Re: sudo - was Re: FWIW: AlmaLinux now available.
Probably not applicable to many installations, but when I was the sole admin for a couple of compute clusters, raid systems, and numerous backend servers, *everything* I did required root privs, so I just set them all up so when I ssh'd in, I was root. Didn't have time to mess with the extra sudo steps to be root, as I was in and out of my systems constantly all day long. Never once did that bite me. Although, I would use a sudo config to allow certain trusted engineers or professors on just specific systems to run specific apps/commands that needed root privs, which also generated an audit trail in the logs, and an email to me, of what commands they invoked (or tried to invoke) - just in case they tried to do something they shouldn't. But my methodology is definitely not for installations with two or more admins. - Larry ~Stack~ wrote on 4/11/21 9:39 PM: > On 2021-04-07 9:28 a.m., Teh, Kenneth M. wrote: >> If you need to run a lot of commands as root, the easiest sudo method >> is simply 'sudo su -' which makes you into root. The trailing '-' >> does a login which replaces your environment with root's. -- P. Larry Nelson (217-693-7418) | IT Administrator (retired) 810 Ventura Rd.| High Energy Physics Group Champaign, IL 61820 | Physics Dept., Univ. of Ill. MailTo: lnel...@illinois.edu | https://urldefense.proofpoint.com/v2/url?u=http-3A__hep.physics.illinois.edu_home_lnelson_=DwID-g=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=DLa1FvIiUtnD-PEy34KAo3p4WSwAisBUV0ZnfTtR1lM=gdBbjcMggx3ArhRhnpgki6hz28AXRel_j3RZ5vdsaEI= --- "Information without accountability is just noise." - P.L. Nelson, 04/06/2001
Re: sudo - was Re: FWIW: AlmaLinux now available.
> On 2021-04-07 9:28 a.m., Teh, Kenneth M. wrote: >> If you need to run a lot of commands as root, the easiest sudo method >> is simply 'sudo su -' which makes you into root. The trailing '-' >> does a login which replaces your environment with root's. On 4/7/21 9:37 AM, Gilbert E. Detillieux wrote: How is that in any way better than "sudo -i" (which I already suggested, and which avoids a needless extra command invocation)? Greetings, There's history to those commands, but the end result is dang-near identical these days. There's some distro-dependant differences that can be found but for the vast majority of the time it is the same and can be thought of as identical. On *EL systems (RHEL/SL/Rocky/CentOS/ect) the end goal is damn near the same. But there are minor differences. Follow along if you want. Open up two shells side by side and in one run `sudo -i` and in the other `sudo su -`. First up, take a look at the process hierarchy. Sudo launches a sub-exec of su from which your shell should now be running under if you did `sudo su -` but with `sudo -i` it launches it directly. Next up, run the command: `env |sort`. You will see that the `sudo su -` stripped out all of the SUDO_* environment variables that `sudo -i` has. Ok, so what? Well... *shrug* The short history is how and what bash resources were loaded. Since the su is a complete reloading of the profile it's the same as logging in as root with all the .profile and .bash_profile and .rc and blahblahblah files read in. The `sudo -i` (a long time ago in a distro far far away) used to only pull in a select subset of those profile files and there was some cross-environment variables that were kept around. Some of these details used to be more important for things like what gets listed as the ID in auditd logs, but I'm pretty confident that all of those things are similar and easily traced now with the newer audit logging tools. Thus, I *think* it's now identical...but it's too late at night for me to dig through audit logs to check! :-D So what is the difference these days? It's one extra process vs a few shell environment variables. I think there are a few more even _more_ minor details but I can't remember them. I have yet to hear a convincing argument one over the other except for how many characters are typed. Since I tend to be old school my fingers just type `sudo su -` before my brain fully processes the thought. Yes, `sudo -i` is fewer characters but muscle memory...it just happens. *shrug* :-D Not sure that was "helpful" information, but hopefully it answered the question. :-D ~Stack~
Re: sudo - was Re: FWIW: AlmaLinux now available.
