Re: sudoers question

[tomas]

On Sat, May 13, 2023 at 09:07:19AM -0700, Kushal Kumaran wrote:

[...]

> The benefit is that there is no shared password. [...]

Thanks. This is one very good point indeed.

Cheers
-- 
t


signature.asc
Description: PGP signature

Re: sudoers question

[Kushal Kumaran]

On Sat, May 13 2023 at 01:51:03 AM, Lee  wrote:
> On 5/12/23, DdB  wrote:
>> Am 13.05.2023 um 00:03 schrieb Lee:
>>> On 5/12/23, Stefan Monnier  wrote:
> Or configure sudo to disable tty_tickets, so that the timeout (10
> minutes by default IIRC) applies to all terminals.

 `sudo bash` anyone?
>>>
>>> me!  me!  but I also have
>> (...)
>>> %adm  ALL = (root) NOPASSWD: ADM_COMMANDS
>>
>> Of course, there are ways to allow any/all sudo commands without
>> password. And i also have to cast a warning here:
>>
>> The kind of mistakes, any user (including yourself) can initiate, grows
>> considerably, if he can use any commands without even thinking.
>
> In general, yes, but how much trouble can
>   /usr/bin/dmesg,
>   /usr/bin/apt list
>   /usr/bin/apt update
>   /usr/sbin/checkrestart
>   /usr/sbin/needrestart
> cause?
>
> OTOH, I like the idea of logging in as root to do admin stuff.  But
> that seems to be frowned on now.. I don't  know why :(   .. unless
> logging?  'sudo bash' or logging in as root doesn't leave an audit
> trail of commands you've done
>

The benefit is that there is no shared password.  If one of the people
entrusted with sudo privileges needs to lose those privileges (perhaps
because they leave the organization), removing that user account stops
their access.  If, on the other hand, you were allowing admins to login
as root, you now need to change the shared root password.  Of course,
this requires a degree of locking down.  For example, the set of users
allowed to do day-to-day administration tasks must not overlap with the
set of users permitted to modify the sudo configuration or set root
password.  You can also have different sets of users permitted to do
different kinds of administrative tasks: one group might be permitted to
stop/restart a small set of services, for example.  And no one can be
permitted to do `sudo bash` or its equivalent.

Logging is a nice additional benefit, and some organizations may be
required to keep audit logs for server configuration changes.  sudo
providing this will be a bonus for them.

On single-user systems, the ability to do NOPASSWD for selected commands
is nice.  I don't know of any other benefit.

-- 
regards,
kushal

Re: sudoers question

[Dan Ritter]

to...@tuxteam.de wrote: 
> Security is engineering: always looking for a good tradeoff.
> Not magic.
> 
> (That's why I cringe when people around here scaremonger about
> "you NEED to have a password" and things. People should know
> what they are getting into, for sure, but at the same time they
> should take their own decisions).


Yes but -- if someone asks for advice and clearly doesn't know
the tradeoffs they are making, the first advice should be to
take the safer option.

Pointing them at the documentation after that is good.

-dsr-

Re: sudoers question

[debian-user]

 wrote:
> On Sat, May 13, 2023 at 10:35:31AM +0200, Michel Verdier wrote:
> > Le 12 mai 2023 tomas a écrit :
> >   
> > >> > `sudo bash` anyone?  
> > >> 
> > >> also quicker done with
> > >> su -  
> > >
> > > But not the same.  
> > 
> > Which differences do you see ?  
> 
> For su, you have to enter the root password. For sudo, there
> are many options, depending on config. Typically you enter
> yours.
> 
> Plus, you can configure which commands (and args) can be done
> by whom, based on user id, local or remote, etc.
> 
> OTOH the sudo system is way more complex than simple su, so
> there's more place where bugs can hide (it has had actual
> issues, btw).
> 
> Security is engineering: always looking for a good tradeoff.
> Not magic.
> 
> (That's why I cringe when people around here scaremonger about
> "you NEED to have a password" and things. People should know
> what they are getting into, for sure, but at the same time they
> should take their own decisions).
> 
> Cheers

Not to mention that su - uses the --login option, whilst sudo bash
doesn't.

Re: sudoers question

[Nicolas George]

DdB (12023-05-13):
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

You are right with this principle but you are mistaken in applying it.
If you want to teach users to think before typing the password, then
making sure commands that are obviously harmless do not ask for the
password.

There are harmless commands that for some reason require privileges.
Configuring sudo to permit them without password is a good idea.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature

Re: sudoers question

[tomas]

On Sat, May 13, 2023 at 10:35:31AM +0200, Michel Verdier wrote:
> Le 12 mai 2023 tomas a écrit :
> 
> >> > `sudo bash` anyone?
> >> 
> >> also quicker done with
> >> su -
> >
> > But not the same.
> 
> Which differences do you see ?

