deloptes wrote:

> Bagas Sanjaya wrote:
> > In Indonesia, the case resemble hypothetical case in this thread,
> > where sysadmins in TV station doesn't care about least privilege
> > security principle and they gave teens full root privileges, for
> > most programs are for teens.
>
> What a BS! This comes from Windoz for sure.
>
> The question is contradiction in itself. As soon as you give full
> access to anybody, you are out of control and you lose. And yes it is
> dangerous.

+100 (or more)

> I don't see the point in the discussion. In fact if it is a teen or
> someone else does not make any difference.

Also in violent agreement.

Frankly I'll make another statement based on over 20 years with that 
letter in my office file cabinet, windoze machines are only used in news 
and sales, on their own subnet that is distinctly wired separately from 
any of the linux machines used involved with day to day air operations. 
Even incoming spots from national sales agencies, are previewed for 
content before being placed on a transfer server that production can 
access to move them to the air queue.  News, because of its more 
realtime nature, has faster access in that a breaking story may still be 
in the editor when the news open graphic is playing.

I have no idea what the fine structure is where the OP is posting from.  
Here its $27,500 per instance. I will say that facilities I have been in 
charge of, have never been assessed such a fine. I may arrive in the 
morning to find news has smashed up every camera they have, but that 
stuff gets checked before I go ripping cameras apart to repair them. 
Most camera repairs were a piece of cake for me.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Carl


On 6/21/19 6:35 PM, Bagas Sanjaya wrote:
> Carl Fink wrote:
>
> > You seem to be assuming that Mr. Banjaya is in the USA. While that is
> > not impossible, given the Javanese name and non-USA usage of English,
> > I suspect that it is not correct.
>
> In Indonesia, the case resemble hypothetical case in this thread, where
> sysadmins in TV station doesn't care about
> least privilege security principle and they gave teens full root privileges,
> for most programs are for teens.

I apologize for my error in typing your name. I seem to have combined
your personal and family names, which was foolish. I meant no offense.


Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread rhkramer
On Saturday, June 22, 2019 04:11:56 AM Bagas Sanjaya wrote:
> I don't know. Since 2013 most programs (GUI applications) there (TV
> stations systems) display watermark which stated that those are for teens
> (optionally with parental guidance). So children have to wait until 13 in
> order to fully make use of those systems.

I still don't understand the context -- are these teens somehow working at the 
TV station deciding which shows to be transmitted, or are these teens at home, 
viewing TV, and possibly getting the option to view TV programs being 
broadcast with the watermark that says they must be 13 to view?

> I'm talking about (production) systems which teens are allowed to do most
> (administrative?) tasks with sudo, which are analogous to letting them
> watch TV programs designed for them, which are majority of programs
> offered by TV stations in real life.

Maybe this (last) paragraph answers my question, but it is not really clear to 
me.




Teenagers (was: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?)

2019-06-22 Thread rhkramer
On Saturday, June 22, 2019 04:02:11 AM Curt wrote:
> Remaja is Javanese (derived from Indonesian,
> I think) for teenager, who apparently are a PITA world-wide, 

;-)

> which is
> somehow comforting.

Well, maybe (I can see that viewpoint, it is somehow disappointing ;-)



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread deloptes
Thomas Schmitt wrote:

> Curt wrote:
>> [...] teenager, who apparently are a PITA world-wide
> 
> Especially for the carbon dioxide producers. :))

Please don't start this! It is a big business and what happens is like
advertisement for it. I wouldn't say this if someone would mention the big
cargo ships or airplanes ... but no ... only BS around this topic. Please
stop!

BTW you are also a carbon dioxide producer ;-)

regards



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread tomas
On Sat, Jun 22, 2019 at 10:40:12AM +0200, Thomas Schmitt wrote:
> Hi,
> 
> Curt wrote:
> > [...] teenager, who apparently are a PITA world-wide
> 
> Especially for the carbon dioxide producers. :))

;-))

-- t




Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread tomas
On Sat, Jun 22, 2019 at 04:21:57AM +0200, deloptes wrote:
> Bagas Sanjaya wrote:
> 
> > In Indonesia, the case resemble hypothetical case in this thread, where
> > sysadmins in TV station doesn't care about least privilege security
> > principle and they gave teens full root privileges, for most programs are
> > for teens.
> 
> What a BS! This comes from Windoz for sure.
> 
> The question is contradiction in itself. As soon as you give full access to
> anybody, you are out of control and you lose. And yes it is dangerous.

I strongly disagree. Trust is a social issue, not a technical one. So,
IMHO, you have to approach it by social means.

Technical "fences" are just a tool -- but how you use that tool must be
clear well before you take it out of the cupboard.

Cheers
-- t




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Thomas Schmitt
Hi,

Curt wrote:
> [...] teenager, who apparently are a PITA world-wide

Especially for the carbon dioxide producers. :))

> which is somehow comforting.

Yeah. Our past enthusiasm did not vanish. It's just with somebody else now.


Have a nice day :)

Thomas



Re: Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Bagas Sanjaya

> What a BS! This comes from Windoz for sure.


I don't know. Since 2013 most programs (GUI applications) there (TV stations 
systems) display watermark which stated that
those are for teens (optionally with parental guidance). So children have to 
wait until 13 in order to fully make use of
those systems.

> I don't see the point in the discussion. In fact if it is a teen or someone
> else does not make any difference.

I'm talking about (production) systems which teens are allowed to do most 
(administrative?) tasks with sudo, which are
analogous to letting them watch TV programs designed for them, which are 
majority of programs offered by TV stations in
real life.



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-22 Thread Curt
On 2019-06-22, Gene Heskett  wrote:
>>
>> You seem to be assuming that Mr. Banjaya is in the USA. While that is
>> not impossible, given the Javanese name and non-USA usage of English,
>> I suspect that it is not correct.
>
> That's entirely possible Carl, so you could well be correct, but after the 
> war, they borrowed very heavily from us for their own com rules, so even 
> now I wouldn't expect huge deviations from our rules. The final answer 
> should come from whatever document they maintain that is the equ of our 
> 47 CFR.  And even if I had access to it, I read very very little 
> Japanese, most of that from the engrish translations of Sony manuals.

Not Japanese, but *Javanese*. Remaja is Javanese (derived from Indonesian, I
think) for teenager, who apparently are a PITA world-wide, which is
somehow comforting.

> Cheers, Gene Heskett




Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-21 Thread deloptes
Bagas Sanjaya wrote:

> In Indonesia, the case resemble hypothetical case in this thread, where
> sysadmins in TV station doesn't care about least privilege security
> principle and they gave teens full root privileges, for most programs are
> for teens.

What a BS! This comes from Windoz for sure.

The question is contradiction in itself. As soon as you give full access to
anybody, you are out of control and you lose. And yes it is dangerous.

I don't see the point in the discussion. In fact if it is a teen or someone
else does not make any difference.





Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-21 Thread Gene Heskett
On Friday 21 June 2019 15:41:00 Carl Fink wrote:

> On 6/20/19 12:36 PM, Gene Heskett wrote:
> > On Thursday 20 June 2019 08:30:57 Bagas Sanjaya wrote:
> >> In hypothetical scenario as I described in the starting of this
> >> thread, I imagine that TV programs run by TV stations can be
> >> thought as computer programs in TV station's production systems.
> >>
> >>> I would instead make the specific programs the students/teens
> >>> should be using executable by them without needing sudo. Linux
> >>> permissions make this very straightforward.
> >>
> >> I mean:
> >>
> >> # chown root:remaja /opt/teen-programs/bin/* && chmod 755
> >> /opt/teen-programs/bin/*
> >>
> >> But we're considering in this thread when most age-restricted
> >> programs can only be run using sudo, that is, such programs can
> >> only be run by root or using sudo.
> >
> > As a retired Chief Engineer, one of my duties was also the holder of
> > a letter designating me as the Chief Operator of that tv station. So
> > one of my duties was seeing to it that the rules as published in 47
> > CFR that applied to both the technical operations, and the legal
> > things were enforced. A subscription to that 47 CFR from the GPO,
> > can be a very wise expense.  Not knowing something in it is a
> > > null/void defense. Cover your ass in other words.
> >
> > What you want to do opens a pandora's box of stuff these teenagers
> > might like to see aired.  That means putting their stuff in a
> > permissions sandbox that only the chief operator has rights to move
> > the materiel out of that sandbox into the broadcast queue. IOW,
> > someone with that letter of authority must exist, and the FCC gives
> > him/her that veto power because he/she is also the person they'll
> > monetarily fine at $27,000 per instance when something airs that
> > shouldn't.
>
> (Lots of snipping above.)
>
> You seem to be assuming that Mr. Banjaya is in the USA. While that is
> not impossible, given the Javanese name and non-USA usage of English,
> I suspect that it is not correct.

That's entirely possible Carl, so you could well be correct, but after the 
war, they borrowed very heavily from us for their own com rules, so even 
now I wouldn't expect huge deviations from our rules. The final answer 
should come from whatever document they maintain that is the equ of our 
47 CFR.  And even if I had access to it, I read very very little 
Japanese, most of that from the engrish translations of Sony manuals.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-21 Thread Bagas Sanjaya

Carl Fink wrote:

> You seem to be assuming that Mr. Banjaya is in the USA. While that is
> not impossible, given the Javanese name and non-USA usage of English,
> I suspect that it is not correct.


In Indonesia, the case resemble hypothetical case in this thread, where 
sysadmins in TV station doesn't care about
least privilege security principle and they gave teens full root privileges, 
for most programs are for teens.



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-21 Thread Carl Fink

On 6/20/19 12:36 PM, Gene Heskett wrote:
> On Thursday 20 June 2019 08:30:57 Bagas Sanjaya wrote:
> > In hypothetical scenario as I described in the starting of this
> > thread, I imagine that TV programs run by TV stations can be thought
> > as computer programs in TV station's production systems.
> >
> > > I would instead make the specific programs the students/teens should
> > > be using executable by them without needing sudo. Linux permissions
> > > make this very straightforward.
> >
> > I mean:
> >
> > # chown root:remaja /opt/teen-programs/bin/* && chmod 755
> > /opt/teen-programs/bin/*
> >
> > But we're considering in this thread when most age-restricted programs
> > can only be run using sudo, that is, such programs can only be run by
> > root or using sudo.
>
> As a retired Chief Engineer, one of my duties was also the holder of a
> letter designating me as the Chief Operator of that tv station.
> So one of my duties was seeing to it that the rules as published in 47
> CFR that applied to both the technical operations, and the legal things
> were enforced. A subscription to that 47 CFR from the GPO, can be a very
> wise expense.  Not knowing something in it is a null/void defense.
> Cover your ass in other words.
>
> What you want to do opens a pandora's box of stuff these teenagers might
> like to see aired.  That means putting their stuff in a permissions
> sandbox that only the chief operator has rights to move the materiel out
> of that sandbox into the broadcast queue. IOW, someone with that letter
> of authority must exist, and the FCC gives him/her that veto power
> because he/she is also the person they'll monetarily fine at $27,000 per
> instance when something airs that shouldn't.


(Lots of snipping above.)

You seem to be assuming that Mr. Banjaya is in the USA. While that is 
not impossible, given the Javanese name and non-USA usage of English, I 
suspect that it is not correct.

--
Carl Fink
c...@finknetwork.com



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread Gene Heskett
On Thursday 20 June 2019 08:30:57 Bagas Sanjaya wrote:

> Carl (ca...@panix.com) said:
> > OK, which meaning of "program" are you using here? In American (and
> > UK) English, it can mean either "set of instructions that run on a
> > computer" or "television entertainment item." You seem to be using
> > it both ways in this message or confusing the two.
>
> In this case, "program" means "instructions that run on a computer",
> or "software".
>
> In hypothetical scenario as I described in the starting of this
> thread, I imagine that TV programs run by TV stations can be thought
> as computer programs in TV station's production systems.
>
> > I would instead make the specific programs the students/teens should
> > be using executable by them without needing sudo. Linux permissions
> > make this very straightforward.
>
> I mean:
>
> # chown root:remaja /opt/teen-programs/bin/* && chmod 755
> /opt/teen-programs/bin/*
>
> But we're considering in this thread when most age-restricted programs
> can only be run using sudo, that is, such programs can only be run by
> root or using sudo.

As a retired Chief Engineer, one of my duties was also the holder of a 
letter designating me as the Chief Operator of that tv station.
So one of my duties was seeing to it that the rules as published in 47 
CFR that applied to both the technical operations, and the legal things 
were enforced. A subscription to that 47 CFR from the GPO, can be a very 
wise expense.  Not knowing something in it is a null/void defense.  
Cover your ass in other words.

What you want to do opens a Pandora's box of stuff these teenagers might 
like to see aired.  That means putting their stuff in a permissions 
sandbox that only the chief operator has rights to move the material out 
of that sandbox into the broadcast queue. IOW, someone with that letter 
of authority must exist, and the FCC gives him/her that veto power 
because he/she is also the person they'll monetarily fine at $27,000 per 
instance when something airs that shouldn't.

And there are several categories of no-no's. Payola schemes by the 
General Sales Manager, backed by the General Manager himself got shut 
down by me. They went to the owner to get me fired, and he told them to 
go pound sand, I was saving lots of money. That GM got a surprise visit 
from the corporate bookkeeper, and was escorted out on 15 minutes notice 
to collect his personal stuff by a deputy for cooking the books.

Anyway, what you want to do to facilitate their creativity still needs a 
final approval by someone with that letter giving them the power to say 
no.  And likely an IT guy smart enough to stay ahead of their attempts 
to climb that fence.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread Bagas Sanjaya

Carl (ca...@panix.com) said:

> OK, which meaning of "program" are you using here? In American (and
> UK) English, it can mean either "set of instructions that run on a
> computer" or "television entertainment item." You seem to be using it
> both ways in this message or confusing the two.

In this case, "program" means "instructions that run on a computer", or 
"software".

In hypothetical scenario as I described in the starting of this thread, 
I imagine that TV programs run by TV stations can be thought as computer 
programs in TV station's production systems.

> I would instead make the specific programs the students/teens should
> be using executable by them without needing sudo. Linux permissions
> make this very straightforward.

I mean:

# chown root:remaja /opt/teen-programs/bin/* && chmod 755 /opt/teen-programs/bin/*

But we're considering in this thread when most age-restricted programs 
can only be run using sudo, that is, such programs can only be run by 
root or using sudo.


Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread rhkramer
On Thursday, June 20, 2019 02:57:18 AM Bagas Sanjaya wrote:
> > I think we (or at least I) must be missing some context here. For
> > starters, this must be some specific group of teenagers. And I'm sure
> > they're not given permission to take over running the whole TV station.
> > 
> > Is this some specific educational environment? Or is it a TV station
> > specifically intended to be run by and for teenagers? Something else?
> 
> Richard Hector (rich...@walnut.gen.nz), I am considering the case of
> (production) systems on TV stations for general audiences, that is TV
> stations that is watched by all audiences, not just teens. As long as
> someone is aged 13 or older, he/she is teenager. The remaja user group
> is for anyone that his/her age is 13 or older. My concern here is
> whether giving teens full administrator privileges on those production
> systems can be dangerous/vulnerable or not, in fact that psychologically
> they are very unstable.

I guess I don't understand either, and I'd like to.  I'm guessing the teens in 
question work for (or are interns at) the station -- they are not TV viewers 
on some sort of interactive TV which they can control (to some extent) from 
home?



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread Carl



On 6/20/19 12:56 AM, Bagas Sanjaya wrote:

>> That is almost as bad as having no security restrictions at all. The
>> correct thing to do would be to set permissions on the programs to
>> allow them to be run by group remaja.
> What I thought that the correct way is to configure sudoers so that
> remaja group can access programs that they absolutely required via
> sudo (e.g. mount for mounting USB sticks).

I would instead make the specific programs the students/teens should be 
using executable by them without needing sudo. Linux permissions make 
this very straightforward.

>> I don't say this often. I would immediately fire the person
>> responsible for instituting this policy on a "production" system. (It
>> would be a good policy if the system is intended as an educational
>> environment to allow the teens to ruin things, and learn from
>> experience.)
> In fact, many television stations have most programs written for teens
> (age 13 and older), so sysadmins there configure sudoers which allows
> teens to behave like sysadmins themselves (by giving them full
> administrator privileges) on their production systems. Also, parental
> monitoring and guidance can reduce likelihood of teens breaking such
> systems. Maybe because teens are largest marketshare for TVs.

OK, which meaning of "program" are you using here? In American (and UK) 
English, it can mean either "set of instructions that run on a computer" 
or "television entertainment item." You seem to be using it both ways in 
this message or confusing the two.


--
Carl Fink
c...@finknetwork.com
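
Carl's suggestion above (programs executable by the group without sudo) depends on the mode bits: the `chmod 755` in the command posted earlier in this thread leaves the files executable by every user, while 750 limits execution to the owner and the group. The audit below is an added example, not code from the thread; it assumes GNU stat as on Debian, and `audit_bin_dir` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Debian).
# audit_bin_dir is a hypothetical helper name.

# audit_bin_dir DIR GROUP
# Print one finding per regular file in DIR that does not match the
# intent "executable by members of GROUP, not by everyone":
#   world-exec FILE     others hold an execute bit (e.g. mode 755)
#   wrong-group FILE    the group owner is not GROUP
#   no-group-exec FILE  the group class lacks the execute bit
# Returns 0 when nothing was found, 1 otherwise.
audit_bin_dir() {
    dir=$1
    want_group=$2
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' -- "$f")     # octal mode, e.g. 750
        group=$(stat -c '%G' -- "$f")    # group owner name
        other_digit=$((mode % 10))
        group_digit=$((mode / 10 % 10))
        if [ $((other_digit % 2)) -eq 1 ]; then
            echo "world-exec $f"
            findings=$((findings + 1))
        fi
        if [ "$group" != "$want_group" ]; then
            echo "wrong-group $f"
            findings=$((findings + 1))
        elif [ $((group_digit % 2)) -eq 0 ]; then
            echo "no-group-exec $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: two empty files in a scratch directory.
demo=$(mktemp -d)
grp=$(stat -c '%G' -- "$demo")          # stands in for "remaja"
: > "$demo/a" && chmod 755 "$demo/a"    # mode used in the thread's command
: > "$demo/b" && chmod 750 "$demo/b"    # group-restricted variant
audit_bin_dir "$demo" "$grp" || echo "findings above need fixing"
rm -rf "$demo"
```

Only the file with mode 755 is reported; after `chmod 750` the directory audits clean.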



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread Curt
On 2019-06-20, Bagas Sanjaya wrote:
>
>> I think we (or at least I) must be missing some context here. For
>> starters, this must be some specific group of teenagers. And I'm sure
>> they're not given permission to take over running the whole TV station.
>>
>> Is this some specific educational environment? Or is it a TV station
>> specifically intended to be run by and for teenagers? Something else?
> Richard Hector (rich...@walnut.gen.nz), I am considering the case of 
> (production) systems on TV stations for general audiences, that is TV 
> stations that is watched by all audiences, not just teens. As long as 
> someone is aged 13 or older, he/she is teenager. The remaja user group 

Normally the teenage category has both a lower and an upper limit, the
latter being 19.

> is for anyone that his/her age is 13 or older. My concern here is 
> whether giving teens full administrator privileges on those production 
> systems can be dangerous/vulnerable or not, in fact that psychologically 
> they are very unstable.
>

If you're giving your psychologically unstable remajas full
administrative privileges you are effectively giving them root; sudo
affords the ability to fine-tune the accorded rights in such a way as to
limit the amount and nature of the havoc your adolescent sudoers may
eventually raise (when and if they do go bonkers).
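
Curt's point above, that sudo can grant narrower rights than a blanket rule, can be checked mechanically. The following is an added example, not code from the thread: `flag_blanket_rules` is a hypothetical helper that lists sudoers rules whose command list is a bare `ALL`, and the sample file and the program name `playout` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. flag_blanket_rules is a
# hypothetical helper; it reads single-line user specifications only
# (no backslash continuations, no alias expansion).

# flag_blanket_rules FILE
# Print "LINENO: rule" for every non-root rule whose command list
# contains a bare ALL, i.e. the principal may run any command.
flag_blanket_rules() {
    awk '
        /^[ \t]*#/ { next }                           # comments, includes
        /^[ \t]*$/ { next }                           # blank lines
        $1 ~ /^(Defaults|[A-Za-z_]+_Alias)/ { next }  # settings, aliases
        $1 == "root" { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            cmds = substr($0, eq + 1)
            gsub(/\([^)]*\)/, "", cmds)   # drop the Runas spec, e.g. (ALL:ALL)
            gsub(/[A-Z_]+:/, "", cmds)    # drop tags such as NOPASSWD:
            n = split(cmds, cmd, ",")
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", cmd[i])
                sub(/[ \t]+$/, "", cmd[i])
                if (cmd[i] == "ALL") { print NR ": " $0; break }
            }
        }
    ' "$1"
}

# Constructed sample: the rule from the thread next to a narrowed one.
# The program name "playout" is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%remaja ALL=(ALL:ALL) ALL
%remaja ALL=(root) /opt/teen-programs/bin/playout
EOF
flag_blanket_rules "$sample"
rm -f "$sample"
```

Only line 3, the blanket rule, is reported; the rule naming a single program is not. Check any edited sudoers file with `visudo -c -f FILE` before installing it.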



Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-20 Thread Bagas Sanjaya

> I think we (or at least I) must be missing some context here. For
> starters, this must be some specific group of teenagers. And I'm sure
> they're not given permission to take over running the whole TV station.
>
> Is this some specific educational environment? Or is it a TV station
> specifically intended to be run by and for teenagers? Something else?

Richard Hector (rich...@walnut.gen.nz), I am considering the case of 
(production) systems on TV stations for general audiences, that is TV 
stations that is watched by all audiences, not just teens. As long as 
someone is aged 13 or older, he/she is teenager. The remaja user group 
is for anyone that his/her age is 13 or older. My concern here is 
whether giving teens full administrator privileges on those production 
systems can be dangerous/vulnerable or not, in fact that psychologically 
they are very unstable.




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-19 Thread Richard Hector
On 20/06/19 4:56 PM, Bagas Sanjaya wrote:
>> That is almost as bad as having no security restrictions at all. The
>> correct thing to do would be to set permissions on the programs to
>> allow them to be run by group remaja.
> What I thought that the correct way is to configure sudoers so that
> remaja group can access programs that they absolutely required via sudo
> (e.g. mount for mounting USB sticks).
> 
>> I don't say this often. I would immediately fire the person
>> responsible for instituting this policy on a "production" system. (It
>> would be a good policy if the system is intended as an educational
>> environment to allow the teens to ruin things, and learn from
>> experience.)
> In fact, many television stations have most programs written for teens
> (age 13 and older), so sysadmins there configure sudoers which allows
> teens to behave like sysadmins themselves (by giving them full
> administrator privileges) on their production systems. Also, parental
> monitoring and guidance can reduce likelihood of teens breaking such
> systems. Maybe because teens are largest marketshare for TVs.
> 

I think we (or at least I) must be missing some context here. For
starters, this must be some specific group of teenagers. And I'm sure
they're not given permission to take over running the whole TV station.

Is this some specific educational environment? Or is it a TV station
specifically intended to be run by and for teenagers? Something else?

Richard





Re: Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-19 Thread Bagas Sanjaya

> That is almost as bad as having no security restrictions at all. The
> correct thing to do would be to set permissions on the programs to
> allow them to be run by group remaja.

What I thought that the correct way is to configure sudoers so that 
remaja group can access programs that they absolutely required via sudo 
(e.g. mount for mounting USB sticks).

> I don't say this often. I would immediately fire the person
> responsible for instituting this policy on a "production" system. (It
> would be a good policy if the system is intended as an educational
> environment to allow the teens to ruin things, and learn from
> experience.)

In fact, many television stations have most programs written for teens 
(age 13 and older), so sysadmins there configure sudoers which allows 
teens to behave like sysadmins themselves (by giving them full 
administrator privileges) on their production systems. Also, parental 
monitoring and guidance can reduce likelihood of teens breaking such 
systems. Maybe because teens are largest marketshare for TVs.




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-19 Thread Carl

On 6/19/19 12:06 AM, Bagas Sanjaya wrote:


> Hello all Debian Users,
>
> Consider the hypothetical scenario below.
>
> I often encountered cases on systems in television stations when they
> configured sudoers like this snippet below:
>
> %remaja ALL=(ALL:ALL) ALL
>
> The rationale for above is most programs on such systems can only be
> accessed by users which are member of remaja (teens) group via sudo,
> so their sysadmins giving remaja user group full administrator
> privileges. Is it dangerous?
>
> Regards, Bagas


That is almost as bad as having no security restrictions at all. The
correct thing to do would be to set permissions on the programs to
allow them to be run by group remaja.

I don't say this often. I would immediately fire the person
responsible for instituting this policy on a "production" system. (It
would be a good policy if the system is intended as an educational
environment to allow the teens to ruin things, and learn from
experience.)
--
Carl Fink
c...@finknetwork.com



Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-19 Thread tomas
On Wed, Jun 19, 2019 at 11:06:59AM +0700, Bagas Sanjaya wrote:
> Hello all Debian Users,
> 
> Consider the hypothetical scenario below.
> 
> I often encountered cases on systems in television stations when
> they configured sudoers like this snippet below:
> 
> %remaja ALL=(ALL:ALL) ALL
> 
> The rationale for above is most programs on such systems can only be
> accessed by users which are member of remaja (teens) group via sudo,
> so their sysadmins giving remaja user group full administrator
> privileges. Is it dangerous?

Yes, but danger's what makes life fun, after all :-)

The most important part would be to explain to the group's members what
this means. As a close second, frequent backups.

Of course, if it's an otherwise vital system extra care would be needed
(a backup system or similar).

There's no reason why teens shouldn't be good sysadmins, and you gotta
start learning at some point. It's definitely a Good Thing they don't
grow up as "just" passive smartphone consumers!

Cheers
-- t




Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?

2019-06-18 Thread john doe
On 6/19/2019 6:06 AM, Bagas Sanjaya wrote:
> Hello all Debian Users,
>
> Consider the hypothetical scenario below.
>
> I often encountered cases on systems in television stations when they
> configured sudoers like this snippet below:
>
> %remaja ALL=(ALL:ALL) ALL
>
> The rationale for above is most programs on such systems can only be
> accessed by users which are member of remaja (teens) group via sudo, so
> their sysadmins giving remaja user group full administrator privileges.
> Is it dangerous?
>

We can't answer this; the pros and cons are to be weighed.

--
John Doe