I have one issue with the 'sudo su -' "trick". When there is both a distro and an original "supplier" of an application (such as Mozilla Firefox), I use the original, not the distro, except when there are complicated specifics (such as my past experience with the Nvidia GPU driver and utilities source package for which I get a prebuilt version designed for the specific OS and kernel, etc, in use). Why? Every rebuild has both the possibility of software defects as well as maintaining the "chain of custody" to be assured that there will be no compromises added that were not in the original release (e.g., building on a compromised system for which the compromise inserts a compromise into the binary executable output). However, Firefox and other such applications that have an internal update mechanism that updates from within the application. If the application is installed as part of the "system", not in the space of the specific ordinary user, then one must be logged-in as root into a GUI workspace, not text shell, for the internal update to be enabled. There may be a way to do this within a GUI workspace manager as an ordinary user, but such a method does not seem to be universal (different syntax/operations between GUI workspace systems, and some types seem not to support such an action) -- whereas a root instance of that GUI does work. To do this within Ubuntu requires several files being modified -- I can share what to do. Of course, in many cases for the update, one typically can download, say, a .tgz file that contains a full executable release of the current (update) release version, but this is much more work than using the internal update mechanism of the GUI application. On 4/7/21 7:28 AM, Teh, Kenneth M. wrote: If you need to run a lot of commands as root, the easiest sudo method is simply 'sudo su -' which makes you into root. The trailing '-' does a login which replaces your environment with root's. *From:* owner-scientific-linux-us...@listserv.fnal.gov on behalf of Gilbert E. Detillieux *Sent:* Wednesday, April 7, 2021 9:19 AM *To:* Andrew C Aitchison *Cc:* scientific-linux-users *Subject:* Re: sudo - was Re: FWIW: AlmaLinux now available. On 2021-04-07 2:11 a.m., Andrew C Aitchison wrote: On Tue, 6 Apr 2021, Yasha Karant wrote: The major issue I find is that everything at the system level is sudo -- however, for Ubuntu, I have found the fixes so that I can become root and do what I need both from a text interface and a GUI interface. I find sudo on Ubuntu much easier to use than sudo on SL6. By default on Ubuntu you can run succeccive sudo commands without reentering the password each time. I never figured out how to do that with SL. That doesn't sound like default behaviour for sudo on SL6. I've been using it for years, and haven't had the password issue you mention. Since sudo is pretty old, stable code, there likely aren't any differences between its implementation in RHEL/SL vs Debian/Ubuntu, other than the content of the /etc/sudoers file. I'd check that against the distro's clean, initial configuration, and see what's broken. When I need to use pipes or redirect stdin and stdout as root, a simple "sudo bash" first solves those issues. You can use "sudo -i" to accomplish the same thing, but with perhaps more "sane" initial setup, since it simulates a login. Gilbert -- Gilbert E. Detillieux E-mail: Dept. of Computer Science Web: https://urldefense.proofpoint.com/v2/url?u=http-3A__cs.umanitoba.ca_-7Egedetil_=DwIDaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=ngvZhv2g2MiFuLwD8Pig29aVZry8YCxwGnF4G1QV_jk=npAcwiHQAtZERrcpKjbPYhJrQcqMvbSLkfOIpJGM5Z4= <https://urldefense.proofpoint.com/v2/url?u=http-3A__cs.umanitoba.ca_-7Egedetil_=DwIDaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=ngvZhv2g2MiFuLwD8Pig29aVZry8YCxwGnF4G1QV_jk=npAcwiHQAtZERrcpKjbPYhJrQcqMvbSLkfOIpJGM5Z4=> University of Manitoba Phone: 204-783-1031 Winnipeg MB CANADA R3T 2N2 For best service, contact .
Re: sudo - was Re: FWIW: AlmaLinux now available.
How is that in any way better than "sudo -i" (which I already suggested, and which avoids a needless extra command invocation)? Gilbert On 2021-04-07 9:28 a.m., Teh, Kenneth M. wrote: If you need to run a lot of commands as root, the easiest sudo method is simply 'sudo su -' which makes you into root. The trailing '-' does a login which replaces your environment with root's. *From:* owner-scientific-linux-us...@listserv.fnal.gov on behalf of Gilbert E. Detillieux *Sent:* Wednesday, April 7, 2021 9:19 AM *To:* Andrew C Aitchison *Cc:* scientific-linux-users *Subject:* Re: sudo - was Re: FWIW: AlmaLinux now available. On 2021-04-07 2:11 a.m., Andrew C Aitchison wrote: On Tue, 6 Apr 2021, Yasha Karant wrote: The major issue I find is that everything at the system level is sudo -- however, for Ubuntu, I have found the fixes so that I can become root and do what I need both from a text interface and a GUI interface. I find sudo on Ubuntu much easier to use than sudo on SL6. By default on Ubuntu you can run succeccive sudo commands without reentering the password each time. I never figured out how to do that with SL. That doesn't sound like default behaviour for sudo on SL6. I've been using it for years, and haven't had the password issue you mention. Since sudo is pretty old, stable code, there likely aren't any differences between its implementation in RHEL/SL vs Debian/Ubuntu, other than the content of the /etc/sudoers file. I'd check that against the distro's clean, initial configuration, and see what's broken. When I need to use pipes or redirect stdin and stdout as root, a simple "sudo bash" first solves those issues. You can use "sudo -i" to accomplish the same thing, but with perhaps more "sane" initial setup, since it simulates a login. Gilbert
Re: sudo - was Re: FWIW: AlmaLinux now available.