For su, you have to enter the root password. For sudo, there
are many options, depending on config. Typically you enter
yours.

Plus, you can configure which commands (and args) can be done
by whom, based on user id, local or remote, etc.

OTOH the sudo system is way more complex than simple su, so
there's more place where bugs can hide (it has had actual
issues, btw).

Security is engineering: always looking for a good tradeoff.
Not magic.

(That's why I cringe when people around here scaremonger about
"you NEED to have a password" and things. People should know
what they are getting into, for sure, but at the same time they
should take their own decisions).

Cheers
-- 
t


signature.asc
Description: PGP signature

Re: sudoers question

[Michel Verdier]

Le 12 mai 2023 tomas a écrit :

>> > `sudo bash` anyone?
>> 
>> also quicker done with
>> su -
>
> But not the same.

Which differences do you see ?

Re: sudoers question

[Lee]

On 5/12/23, DdB  wrote:
> Am 13.05.2023 um 00:03 schrieb Lee:
>> On 5/12/23, Stefan Monnier  wrote:
 Or configure sudo to disable tty_tickets, so that the timeout (10
 minutes by default IIRC) applies to all terminals.
>>>
>>> `sudo bash` anyone?
>>
>> me!  me!  but I also have
> (...)
>> %adm  ALL = (root) NOPASSWD: ADM_COMMANDS
>
> Of course, there are ways to allow any/all sudo commands without
> password. And i also have to cast a warning here:
>
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

In general, yes, but how much trouble can
  /usr/bin/dmesg,
  /usr/bin/apt list
  /usr/bin/apt update
  /usr/sbin/checkrestart
  /usr/sbin/needrestart
cause?

OTOH, I like the idea of logging in as root to do admin stuff.  But
that seems to be frowned on now.. I don't  know why :(   .. unless
logging?  'sudo bash' or logging in as root doesn't leave an audit
trail of commands you've done

> To my eye, as there is a huge responsability involved with using
> elevated powers, i would not want "my little brother" to accidentally
> sit in front of my computer while just trying commands at a console,
> that he may have heard of somewhere.

I gave login credentials to a 4 yr old :)  I was a bit apprehensive
when he started mashing the keyboard but I'd already tried to find all
the world-writeable files on the machine so I wasn't all _that_
worried.  I'm more concerned that I did the search wrong & missed some
thing than I am of getting a "rm -fr /" from random keyboard mashing.

> Even worse: When i found out, how to prevent sudo from asking a pwd, i
> in fact did cause a couple of bad mistakes, that the system would
> otherwise have prevented from happening (including making it
> unbootable). And it took my quite some time in order to get used to some
> kind of a routine, that keps me from having to reinstall everything from
> scratch after each mishap.
>
> So, after some time, i have become way more cautious at allowing too
> many powers to myself without thinking. And especially the OP did reveal
> some contradictory habits:
> He was asking, how to allow any sudo command without being asked for a
> password ( which means: without being controlled by the system ). On one
> hand, this could make sense under certain premises.
> OTOH, he was failing to display any kind of responsible attitude for the
> job (like as if reading logfiles was hs only interest ...).
>
> Just simply asking for help in this regard let me wonder, as i had been
> able to find out all this without even knowing about his group,
> including the relevance of sudoedit in this regard (which no one even
> mentioned).
>
> You can't have your cake and eat it too!
>
> If we (as a community) would support such a behavior, wouldn't we be
> responsible for the effecs, this entails

No.

> Would you hand out a loaded weapon to a child? (I certainly did not.)

Maybe I have?   But this is a personal/household machine so if files
get deleted I'll get to find out if my backup/restore process works as
well as I hope it does :)

At work, downtime is expensive, so I do tend to lock things down at
work.  At home I'm a lot more casual.

Regards
Lee

Re: sudoers question

[DdB]

Am 13.05.2023 um 00:03 schrieb Lee:
> On 5/12/23, Stefan Monnier  wrote:
>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>> minutes by default IIRC) applies to all terminals.
>>
>> `sudo bash` anyone?
> 
> me!  me!  but I also have
(...)
> %adm  ALL = (root) NOPASSWD: ADM_COMMANDS

Of course, there are ways to allow any/all sudo commands without
password. And i also have to cast a warning here:

The kind of mistakes, any user (including yourself) can initiate, grows
considerably, if he can use any commands without even thinking.

To my eye, as there is a huge responsability involved with using
elevated powers, i would not want "my little brother" to accidentally
sit in front of my computer while just trying commands at a console,
that he may have heard of somewhere.

Even worse: When i found out, how to prevent sudo from asking a pwd, i
in fact did cause a couple of bad mistakes, that the system would
otherwise have prevented from happening (including making it
unbootable). And it took my quite some time in order to get used to some
kind of a routine, that keps me from having to reinstall everything from
scratch after each mishap.

So, after some time, i have become way more cautious at allowing too
many powers to myself without thinking. And especially the OP did reveal
some contradictory habits:
He was asking, how to allow any sudo command without being asked for a
password ( which means: without being controlled by the system ). On one
hand, this could make sense under certain premises.
OTOH, he was failing to display any kind of responsible attitude for the
job (like as if reading logfiles was hs only interest ...).

Just simply asking for help in this regard let me wonder, as i had been
able to find out all this without even knowing about his group,
including the relevance of sudoedit in this regard (which no one even
mentioned).

You can't have your cake and eat it too!

If we (as a community) would support such a behavior, wouldn't we be
responsible for the effecs, this entails?
Would you hand out a loaded weapon to a child? (I certainly did not.)

just saying ...
good luck
DdB

Re: sudoers question

[Lee]

On 5/12/23, Stefan Monnier  wrote:
>> Or configure sudo to disable tty_tickets, so that the timeout (10
>> minutes by default IIRC) applies to all terminals.
>
> `sudo bash` anyone?

me!  me!  but I also have
# cat /etc/sudoers.d/adm-grp-privs
# members of adm can run certain commands as root without supplying
# a password
#   Andrei POPESCU  Sun, Dec 5, 2021 at 10:46 AM
#   To: debian-user@lists.debian.org
#   Re: Don't try this at home kids

Cmnd_AliasADM_COMMANDS = /usr/bin/dmesg, \
 /usr/bin/apt list, \
 /usr/bin/apt update, \
 /usr/sbin/checkrestart, \
 /usr/sbin/needrestart, \
 /usr/sbin/reboot

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS

Regards
Lee

Re: sudoers question

[Curt]

On 2023-05-12, Tom Reed  wrote:
>> Tom Reed (12023-05-12):
>>> otherwise every time i have to input password for sudo.
>>
>> Yes, that is the point.
>>
>> If “every time” is a lot for you, maybe your use habits need to be
>> reviewed.
>>
>
> that's normal. for example, I have to check every kind of logs (mail,
> webserver, systems etc). They require sudo then.
>
> regards
>
>

Certain people here who don't use sudo on single human user systems used
to say they'd keep a root terminal open at all times (with some kind of
cautionary reddish prompt to remind them of the inherent power) for
convenient switching to administrative work.

That's if you have no cat or child or other malicious creature in the
vicinity, of course.

Re: sudoers question

[tomas]

On Fri, May 12, 2023 at 05:46:21PM +0200, Michel Verdier wrote:
> Le 12 mai 2023 Stefan Monnier a écrit :
> 
> >> Or configure sudo to disable tty_tickets, so that the timeout (10
> >> minutes by default IIRC) applies to all terminals.
> >
> > `sudo bash` anyone?
> 
> also quicker done with
> su -

But not the same.

Cheers
-- 
t


signature.asc
Description: PGP signature

Re: sudoers question

[Michel Verdier]

Le 12 mai 2023 Stefan Monnier a écrit :

>> Or configure sudo to disable tty_tickets, so that the timeout (10
>> minutes by default IIRC) applies to all terminals.
>
> `sudo bash` anyone?

also quicker done with
su -

Re: sudoers question

[Max Nikulin]

On 12/05/2023 21:00, Byung-Hee HWANG (황병희) wrote:

On Fri, 2023-05-12 at 08:25 -0400, Stefan Monnier wrote:


`sudo bash` anyone?


AMAZING! Thanks for tip, Stefan ^^^


Isn't it a way to get e.g. ~/.bash_history owned by root?

sudo -i

should be better

Re: sudoers question

[황병희]

Hi Stefan,

On Fri, 2023-05-12 at 08:25 -0400, Stefan Monnier wrote:
> > Or configure sudo to disable tty_tickets, so that the timeout (10
> > minutes by default IIRC) applies to all terminals.
> 
> `sudo bash` anyone?
> 

AMAZING! Thanks for tip, Stefan ^^^


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//

Re: sudoers question

[Michel Verdier]

Le 12 mai 2023 Tom Reed a écrit :

> that's normal. for example, I have to check every kind of logs (mail,
> webserver, systems etc). They require sudo then.

Logs are with adm gid, so just add your user to the group adm to be able
to consult logs.

Re: sudoers question

[Nicolas George]

Stefan Monnier (12023-05-12):
> `sudo bash` anyone?

Why not “sudo start-gnome” or logging as root on the display manager
while you are at it?

Regards,

-- 
  Nicolas George

Re: sudoers question

[Stefan Monnier]

> Or configure sudo to disable tty_tickets, so that the timeout (10
> minutes by default IIRC) applies to all terminals.

`sudo bash` anyone?


Stefan

Re: sudoers question

[Nicolas George]

Greg Wooledge (12023-05-12):
> If you're launching a terminal, running a single sudo command, closing
> the terminal, opening a new terminal, etc. ... then perhaps you should
> stop doing that.  Leave your terminal open, at least until you're done
> with whatever administrative task you're doing.

Or configure sudo to disable tty_tickets, so that the timeout (10
minutes by default IIRC) applies to all terminals.

Regards,

-- 
  Nicolas George

Re: sudoers question

[Greg Wooledge]

On Fri, May 12, 2023 at 08:13:31PM +0800, Tom Reed wrote:
> that's normal. for example, I have to check every kind of logs (mail,
> webserver, systems etc). They require sudo then.

If you check the logs all at once, as part of a daily routine, then you
only have to type the password one time, at the beginning of your
log-checking session.  The second, third, fourth, etc. sudo commands
will all use the cached credentials that you supplied the first time.

You might also consider adding "tom" to the "adm" group, so that "tom"
can read most of the system log files without needing sudo.

Re: sudoers question

[Andrew M.A. Cater]

On Fri, May 12, 2023 at 07:27:25PM +0800, Tom Reed wrote:
> Hello
> 
> what's the right way to add an user to run sudo without password?
> I have to edit /etc/sudoers by manual. But I don't think it's a grace way.
> 
> Thanks.
> Tom
>

As others have said: sudo is *designed* this way - you have to prove your
 identity once and then you get some time in the session before you would
have to reinput a password.

If you don't appreciate why this is important, I would respectfully suggest
that you go and read up on computer security.

It is also worth reading up on restrictions on commands and forced commands:
you can create a group such that users can only perform one command. For
example, backupusers as a group and then configure sudo to *only* allow
the members of that group to use a backup command.

Hope this helps,

Andy Cater

Re: sudoers question

[Nicolas George]

Tom Reed (12023-05-12):
> that's normal. for example, I have to check every kind of logs (mail,
> webserver, systems etc). They require sudo then.

No they do not. You just have to adjust files permissions if they are
not correct by default, which they usually are.

My crystal ball tells me you neglected to add yourself to the adm group.

Regards,

-- 
  Nicolas George

Re: sudoers question

[Greg Wooledge]

On Fri, May 12, 2023 at 08:03:00PM +0800, Tom Reed wrote:
> for a common account, such as tom, a nopasswd sudo also makes sense?
> otherwise every time i have to input password for sudo.

Within a given terminal session, you only have to enter your passwors
once.  This will allow passwordless sudo on that terminal for the next
15 minutes (by default).

If you're launching a terminal, running a single sudo command, closing
the terminal, opening a new terminal, etc. ... then perhaps you should
stop doing that.  Leave your terminal open, at least until you're done
with whatever administrative task you're doing.

Re: sudoers question

[Tom Reed]

> Tom Reed (12023-05-12):
>> otherwise every time i have to input password for sudo.
>
> Yes, that is the point.
>
> If “every time” is a lot for you, maybe your use habits need to be
> reviewed.
>

that's normal. for example, I have to check every kind of logs (mail,
webserver, systems etc). They require sudo then.

regards

Re: sudoers question

[Nicolas George]

Tom Reed (12023-05-12):
> otherwise every time i have to input password for sudo.

Yes, that is the point.

If “every time” is a lot for you, maybe your use habits need to be
reviewed.

Regards,

-- 
   Nicolas George

Re: sudoers question

[Tom Reed]

> On Fri, May 12, 2023 at 07:27:25PM +0800, Tom Reed wrote:
>> what's the right way to add an user to run sudo without password?
>> I have to edit /etc/sudoers by manual. But I don't think it's a grace
>> way.
>
> *Without password*??  Yes, that will require a manual edit.
>
> There is no "graceful way" to grant that power to users, because that's
> an obscene amount of power without a check.  Usually one would only
> do this for a non-interactive account (some sort of service/daemon
> account that does an automated backup, or something of that nature).
>
>

Hello Greg,

for a common account, such as tom, a nopasswd sudo also makes sense?
otherwise every time i have to input password for sudo.

Thanks

Re: sudoers question

[Greg Wooledge]

On Fri, May 12, 2023 at 07:27:25PM +0800, Tom Reed wrote:
> what's the right way to add an user to run sudo without password?
> I have to edit /etc/sudoers by manual. But I don't think it's a grace way.

*Without password*??  Yes, that will require a manual edit.

There is no "graceful way" to grant that power to users, because that's
an obscene amount of power without a check.  Usually one would only
do this for a non-interactive account (some sort of service/daemon
account that does an automated backup, or something of that nature).

sudoers question

[Tom Reed]

Hello

what's the right way to add an user to run sudo without password?
I have to edit /etc/sudoers by manual. But I don't think it's a grace way.

Thanks.
Tom