If you need to run a lot of commands as root, the easiest sudo method is simply 'sudo su -' which makes you into root. The trailing '-' does a login which replaces your environment with root's. From: owner-scientific-linux-us...@listserv.fnal.gov on behalf of Gilbert E. Detillieux Sent: Wednesday, April 7, 2021 9:19 AM To: Andrew C Aitchison Cc: scientific-linux-users Subject: Re: sudo - was Re: FWIW: AlmaLinux now available. On 2021-04-07 2:11 a.m., Andrew C Aitchison wrote: > On Tue, 6 Apr 2021, Yasha Karant wrote: > >> The major issue I find is that everything at the system level is sudo >> -- however, for Ubuntu, I have found the fixes so that I can become >> root and do what I need both from a text interface and a GUI interface. > > I find sudo on Ubuntu much easier to use than sudo on SL6. > By default on Ubuntu you can run succeccive sudo commands without > reentering the password each time. > I never figured out how to do that with SL. That doesn't sound like default behaviour for sudo on SL6. I've been using it for years, and haven't had the password issue you mention. Since sudo is pretty old, stable code, there likely aren't any differences between its implementation in RHEL/SL vs Debian/Ubuntu, other than the content of the /etc/sudoers file. I'd check that against the distro's clean, initial configuration, and see what's broken. > When I need to use pipes or redirect stdin and stdout as root, > a simple "sudo bash" first solves those issues. You can use "sudo -i" to accomplish the same thing, but with perhaps more "sane" initial setup, since it simulates a login. Gilbert -- Gilbert E. DetillieuxE-mail: Dept. of Computer ScienceWeb: https://urldefense.proofpoint.com/v2/url?u=http-3A__cs.umanitoba.ca_-7Egedetil_=DwIDaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=ngvZhv2g2MiFuLwD8Pig29aVZry8YCxwGnF4G1QV_jk=npAcwiHQAtZERrcpKjbPYhJrQcqMvbSLkfOIpJGM5Z4= University of Manitoba Phone: 204-783-1031 Winnipeg MB CANADA R3T 2N2 For best service, contact .
Re: sudo - was Re: FWIW: AlmaLinux now available.
On 2021-04-07 2:11 a.m., Andrew C Aitchison wrote: On Tue, 6 Apr 2021, Yasha Karant wrote: The major issue I find is that everything at the system level is sudo -- however, for Ubuntu, I have found the fixes so that I can become root and do what I need both from a text interface and a GUI interface. I find sudo on Ubuntu much easier to use than sudo on SL6. By default on Ubuntu you can run succeccive sudo commands without reentering the password each time. I never figured out how to do that with SL. That doesn't sound like default behaviour for sudo on SL6. I've been using it for years, and haven't had the password issue you mention. Since sudo is pretty old, stable code, there likely aren't any differences between its implementation in RHEL/SL vs Debian/Ubuntu, other than the content of the /etc/sudoers file. I'd check that against the distro's clean, initial configuration, and see what's broken. When I need to use pipes or redirect stdin and stdout as root, a simple "sudo bash" first solves those issues. You can use "sudo -i" to accomplish the same thing, but with perhaps more "sane" initial setup, since it simulates a login. Gilbert -- Gilbert E. DetillieuxE-mail: Dept. of Computer ScienceWeb: https://urldefense.proofpoint.com/v2/url?u=http-3A__cs.umanitoba.ca_-7Egedetil_=DwIDaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=ngvZhv2g2MiFuLwD8Pig29aVZry8YCxwGnF4G1QV_jk=npAcwiHQAtZERrcpKjbPYhJrQcqMvbSLkfOIpJGM5Z4= University of Manitoba Phone: 204-783-1031 Winnipeg MB CANADA R3T 2N2 For best service, contact .
Re: sudo - was Re: FWIW: AlmaLinux now available.
On Wed, Apr 7, 2021 at 3:12 AM Andrew C Aitchison wrote: > > On Tue, 6 Apr 2021, Yasha Karant wrote: > > > The major issue I find is that everything at the system level is sudo > > -- however, for Ubuntu, I have found the fixes so that I can become root and > > do what I need both from a text interface and a GUI interface. > > I find sudo on Ubuntu much easier to use than sudo on SL6. > By default on Ubuntu you can run succeccive sudo commands without > reentering the password each time. > I never figured out how to do that with SL. SL 6 is 10 years old. It's not a fair comparison. It certainly works well with more recent releases. > When I need to use pipes or redirect stdin and stdout as root, > a simple "sudo bash" first solves those issues. > > -- > Andrew C. Aitchison Kendal, UK > and...@aitchison.me.uk
sudo - was Re: FWIW: AlmaLinux now available.
On Tue, 6 Apr 2021, Yasha Karant wrote: The major issue I find is that everything at the system level is sudo -- however, for Ubuntu, I have found the fixes so that I can become root and do what I need both from a text interface and a GUI interface. I find sudo on Ubuntu much easier to use than sudo on SL6. By default on Ubuntu you can run succeccive sudo commands without reentering the password each time. I never figured out how to do that with SL. When I need to use pipes or redirect stdin and stdout as root, a simple "sudo bash" first solves those issues. -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk