Re: sudo and UNIXes
Curt cu...@free.fr writes:

> On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:
>
>>>> Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.
>>>
>>> Not only that. Permits someone who already has sudo access to continue having such access indefinitely, ignoring being excluded from sudoers altogether.
>>
>> You made a specific claim, that sudo without patches is basically equivalent to giving everyone uid=0. You have yet to say anything that even begins to substantiate that claim.
>
> How about this bug: http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.

OK, there has been a bug that will cause the claimed behavior if the sysadmin updated his system between February and November 2011 but not since, and you've got a seriously malicious user.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1bvc09paki@snowball.wb.pfeifferfamily.net
Re: sudo and UNIXes
Reco recovery...@gmail.com writes:

> Hi.
>
> On Sat, 2 Nov 2013 11:46:48 -0500 Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:
>
>>> How about this bug: http://www.sudo.ws/sudo/alerts/sudo_debug.html
>>>
>>> Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.
>>
>> How valid is that considering that Wheezy is using sudo version 1.8.5p2-1+nmu1 ?
>
> Perfectly valid, considering that this part of the thread is about using sudo in the UNIX environment, not the Linux one.
>
>> May I assume that there are still a lot of non-upgraded machines out there?
>
> Depends. For example, AIX 5, 6 and 7 all have sudo-1.6.7p5-3 (the only version built officially by IBM). Unless you build sudo from the source - no upgrades for you. Solaris 11.1 has sudo-1.8.6.7 out of the box.

Note that neither of these is subject to the vulnerability in the bug report.

Archive: http://lists.debian.org/1br4axpaik@snowball.wb.pfeifferfamily.net
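The comparison Joe Pfeiffer does by eye above, as an added example (this is not code from the thread or from the sudo project). It parses the version strings the thread names (Debian wheezy's 1.8.5p2-1+nmu1, IBM's sudo-1.6.7p5-3, Solaris 11.1's sudo-1.8.6.7) as well as the first line of `sudo -V`, and reports whether each falls inside an affected range. The range used, 1.8.0 through 1.8.3p1 inclusive, is this editor's reading of the alert linked in the thread and is an assumption to verify against that page; the host inventory is constructed for the demonstration.

```python
"""Compare sudo version strings against an affected version range.

Added example, not code from the thread or from the sudo project.
"""
import re
from typing import Dict, Tuple

# ASSUMPTION: this editor's reading of the alert linked in the thread
# (http://www.sudo.ws/sudo/alerts/sudo_debug.html) is that 1.8.0 through
# 1.8.3p1 inclusive are affected. Check the alert before relying on it.
SUDO_DEBUG_AFFECTED = ("1.8.0", "1.8.3p1")

# Captures the version core, e.g. "1.8.5p2" out of "Sudo version 1.8.5p2"
# or "sudo-1.6.7p5-3". Vendor release suffixes ("-3", "-1+nmu1") are not
# matched and therefore ignored: they do not change the upstream code level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:p(\d+))?")

VersionKey = Tuple[int, int, int, int, int]


def parse_sudo_version(text: str) -> VersionKey:
    """Return (major, minor, micro, fourth, patchlevel) for a sudo version.

    Accepts '1.8.5p2', 'sudo-1.6.7p5-3', '1.8.6.7' and the first line of
    `sudo -V`. A fourth dotted field (Solaris-style packaging) and an
    upstream 'pN' patch level are kept in separate slots: the parser does
    not guess that one means the other, so versions are compared only on
    what the string actually says.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, micro, fourth, plevel = (int(g) if g else 0 for g in m.groups())
    return (major, minor, micro, fourth, plevel)


def is_affected(version_text: str,
                low: str = SUDO_DEBUG_AFFECTED[0],
                high: str = SUDO_DEBUG_AFFECTED[1]) -> bool:
    """True when the version lies in the inclusive range [low, high]."""
    return parse_sudo_version(low) <= parse_sudo_version(version_text) <= parse_sudo_version(high)


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> whether its reported sudo is in the affected range."""
    return {host: is_affected(reported) for host, reported in inventory.items()}


# Constructed inventory: the package versions named in the thread, plus two
# synthetic `sudo -V` first lines, one at the top edge of the range and one
# patch level past it.
SAMPLE_INVENTORY = {
    "wheezy-box":    "1.8.5p2-1+nmu1",        # Debian wheezy package
    "aix-lpar":      "sudo-1.6.7p5-3",        # IBM-built AIX package
    "solaris11":     "sudo-1.8.6.7",          # Solaris 11.1 stock package
    "stale-build":   "Sudo version 1.8.3p1",  # synthetic: inside the range
    "patched-build": "Sudo version 1.8.3p2",  # synthetic: one patch level past it
}

if __name__ == "__main__":
    for host, flagged in audit(SAMPLE_INVENTORY).items():
        status = "AFFECTED" if flagged else "ok"
        print(f"{host:14} {SAMPLE_INVENTORY[host]:24} {status}")
```

To use it against real hosts, feed the first line of `sudo -V` from each machine into the inventory. A string with no parseable version raises instead of silently passing, which is the failure mode you want in an audit: an unknown version is not a clean one.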
Re: sudo and UNIXes
On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:

>>> Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.
>>
>> Not only that. Permits someone who already has sudo access to continue having such access indefinitely, ignoring being excluded from sudoers altogether.
>
> You made a specific claim, that sudo without patches is basically equivalent to giving everyone uid=0. You have yet to say anything that even begins to substantiate that claim.

How about this bug: http://www.sudo.ws/sudo/alerts/sudo_debug.html

Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.

Archive: http://lists.debian.org/slrnl7a6ss.2cf.cu...@einstein.electron.org
Re: sudo and UNIXes
On Sat, 2 Nov 2013 15:34:13 +0000 (UTC) Curt cu...@free.fr wrote:

> On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:
>
>>>> Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.
>>>
>>> Not only that. Permits someone who already has sudo access to continue having such access indefinitely, ignoring being excluded from sudoers altogether.
>>
>> You made a specific claim, that sudo without patches is basically equivalent to giving everyone uid=0. You have yet to say anything that even begins to substantiate that claim.
>
> How about this bug: http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.

How valid is that considering that Wheezy is using sudo version 1.8.5p2-1+nmu1 ?

May I assume that there are still a lot of non-upgraded machines out there? Maybe the best advice would be to upgrade their whole Debian.

Cybe R. Wizard
--
Nice computers don't go down.
        Larry Niven, Steven Barnes
        The Barsoom Project

Archive: http://lists.debian.org/20131102114648.190b3d4d.cybe_r_wiz...@earthlink.net
Re: sudo and UNIXes
On 2013-11-02, Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:

>> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>>
>> Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.
>
> How valid is that considering that Wheezy is using sudo version 1.8.5p2-1+nmu1 ?
>
> May I assume that there are still a lot of non-upgraded machines out there? Maybe the best advice would be to upgrade their whole Debian.

I thought we were talking about people running unpatched sudos in distros where the program isn't included in the official repositories of packages and therefore gets no security updates (or something)?

Archive: http://lists.debian.org/slrnl7ad5p.37q.cu...@einstein.electron.org
Re: sudo and UNIXes
Hi.

On Sat, 2 Nov 2013 11:46:48 -0500 Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:

>> How about this bug: http://www.sudo.ws/sudo/alerts/sudo_debug.html
>>
>> Impact: Successful exploitation of the bug will allow a user to run arbitrary commands as root. Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.
>
> How valid is that considering that Wheezy is using sudo version 1.8.5p2-1+nmu1 ?

Perfectly valid, considering that this part of the thread is about using sudo in the UNIX environment, not the Linux one.

> May I assume that there are still a lot of non-upgraded machines out there?

Depends. For example, AIX 5, 6 and 7 all have sudo-1.6.7p5-3 (the only version built officially by IBM). Unless you build sudo from the source - no upgrades for you. Solaris 11.1 has sudo-1.8.6.7 out of the box.

> Maybe the best advice would be to upgrade their whole Debian.

That's a neat idea (I sure view a transition from HP-UX to Debian as an upgrade, same for AIX), but most of the time if people bought that hardware - they intend to use it with the stock OS, not Linux.

Reco

Archive: http://lists.debian.org/20131102220500.049af9c284e6295963b50...@gmail.com
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On Thu, Oct 31, 2013 at 09:35:16PM +0000, Curt wrote:

> On 2013-10-31, Chris Bannister cbannis...@slingshot.co.nz wrote:
>
>> So you could shoot kids in halloween costumes for illegally being on your property?
>
> Only if they've been through your underwear (_very_ puritanical country).

If it was Halloween, it would be difficult to tell if they had. :)

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

Archive: http://lists.debian.org/20131102203352.GB12542@tal
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On 2013-10-31, Thierry Chatelet tchate...@free.fr wrote:

> On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:
>
>> Note that I didn't say that I *would* shoot them dead.
>
> Maybe shoot them just injured ? /Smilet/
>
> Thierry

Right, he would've just blown their kneecaps out so they couldn't run away while he hogtied them and rounded up a posse to catch the ringleaders.

What was that line spoken by Walter Brennan (Old Man Clanton) in the movie My Darling Clementine?

Old Man Clanton (talking to his son?): When ya pull a gun, shoot a man!

Archive: http://lists.debian.org/slrnl771b3.2jf.cu...@einstein.electron.org
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On Thu, Oct 31, 2013 at 4:33 PM, Bob Proulx b...@proulx.com wrote:

> What would any of us do if confronted by a burglar in the middle of the night while we were home and woken up from a sound sleep? Certainly a terrifying situation. Calm thinking does not happen at such times.

Agreed. Even the Bible recognizes the difference between night-time and day-time responses to break-ins:

Exodus 22:1 "If a thief caught in the act of breaking in is beaten to death, it is not murder; 2 unless it happens after sunrise, in which case it is murder." (Complete Jewish Bible, http://www.biblegateway.com/passage/?search=ex%2022:2&version=CJB)

--
Kent West
Westing Peacefully - http://kentwest.blogspot.com
Re: sudo and UNIXes
Reco recovery...@gmail.com writes:

> On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
>
>> Reco recovery...@gmail.com writes:
>>
>>>> You also have to add to the picture such a vulnerability, and I haven't noticed any.
>>>
>>> If we're speaking of public vulnerabilities: CVE-2010-0427.
>>
>> Does not permit users outside of those in the sudoers file (or with the root password) to escalate privileges.
>
> Lessens attack surface, but doesn't void the existence of vulnerability.
>
>>> CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).
>>
>> Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.
>
> Not only that. Permits someone who already has sudo access to continue having such access indefinitely, ignoring being excluded from sudoers altogether.

You made a specific claim, that sudo without patches is basically equivalent to giving everyone uid=0. You have yet to say anything that even begins to substantiate that claim.

Archive: http://lists.debian.org/1b4n7vik0q@snowball.wb.pfeifferfamily.net
Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:

> Case 1: I find that someone in my family who lives in my house has rummaged through my underwear drawer. A violation of trust has occurred. I am unhappy and will talk with them and give them a harsh lecture. This is not appropriate behavior.
>
> Case 2: I find someone who is not a member of my family and who does not live in my house and who I don't know has rummaged through my underwear drawer. A very serious crime has been committed. I live in a state where I am fully legally protected if I shoot them dead.

:( And yet you can't shoot the family member? I think most murders are actually committed by family members against other family members, if my memory serves me correctly.

So you could shoot kids in halloween costumes for illegally being on your property?

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

Archive: http://lists.debian.org/20131031182240.GC5993@tal
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On Thursday, October 31, 2013 02:22:40 PM Chris Bannister wrote:

> On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
>
>> Case 1: I find that someone in my family who lives in my house has rummaged through my underwear drawer. A violation of trust has occurred. I am unhappy and will talk with them and give them a harsh lecture. This is not appropriate behavior.
>>
>> Case 2: I find someone who is not a member of my family and who does not live in my house and who I don't know has rummaged through my underwear drawer. A very serious crime has been committed. I live in a state where I am fully legally protected if I shoot them dead.
>
> :( And yet you can't shoot the family member? I think most murders are actually committed by family members against other family members, if my memory serves me correctly.
>
> So you could shoot kids in halloween costumes for illegally being on your property?

An uninvited stranger in someone's home rifling through the occupants' belongings should expect to have a short life expectancy. There is a certain amount of responsibility involved before one exercises the power to use arms (with rights come responsibilities).

But we begin to digress from this list's purpose.

Archive: http://lists.debian.org/201310311514.05426.neal.p.mur...@alum.wpi.edu
Re: Only in America! ? (was ... Re: sudo and UNIXes
Chris Bannister writes:

> So you could shoot kids in halloween costumes for illegally being on your property?

If you catch them in your bedroom rifling through your underwear, maybe. There is no state in the union where the mere fact that someone was trespassing is a valid murder defense.
--
John Hasler jhas...@newsguy.com
Elmwood, WI USA

Archive: http://lists.debian.org/8738nhf92q@thumper.dhh.gt.org
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
Neal Murphy wrote:

> Chris Bannister wrote:
>
>> Bob Proulx wrote:
>>
>>> Case 1: I find that someone in my family who lives in my house has rummaged through my underwear drawer. A violation of trust has occurred. I am unhappy and will talk with them and give them a harsh lecture. This is not appropriate behavior.
>>>
>>> Case 2: I find someone who is not a member of my family and who does not live in my house and who I don't know has rummaged through my underwear drawer. A very serious crime has been committed. I live in a state where I am fully legally protected if I shoot them dead.

Obviously I was using that colorful story to illustrate how the same act committed by two different people becomes a very different crime depending upon who is doing it. Note that I didn't say that I *would* shoot them dead. I said I was fully legally protected if I did so. Which is true of all who live in my state regardless of their own personal politics. All here live under the same rule of law. I meant that to illustrate the severity of the crime in a colorful way. Perhaps too colorful for the list. Sorry about that.

What would any of us do if confronted by a burglar in the middle of the night while we were home and woken up from a sound sleep? Certainly a terrifying situation. Calm thinking does not happen at such times.

The point having been made, let's not commit this list to a political discussion of the politics of it. Please?

>> So you could shoot kids in halloween costumes for illegally being on your property?
>
> An uninvited stranger in someone's home rifling through the occupants' belongings should expect to have a short life expectancy. There is a certain amount of responsibility involved before one exercises the power to use arms (with rights come responsibilities).
>
> But we begin to digress from this list's purpose.

With great power comes great responsibility.

Bob
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On 2013-10-31, Chris Bannister cbannis...@slingshot.co.nz wrote:

> So you could shoot kids in halloween costumes for illegally being on your property?

Only if they've been through your underwear (_very_ puritanical country).

Archive: http://lists.debian.org/slrnl75j9v.7mv.cu...@einstein.electron.org
Re: Only in America! ? (was ... Re: sudo and UNIXes
On 10/31/2013 05:02 PM, John Hasler wrote:

> Chris Bannister writes:
>
>> So you could shoot kids in halloween costumes for illegally being on your property?
>
> If you catch them in your bedroom rifling through your underwear, maybe. There is no state in the union where the mere fact that someone was trespassing is a valid murder defense.

In many (most?) states, you are only justified in using deadly force if you are threatened with bodily harm to yourself or your family. If you catch someone going thru your underwear drawer, the most you can do is either try to restrain or immobilize the culprit or call the police, and the second would be necessary anyway if the first is successful.

--doug

--
Blessed are the peacemakers..for they shall be shot at from both sides. --A.M.Greeley

Archive: http://lists.debian.org/5272d638.7010...@optonline.net
Re: Only in America! ? (was ... Re: sudo and UNIXes
Doug writes:

> In many (most?) states, you are only justified in using deadly force if you are threatened with bodily harm to yourself or your family.

If you wake up in the middle of the night, see a stranger searching your dresser, and shoot him, you will almost certainly succeed in convincing a court that you were in justifiable fear for your life even if he turns out to be unarmed. In many states that suffices. On the other hand, if you shoot a couple of teenagers just because they stepped off the sidewalk and onto your lawn you will be convicted of murder anywhere in the USA.
--
John Hasler jhas...@newsguy.com
Elmwood, WI USA

Archive: http://lists.debian.org/87y559dqan@thumper.dhh.gt.org
Re: Only in America! ? (was ... Re: sudo and UNIXes (was: audacity export wma format[1 more question]))
On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:

> Note that I didn't say that I *would* shoot them dead.

Maybe shoot them just injured ? /Smilet/

Thierry

Archive: http://lists.debian.org/5014901.NVTbXgDfSN@new-one
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:

> Reco wrote:
>
>> And what about the end result ('user will get root privs')?
>
> They are different users. A remote user could be anyone. A local user is someone who is already known and has an account on the system and who has an established relationship and trust.

Now I got it, thanks. Such a meaning of 'local' and 'remote' applied to users didn't come to my mind.

Reco

Archive: http://lists.debian.org/20131029060442.GA13545@x101h
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Tue, Oct 29, 2013 at 1:17 AM, Bob Proulx b...@proulx.com wrote:

> Tom H wrote:
>
>> The standard task installs both nfs-common and rpcbind.
>
> Aha! Apparently the ability to nfs mount in /etc/fstab is the root cause of the dependency chain that requires nfs-common and therefore portmapper. At a guess.

Good guess!

I don't install the standard task and then add the bits that it provides and that I want piecemeal.

Archive: http://lists.debian.org/CAOdo=syez7eetlyordkjvb9jg5_heikcjq0tjevo-whryqu...@mail.gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:

> On Sat, 26 Oct 2013 21:50:23 +0000 Tom H tomh0...@gmail.com wrote:
>
>> On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
>>
>>> Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo too.
>>
>> It might not be sudo but it's the same principle of privilege escalation. sudo's simpler to set up so I've yet to work at any Solaris shop where it hasn't been installed (it's not necessarily used though; I moonlight at two companies where telnetting as root is the norm...).
>
> I agree that sudo is simpler to set up. I disagree that sudo is installed everywhere where Solaris is. Because - it's third-party software. And people don't like to install third-party software ('vendor didn't include it - we don't use it').

Your experience may be different but you can't disagree with what's been my experience over many years in many different companies!

Archive: http://lists.debian.org/CAOdo=syyg5txsz83qfx-pjqrejrct2dxohkmnkby1gwdyjz...@mail.gmail.com
Re: sudo and UNIXes
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:

> Reco recovery...@gmail.com writes:
>
>> True, you need to add to the picture that curious user who just read on Bugtraq or Full Disclosure about a fresh vulnerability in sudo. Or that disgruntled user who needs /etc/system changed right here and now. Or that developer who needs to do this 'small change, nobody will notice' on a production server. And if you don't have such people there - good for you, as here we can always find such a person.
>
> You also have to add to the picture such a vulnerability, and I haven't noticed any.

If we're speaking of public vulnerabilities:

CVE-2010-0427.
CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).

I have no knowledge about private 0days.

Reco

Archive: http://lists.debian.org/20131028134702.GA23316@x101h
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:

> On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:
>
>> On Sat, 26 Oct 2013 21:50:23 +0000 Tom H tomh0...@gmail.com wrote:
>>
>>> On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
>>>
>>>> Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo too.
>>>
>>> It might not be sudo but it's the same principle of privilege escalation. sudo's simpler to set up so I've yet to work at any Solaris shop where it hasn't been installed (it's not necessarily used though; I moonlight at two companies where telnetting as root is the norm...).
>>
>> I agree that sudo is simpler to set up. I disagree that sudo is installed everywhere where Solaris is. Because - it's third-party software. And people don't like to install third-party software ('vendor didn't include it - we don't use it').
>
> Your experience may be different but you can't disagree with what's been my experience over many years in many different companies!

Of course I agree with you. You've seen what you have seen, I have no doubts about that. Of course there are people who use sudo on Solaris, but - there are people who are not, and who won't do it. Third-party status is one of the reasons for it.

Reco.

Archive: http://lists.debian.org/20131028135129.GB23316@x101h
Re: sudo and UNIXes
On 10/28/2013 03:47 PM, Reco wrote:

> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
> [snip]
>> You also have to add to the picture such a vulnerability, and I haven't noticed any.
>
> If we're speaking of public vulnerabilities:
>
> CVE-2010-0427.
> CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).

CVE-2010-0427 may be the better example of the two, though it relies on a special configuration. CVE-2013-1775 is a rather contrived case and needs physical access. The general perception is that the game is over anyway when there is physical access.

/Lars

Archive: http://lists.debian.org/526e6d10.5070...@gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Sun, Oct 27, 2013 at 08:15:43PM -0600, Bob Proulx wrote:

> Reco wrote:
>
>> Oh. You mean that HP suddenly transformed to good fairies and stopped charging extra for aCC? Or IBM received an encrypted signal from their supervisors from Mars and did the same to vacc? And don't even mention Sun, those guys managed to build their base system with two different C compilers at once (gcc and that thing they put in Sun Studio instead of a C compiler).
>
> Wait. You mean the first thing you compile on a new system isn't gcc? Sometimes it would be 'make' first. Then gcc, binutils, and the rest of the support chain. Then make again using gcc. Then a hundred others!

Yep. On Solaris I use vendor packages with gcc, gmake and the GNU toolchain. On AIX I use the Linux Compatibility toolkit, and it provides me the GNU toolchain too. Luckily I don't have to compile anything for HP-UX. Heard someone built gcc for it, didn't need it so far. Once I've bootstrapped the GNU toolchain on Solaris (it was x86 so it was relatively fast), and I have no desire to repeat this process on, say, a T2000.

>> As for 'solid base'... C'mon, treating openssh as a third-party tool? No meaningful firewall in the default install? Telnet and FTP (root is allowed by default) enabled by default and listening on 0.0.0.0? Mandatory access control as a paid feature? Clearly our definitions of 'solid base' are different.
>
> By solid base I mean the Unix kernel. Have you ever needed to rescue a system suffering under a fork-bomb?

Well, there was that incident with Solaris projects and limiting LWPs with them, and I thought it was a good idea to test it with a Perl fork bomb. That particular project was configured the wrong way :( Bugger ate all memory just as fine as it would on Linux. Forking any process wasn't possible as a result. So, the server was bounced.

> Under the Linux kernel with defaults you will need to power cycle it. Even if you were already logged into it at best you would rather quickly get Connection closed by foreign host. But I have been able to log into HP-UX systems while under such stress and was able to kill the offending processes. That is what I meant by a solid base. It has a solid kernel. That is the base of the operating system.

I didn't test fork bombs on HP-UX (that's something I'll probably do in the future). If they use optimistic memory allocation, it'll be an interesting experience.

> The other things you mention I place in another layer above it. Most are policy decisions about telnet, ftp, and others wide open you can affect and change when it is your system to maintain. There isn't any reason not to turn off telnet and ftp entirely for example.

That's a legitimate point of view. But I prefer the systems in which I don't have to turn off anything unneeded (ideally, I don't have to install anything I don't need).

> But I agree about the security aspect. When I have needed to put one of those legacy systems on the net I usually protected it by putting it behind a separate firewall box. Because of some of the problems you mention. Using a separate proxy box for just the task needed made the security easier. But that doesn't make the machine less reliable for running large loads with an uptime of years.

There's nothing you wrote here I'd disagree with.

> And one must be careful of throwing stones. For example Debian does not provide a firewall by default. And it is debatable if it needs one. Many people don't configure one. Many people do. It all depends upon many things about the use case. I don't put one on internal machines. But I do put one on front facing machines.

That's Debian's fault indeed. But at least they don't include any network services worth speaking of (should we count the NFS portmapper, or not?) in an installation produced by netboot.

>> You left the large "unless local sysadmins care about security" escape clause there.
>
> But what about if the local admin *does* care about security? In that case you can have a system with _better_ security than that provided by the vendor.

If the local sysadmin cares about security then that site is truly blessed. No irony. See, I earn my salary for solving problems with certain proprietary cross-platform software. As a part of the job, I visit many different places, and what do I see there?

> No need to try to convince me. I have seen many horrors. But I don't think this problem is specific to the legacy Unix vendors.

Of course not, that's something I've admitted in the same mail. UNIXes just make managing useful third-party software harder, that's all. Not that UNIXes are that bad.

> It happens for any OS, GNU/Linux included.

And that is exactly my point.

> The biggest place I see problems today are companies that have full paid support for RHEL. But they are running very old and outdated software. I ask them why they are running RHEL and the answer is invariably because that was a commercially supported
Re: sudo and UNIXes
On Mon, Oct 28, 2013 at 03:56:32PM +0200, Lars Noodén wrote:

> On 10/28/2013 03:47 PM, Reco wrote:
>
>> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
>> [snip]
>>> You also have to add to the picture such a vulnerability, and I haven't noticed any.
>>
>> If we're speaking of public vulnerabilities:
>>
>> CVE-2010-0427.
>> CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).
>
> CVE-2010-0427 may be the better example of the two, though it relies on a special configuration. CVE-2013-1775 is a rather contrived case and needs physical access. The general perception is that the game is over anyway when there is physical access.

Still, they are (hopefully fully fixed) vulnerabilities, and they allow escalation to root, don't they?

Reco

Archive: http://lists.debian.org/20131028143416.GD23316@x101h
Re: sudo and UNIXes
Reco recovery...@gmail.com writes:

> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
>
>> Reco recovery...@gmail.com writes:
>>
>>> True, you need to add to the picture that curious user who just read on Bugtraq or Full Disclosure about a fresh vulnerability in sudo. Or that disgruntled user who needs /etc/system changed right here and now. Or that developer who needs to do this 'small change, nobody will notice' on a production server. And if you don't have such people there - good for you, as here we can always find such a person.
>>
>> You also have to add to the picture such a vulnerability, and I haven't noticed any.
>
> If we're speaking of public vulnerabilities:
>
> CVE-2010-0427.

Does not permit users outside of those in the sudoers file (or with the root password) to escalate privileges.

> CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).

Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.

> I have no knowledge about private 0days.
>
> Reco

Archive: http://lists.debian.org/1bvc0hcqqo@snowball.wb.pfeifferfamily.net
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 1:51 PM, Reco recovery...@gmail.com wrote:
> On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:
> > On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:
> > > On Sat, 26 Oct 2013 21:50:23 + Tom H tomh0...@gmail.com wrote:
> > > > On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
> > > > > Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo too.
> > > >
> > > > It might not be sudo but it's the same principle of privilege escalation. sudo's simpler to set up so I've yet to work at any Solaris shop where it hasn't been installed (it's not necessarily used though; I moonlight at two companies where telnetting as root is the norm...).
> > >
> > > I agree that sudo is simpler to set up. I disagree that sudo is installed everywhere where Solaris is. Because - it's third-party software. And people don't like to install third-party software ('vendor didn't include it - we don't use it').
> >
> > Your experience may be different but you can't disagree with what's been my experience over many years in many different companies!
>
> Of course I agree with you. You've seen what you have seen, I have no doubts about that. Of course there are people who use sudo on Solaris, but - there are people who are not, and who won't do it. Third-party status is one of the reasons for it.

It's a question of cost/benefit. The IT department asks itself: Does the cost of installing and maintaining sudo outweigh the benefit of integrating it into the admin workflow? Invariably the answer's been yes everywhere that I've worked, in spite of the third-party nature of sudo (and the same goes with lsof BTW, although far less often), to the _official_ dismay of visiting Sun/Oracle reps and admins.

Using sudo also aligns switch to root for sysadmins and switch to their special users for developers on Solaris and Linux in terms of use, logging, and auditing.

Archive: http://lists.debian.org/CAOdo=szac-chpcz7n-kwyemymhtfzdfiqrdub2fxhq81zs1...@mail.gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Reco wrote:
> Bob Proulx wrote:
> > And one must be careful of throwing stones. For example Debian does not provide a firewall by default. And it is debatable if it needs one. Many people don't configure one. Many people do. It all depends upon many things about the use case. I don't put one on internal machines. But I do put one on front facing machines.
>
> That's Debian's fault indeed. But at least they don't include any network services worth speaking of (should we count NFS portmapper, or not?) in an installation produced by netboot.

Is 'rpcbind' installed by default? I will need to look. I wonder why it would be there?

> > That is an exaggeration. For one it would need to be a local exploit for sudo to come in play.
>
> Ok, let's say … CVE-2010-0427. Somewhat old, but possible.

CVE-2010-0427 is a local only exploit. (Failure to reset group permissions properly.) So it would need to be a locally known user in order to exploit it. Not the same as having written the password on a T-shirt and wearing it around.

> > Therefore it would require a local user to attack it. A local access attack.
>
> SSH or telnet which is given such user for any legitimate purpose will do just fine.

Yes. But as described on these old Unix systems they are almost certainly part of the company, part of the family. There are different levels of security needed to get jobs done. Not every system needs to have ultimate security applied to it. And again it isn't the same as putting it on a T-shirt and wearing it around.

> > The password on a t-shirt would simply require someone who could walk by the admin and see it to gain remote access.
>
> Hmm. Usually they keep developers, end users and sysadmins separated here. So it's basically the same access complexity.

Goodness forbid that developers would ever talk with users or sysadmins! :-(

> And sudo isn't that important. There's always Swiss-cheese web-interfaces today :)

People are writing new bugs every day! Those that do not study history are doomed to repeat it.

Bob
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 11:45:03AM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > And one must be careful of throwing stones. For example Debian does not provide a firewall by default. And it is debatable if it needs one. Many people don't configure one. Many people do. It all depends upon many things about the use case. I don't put one on internal machines. But I do put one on front facing machines.
> >
> > That's Debian's fault indeed. But at least they don't include any network services worth speaking of (should we count NFS portmapper, or not?) in an installation produced by netboot.
>
> Is 'rpcbind' installed by default? I will need to look. I wonder why it would be there?

Part of an NFS client, I guess. The package is not marked as an essential one, though. Running a diskless client over NFS would be a curious trick without NFS support enabled.

> > > That is an exaggeration. For one it would need to be a local exploit for sudo to come in play.
> >
> > Ok, let's say … CVE-2010-0427. Somewhat old, but possible.
>
> CVE-2010-0427 is a local only exploit. (Failure to reset group permissions properly.) So it would need to be a locally known user in order to exploit it. Not the same as having written the password on a T-shirt and wearing it around.

I fail to see how one could be given SSH access to the host, be able to use sudo (and do so successfully), and still not be a local user. I must be missing something here, can you please enlighten me?

> > SSH or telnet which is given such user for any legitimate purpose will do just fine.
>
> Yes. But as described on these old Unix systems they are almost certainly part of the company, part of the family. There are different levels of security needed to get jobs done. Not every system needs to have ultimate security applied to it. And again it isn't the same as putting it on a T-shirt and wearing it around.

Servers are usually differentiated by their lifecycle status indeed. The purpose of testing and development servers that don't even try to mimic the production environment has always eluded me.

> > > The password on a t-shirt would simply require someone who could walk by the admin and see it to gain remote access.
> >
> > Hmm. Usually they keep developers, end users and sysadmins separated here. So it's basically the same access complexity.
>
> Goodness forbid that developers would ever talk with users or sysadmins! :-(

Not funny. That's exactly what goes on here usually. About the only people who can (and will) speak to everybody are helpdesk and HR. The old 'divide and rule' principle applied at a shop level.

Reco

Archive: http://lists.debian.org/20131028180553.GA29376@x101h
Re: sudo and UNIXes
On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
> Reco recovery...@gmail.com writes:
> > > You also have to add to the picture such a vulnerability, and I haven't noticed any.
> >
> > If we're speaking of public vulnerabilities: CVE-2010-0427.
>
> Does not permit users outside of those in the sudoers file (or with the root password) to escalate privileges.

Lessens the attack surface, but doesn't void the existence of the vulnerability.

> > CVE-2013-1775 (allows bypassing sudoers modification to retain root privileges).
>
> Again -- isn't basically equivalent to giving everyone uid=0. Permits someone who *has* sudo access to avoid retyping a password.

Not only that. Permits someone who already has sudo access to continue having such access indefinitely, ignoring being excluded from sudoers altogether.

Reco

Archive: http://lists.debian.org/20131028181130.GB29376@x101h
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Reco wrote:
> Bob Proulx wrote:
> > Is 'rpcbind' installed by default? I will need to look. I wonder why it would be there?
>
> Part of an NFS client, I guess. The package is not marked as an essential one, though. Running a diskless client over NFS would be a curious trick without NFS support enabled.

NFS client is not enabled by default. So that wouldn't be it. I just tried a minimum installation of Debian Wheezy in a VM and rpcbind was not installed. Are you sure it is installed by default?

> > CVE-2010-0427 is a local only exploit. (Failure to reset group permissions properly.) So it would need to be a locally known user in order to exploit it. Not the same as having written the password on a T-shirt and wearing it around.
>
> I fail to see how one could be given SSH access to the host, be able to use sudo (and do so successfully), and still not be a local user. I must be missing something here, can you please enlighten me?

You said using outdated sudo is equivalent to wearing a T-shirt with a root password written on it as the end result will be the same. I was refuting that statement. It isn't even close to being the same. Using sudo would require a local user exploit. You seem to agree that it would require a local user to exploit it. Having the root password publicly known does not require a local user. They are not the same class of issue at all. Not even close.

Bob
Re: sudo and UNIXes
Bob Proulx writes:
> I just tried a minimum installation of Debian Wheezy in a VM and rpcbind was not installed. Are you sure it is installed by default?

Rpcbind is priority standard. It is neither essential nor required. Thus whether it is installed by default or not depends on how you define a minimum installation.
-- 
John Hasler jhas...@newsguy.com
Elmwood, WI USA

Archive: http://lists.debian.org/874n81gnpl@thumper.dhh.gt.org
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 01:14:33PM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > Is 'rpcbind' installed by default? I will need to look. I wonder why it would be there?
> >
> > Part of an NFS client, I guess. The package is not marked as an essential one, though. Running a diskless client over NFS would be a curious trick without NFS support enabled.
>
> NFS client is not enabled by default. So that wouldn't be it. I just tried a minimum installation of Debian Wheezy in a VM and rpcbind was not installed. Are you sure it is installed by default?

No, I'm unsure. Maybe it was minimum install + recommended server install (whatever it is called now actually). Did the minimum install have any network services activated?

> > > CVE-2010-0427 is a local only exploit. (Failure to reset group permissions properly.) So it would need to be a locally known user in order to exploit it. Not the same as having written the password on a T-shirt and wearing it around.
> >
> > I fail to see how one could be given SSH access to the host, be able to use sudo (and do so successfully), and still not be a local user. I must be missing something here, can you please enlighten me?
>
> You said using outdated sudo is equivalent to wearing a T-shirt with a root password written on it as the end result will be the same. I was refuting that statement. It isn't even close to being the same. Using sudo would require a local user exploit. You seem to agree that it would require a local user to exploit it. Having the root password publicly known does not require a local user. They are not the same class of issue at all. Not even close.

Point taken. And what about the end result ('user will get root privs')?

Reco

Archive: http://lists.debian.org/20131028201600.GA8940@x101h
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Reco wrote:
> And what about the end result ('user will get root privs')?

They are different users. A remote user could be anyone. A local user is someone who is already known and has an account on the system and who has an established relationship and trust.

Case 1: I find that someone in my family who lives in my house has rummaged through my underwear drawer. A violation of trust has occurred. I am unhappy and will talk with them and give them a harsh lecture. This is not appropriate behavior.

Case 2: I find someone who is not a member of my family and who does not live in my house and who I don't know has rummaged through my underwear drawer. A very serious crime has been committed. I live in a state where I am fully legally protected if I shoot them dead.

The crime is the same in both cases. The only difference is who has done it.

Your argument is that they are the same. My argument is that they are different. This discussion has become circular. We are at irreconcilable differences. Therefore I will close my part of it with this thought:

Security is the one part of the system that by design makes the system harder to use. Hopefully infinitely hard to the bad guys. Hopefully less so for the good guys. But of course no system is perfect and the only 100% safe system is one that is off. Anything else is a compromise.

Bob
Re: sudo and UNIXes
John Hasler wrote:
> Bob Proulx writes:
> > I just tried a minimum installation of Debian Wheezy in a VM and rpcbind was not installed. Are you sure it is installed by default?
>
> Rpcbind is priority standard. It is neither essential nor required. Thus whether it is installed by default or not depends on how you define a minimum installation.

Ah! That explains it. I had nothing in tasksel checked. But if I do check Standard system then rpcbind is installed. That explains it.

I usually don't install the Standard system because that installs Exim (a fine tool) but I always install Postfix which must then push it out. Therefore I never select standard system and always install Postfix and other things later. That is how I missed it. But I would consider the Standard system utilities selection to be a normal small Debian install.

I don't think rpcbind should be priority standard these days. I wonder if it would be possible to convince people that it should be demoted to installed only as a dependency instead. Or if it is needed to learn why it is still needed.

Thanks!
Bob
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Mon, Oct 28, 2013 at 7:14 PM, Bob Proulx b...@proulx.com wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > Is 'rpcbind' installed by default? I will need to look. I wonder why it would be there?
> >
> > Part of an NFS client, I guess. The package is not marked as an essential one, though. Running a diskless client over NFS would be a curious trick without NFS support enabled.
>
> NFS client is not enabled by default. So that wouldn't be it. I just tried a minimum installation of Debian Wheezy in a VM and rpcbind was not installed. Are you sure it is installed by default?

The standard task installs both nfs-common and rpcbind.

Archive: http://lists.debian.org/CAOdo=sz+jfdtfuh8vsbmvsf2cplelk1_212j99c+wkpeb+k...@mail.gmail.com
Re: sudo and UNIXes
Bob Proulx writes:
> I don't think rpcbind should be priority standard these days. I wonder if it would be possible to convince people that it should be demoted to installed only as a dependency instead. Or if it is needed to learn why it is still needed.

Standard consists of packages that you would be surprised not to find on a UNIX system.
-- 
John Hasler jhas...@newsguy.com
Elmwood, WI USA

Archive: http://lists.debian.org/87zjptezem@thumper.dhh.gt.org
portmapper / rpcbind installed by default (was: sudo and UNIXes)
John Hasler wrote:
> Bob Proulx writes:
> > I don't think rpcbind should be priority standard these days. I wonder if it would be possible to convince people that it should be demoted to installed only as a dependency instead. Or if it is needed to learn why it is still needed.
>
> Standard consists of packages that you would be surprised not to find on a UNIX system.

Hmm... That is another statement that sounds like it says something but in reality doesn't define anything. There are many things I would be surprised not to find on a Unix system that aren't installed by default. I would be surprised not to find a C compiler and 'make'. I would be surprised not to find 'less'. Also 'at', 'ed', 'mailx', 'ssh', and 'rsync'. And I would be surprised if my list were even close to the same list as other people's. And there is the problem with that statement. :-)

But the portmapper is very closely associated with Sun RPC. If I have not installed anything in that family then I would not expect to find the portmapper installed. But it certainly is a valid dependency. I think it would be more appropriate to have it pulled in upon needing it as a dependency of other packages. It is already a dependency of nfs-common. I would simply stop there.

Bob
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Tom H wrote:
> The standard task installs both nfs-common and rpcbind.

Aha! Apparently the ability to nfs mount in /etc/fstab is the root cause of the dependency chain that requires nfs-common and therefore portmapper. At a guess.

Bob
Re: portmapper / rpcbind installed by default (was: sudo and UNIXes)
Bob Proulx wrote:
> John Hasler wrote:
> > Standard consists of packages that you would be surprised not to find on a UNIX system.
>
> But the portmapper is very closely associated with Sun RPC. If I have not installed anything in that family then I would not expect to find the portmapper installed. But it certainly is a valid dependency. I think it would be more appropriate to have it pulled in upon needing it as a dependency of other packages. It is already a dependency of nfs-common. I would simply stop there.

Aha! I had forgotten about /etc/fstab. That is the first link in the chain of dependencies.

    man fstab

In order to support nfs mounts in /etc/fstab it needs nfs-common and portmapper installed. And therefore I _had_ actually installed something, /etc/fstab, that would pull in the Sun RPC family by default. Hmm...

Bob
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Hi.

On Sat, 26 Oct 2013 21:50:23 + Tom H tomh0...@gmail.com wrote:
> On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
> > Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo too.
>
> It might not be sudo but it's the same principle of privilege escalation. sudo's simpler to set up so I've yet to work at any Solaris shop where it hasn't been installed (it's not necessarily used though; I moonlight at two companies where telnetting as root is the norm...).

I agree that sudo is simpler to set up. I disagree that sudo is installed everywhere where Solaris is. Because - it's third-party software. And people don't like to install third-party software ('vendor didn't include it - we don't use it').

As for telnet as root - the very setup of Solaris (before 10u4 iirc) pushed one to do exactly this (ssh required manual generation of host keys, telnet was already there and worked, root is the only working user after install).

> > Considering that primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore - not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.
>
> Somewhat exaggerated :)
>
> > No offense meant, but probably you're living in some kind of IT paradise ;) 'Nobody does no evil, nobody does any mistakes' kind of paradise.
>
> Not updating/patching sudo isn't equivalent to giving everyone root access! It's a BIG leap!

True, you need to add to the picture that curious user who just read on Bugtraq or Full Disclosure about a fresh vulnerability in sudo. Or that disgruntled user who needs /etc/system changed right here and now. Or that developer who needs to do this 'small change, nobody will notice' on a production server. And if you don't have such people there - good for you, as here we can always find such a person.

Reco

Archive: http://lists.debian.org/20131027113150.5d165f99e540507a98921...@gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Reco wrote:
> Bob Proulx wrote:
> > Most of those systems ship very little by their vendors. I have used them for many years and almost all of the software that you will use on those systems will have been compiled and installed by the local admin. IMNHO they are mainly a good solid base upon which you as the local admin build the working system. And for me if we are talking about what we compile locally from source I would need to look but the list is several hundred packages long!
>
> Oh. You mean that HP suddenly transformed to good fairies and stopped charging extra for aCC? Or IBM received an encrypted signal from their supervisors from Mars and did the same to vacc? And don't even mention Sun, those guys managed to build their base system with two different C compilers at once (gcc and that thing they put in Sun Studio instead of a C compiler). Wait. You mean the first thing you compile on a new system isn't gcc?

Sometimes it would be 'make' first. Then gcc, binutils, and the rest of the support chain. Then make again using gcc. Then a hundred others!

> As for 'solid base'... C'mon, treating openssh as a third-party tool? No meaningful firewall in default install? Telnet and FTP (root is allowed by default) enabled by default and listening on 0.0.0.0? Mandatory access control as a paid feature? Clearly our definitions of 'solid base' are different.

By solid base I mean the Unix kernel. Have you ever needed to rescue a system suffering under a fork-bomb? Under the Linux kernel with defaults you will need to power cycle it. Even if you were already logged into it at best you would rather quickly get Connection closed by foreign host. But I have been able to log into HP-UX systems while under such stress and was able to kill the offending processes. That is what I meant by a solid base. It has a solid kernel. That is the base of the operating system. The other things you mention I place in another layer above it.

Most are policy decisions about telnet, ftp, and others wide open you can affect and change when it is your system to maintain. There isn't any reason not to turn off telnet and ftp entirely for example. But I agree about the security aspect. When I have needed to put one of those legacy systems on the net I usually protected it by putting it behind a separate firewall box. Because of some of the problems you mention. Using a separate proxy box for just the task needed made the security easier. But that doesn't make the machine less reliable for running large loads with an uptime of years.

And one must be careful of throwing stones. For example Debian does not provide a firewall by default. And it is debatable if it needs one. Many people don't configure one. Many people do. It all depends upon many things about the use case. I don't put one on internal machines. But I do put one on front facing machines.

> > You left the large unless local sysadmins care about security escape clause there. But what about if the local admin *does* care about security? In that case you can have a system with _better_ security than that provided by the vendor.
>
> If the local sysadmin cares about security then that site is truly blessed. No irony. See, I earn my salary for solving problems with certain proprietary cross-platform software. As a part of the job, I visit many different places, and what do I see there?

No need to try to convince me. I have seen many horrors. But I don't think this problem is specific to the legacy Unix vendors.

> Outdated (like, 10 years outdated) SSH clients. Passwords stored in plain text files in a recycle bin (or on a sheet of paper under the keyboard). Telnet as a primary administration tool (because 'terminal looks funny in SecureCRT if I use SSH'). Cargo cult as the main method of configuring servers. Advice such as 'disable encryption in SSH, our server's CPUs cannot handle encryption' (copying files with scp from one Superdome to another). Complete inability to grasp even basic concepts of TCP/IP (we have network guys, they handle it). 'We're using VLANs so we don't need to encrypt anything'. 'We've installed antivirus everywhere = we're secure'. And last, but not least - 'security is complex, security bores me, security breaks our system'.

Yep. I agree totally with what you have said. I have seen the like myself up close and personal. Horrors!

> And they are not Joe and Jane the Average End Users. They are sysadmins :(

Yes. But just because they have the job does not make them good at it. Most importantly it does not give them the attitude that if it is broken then it must be fixed. (Broken windows lead to more brokenness.) The attitude is more important. If they are persistent then with the attitude that broken windows must be fixed then they will learn what they need. Attitude is more important. But too often I see people who simply occupy hours on the time card. If they don't have
Re: sudo and UNIXes
Reco recovery...@gmail.com writes:
> Tom H tomh0...@gmail.com wrote:
> > On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
> > > Considering that primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore - not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.
> >
> > Somewhat exaggerated :)
> >
> > > No offense meant, but probably you're living in some kind of IT paradise ;) 'Nobody does no evil, nobody does any mistakes' kind of paradise.
> >
> > Not updating/patching sudo isn't equivalent to giving everyone root access! It's a BIG leap!
>
> True, you need to add to the picture that curious user who just read on Bugtraq or Full Disclosure about a fresh vulnerability in sudo. Or that disgruntled user who needs /etc/system changed right here and now. Or that developer who needs to do this 'small change, nobody will notice' on a production server. And if you don't have such people there - good for you, as here we can always find such a person.

You also have to add to the picture such a vulnerability, and I haven't noticed any.

Archive: http://lists.debian.org/1b38nmdqfg@snowball.wb.pfeifferfamily.net
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
> On Fri, 25 Oct 2013 20:28:57 + Tom H tomh0...@gmail.com wrote:
> > On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
> > > On Fri, 25 Oct 2013 12:31:55 -0600 Bob Proulx b...@proulx.com wrote:
> > > > Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't anything new. It is a good worthy tool.
> > >
> > > This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11 which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).
> >
> > Solaris has had pfexec since Solaris 8.
>
> Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo too.

It might not be sudo but it's the same principle of privilege escalation. sudo's simpler to set up so I've yet to work at any Solaris shop where it hasn't been installed (it's not necessarily used though; I moonlight at two companies where telnetting as root is the norm...).

> > > Considering that primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore - not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.
> >
> > Somewhat exaggerated :)
>
> No offense meant, but probably you're living in some kind of IT paradise ;) 'Nobody does no evil, nobody does any mistakes' kind of paradise.

Not updating/patching sudo isn't equivalent to giving everyone root access! It's a BIG leap!

Archive: http://lists.debian.org/CAOdo=syowajfhff+4y-m52cew4odcyhog894yufxtgbnyxk...@mail.gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
Hi.

On Fri, 25 Oct 2013 12:31:55 -0600 Bob Proulx b...@proulx.com wrote:
> Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't anything new. It is a good worthy tool.

This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11 which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).

Considering that primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore - not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.

Reco

Archive: http://lists.debian.org/20131025234110.478c8065ddd992139a38b...@gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
This seems to be a thread unintentionally initiated by me :D.

In the past I was against sudo, but nowadays I set up a root account (su) and sudo for my Linux and if I use Ubuntu I usually keep it as is, IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH ich bin schmerzfrei as we say in German, somebody on this list called it a sledgehammer:

    #!/bin/sh
    xhost +
    gksudo -u chuser "$@"
    xhost -
    exit

C'mon, not all machines are multi-user top security environments. If you talk about the pros and cons of sudo, first clarify for what task. Better add sudo, even without asking for a password, than have people running X sessions as root. Without PAM we likely would run X audio sessions as superuser ;). http://jackaudio.org/linux_rt_config

People still can become root by su and then do disgusting things ;) and unintentionally allow foreigners to do disgusting things too, assuming the superuser leaves something over intruders could damage.

Regards,
Ralf

Archive: http://lists.debian.org/1382731835.656.48.camel@archlinux
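The helper quoted above earns its "sledgehammer" name from `xhost +`, which switches X access control off for every client, and it never revokes the grant if the command fails. As an added example that is not Ralf's script, the wrapper below does the same job with a least-privilege grant: it admits only the one local account the command runs as, and removes that entry afterwards. sudo stands in for gksudo, and the account name, DISPLAY and the sudoers rule permitting the switch are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: a least-privilege counterpart of the
# xhost "sledgehammer" above. `xhost +` switches X access control off for every
# client; this grants one local account access, runs the command through sudo
# (a stand-in for gksudo, an assumption) and revokes the grant afterwards.
# Assumes DISPLAY is set and sudo permits the caller to run as the target user.

# Accept only a plain account name, so the argument cannot turn into extra
# xhost options or a different access-control family.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Server-interpreted xhost entry for one local user (the narrow alternative
# to "+", which means "everyone").
x_acl_entry() {
    printf 'SI:localuser:%s\n' "$1"
}

# run_as_user USER COMMAND [ARG...]
run_as_user() {
    user="$1"; shift
    valid_username "$user" || { echo "run_as_user: bad user name: $user" >&2; return 2; }
    entry=$(x_acl_entry "$user")
    xhost "+$entry" >/dev/null || return 1
    # Revoke the grant even if the command is interrupted.
    trap 'xhost "-$entry" >/dev/null' HUP INT TERM
    sudo -u "$user" -- "$@"
    status=$?
    xhost "-$entry" >/dev/null
    trap - HUP INT TERM
    return "$status"
}

# Script usage: ./run_as_user.sh chuser xterm
if [ "$#" -gt 0 ]; then
    run_as_user "$@"
fi
```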
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
> On Fri, 25 Oct 2013 12:31:55 -0600 Bob Proulx b...@proulx.com wrote:
> > Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't anything new. It is a good worthy tool.
>
> This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11 which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).

Solaris has had pfexec since Solaris 8.

> Considering that primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore - not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.

Somewhat exaggerated :)

Archive: http://lists.debian.org/CAOdo=SyHvrF=gpje83ryhjf+iyrlc6aqmtdhbjbjtfdfowt...@mail.gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
recovery...@gmail.com wrote:
> Bob Proulx wrote:
>> Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't anything new. It is a good worthy tool.
>
> This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11, which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).

It is certainly fair that you would take exception to my words (since I often do that to others!) but I said "on those not distributed by them". ;-) I didn't say the vendor distributed it.

Most of those systems ship very little by their vendors. I have used them for many years and almost all of the software that you will use on those systems will have been compiled and installed by the local admin. IMNHO they are mainly a good solid base upon which you as the local admin build the working system. And for me, if we are talking about what we compile locally from source, I would need to look but the list is several hundred packages long!

> Considering that the primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.

You left the large "unless local sysadmins care about security" escape clause there. But what about if the local admin *does* care about security? In that case you can have a system with _better_ security than that provided by the vendor. And even in the case of an overworked and somewhat slack admin, the system security with source sudo installed but old is probably about the same as that provided by the vendor. Vendors don't update their software that often and usually not without something pushing them to do so.

For improved security a system with many eyes upon the code such as Debian is much better. Anyone using a traditional legacy Unix system today is most likely not using it for the security of the system but for other aspects of it.

Bob
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, 25 Oct 2013 14:21:37 -0600 Bob Proulx b...@proulx.com wrote:
> recovery...@gmail.com wrote:
>> Bob Proulx wrote:
>> This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11, which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).
>
> It is certainly fair that you would take exception to my words (since I often do that to others!) but I said "on those not distributed by them". ;-) I didn't say the vendor distributed it.

Indeed you didn't. My sincere apologies just in case.

> Most of those systems ship very little by their vendors. I have used them for many years and almost all of the software that you will use on those systems will have been compiled and installed by the local admin. IMNHO they are mainly a good solid base upon which you as the local admin build the working system. And for me, if we are talking about what we compile locally from source, I would need to look but the list is several hundred packages long!

Oh. You mean that HP suddenly transformed into good fairies and stopped charging extra for aCC? Or IBM received an encrypted signal from their supervisors from Mars and did the same to vacc? And don't even mention Sun, those guys managed to build their base system with two different C compilers at once (gcc and that thing they put in Sun Studio instead of a C compiler).

As for 'solid base'… C'mon, treating openssh as a third-party tool? No meaningful firewall in the default install? Telnet and FTP (root is allowed by default) enabled by default and listening on 0.0.0.0? Mandatory access control as a paid feature? Clearly our definitions of 'solid base' are different.

>> Considering that the primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.
>
> You left the large "unless local sysadmins care about security" escape clause there. But what about if the local admin *does* care about security? In that case you can have a system with _better_ security than that provided by the vendor.

If the local sysadmin cares about security then that site is truly blessed. No irony.

See, I earn my salary for solving problems with certain proprietary cross-platform software. As a part of the job, I visit many different places, and what do I see there?

Outdated (like, 10 years outdated) SSH clients. Passwords stored in plain text files in a recycle bin (or on a sheet of paper under the keyboard). Telnet as a primary administration tool (because 'terminal looks funny in SecureCRT if I use SSH'). Cargo cult as the main method of configuring servers. Advice such as 'disable encryption in SSH, our server's CPUs cannot handle encryption' (copying files with scp from one Superdome to another). Complete inability to grasp even basic concepts of TCP/IP (we have network guys, they handle it). 'We're using VLANs so we don't need to encrypt anything'. 'We've installed antivirus everywhere = we're secure'. And last, but not least - 'security is complex, security bores me, security breaks our system'.

And they are not Joe and Jane the Average End Users. They are sysadmins :(

Not that UNIXes are that bad. It happens for any OS, GNU/Linux included.

> And even in the case of an overworked and somewhat slack admin, the system security with source sudo installed but old is probably about the same as that provided by the vendor. Vendors don't update their software that often and usually not without something pushing them to do so.

Sudo had vulnerabilities that led to gaining root access by exploiting them. And people will use it as vendors won't provide them any meaningful way to update all installed software at once. Therefore, using outdated sudo is equivalent to wearing a T-shirt with the root password written on it, as the end result will be the same.

> For improved security a system with many eyes upon the code such as Debian is much better. Anyone using a traditional legacy Unix system today is most likely not using it for the security of the system but for other aspects of it.

That's true, but. I didn't imply that proprietary software is insecure a priori (although, honestly, it is :) given what kind of people are actually writing it today); I meant that using an outdated tool for gaining security actually lowers it.

Reco

Archive: http://lists.debian.org/20131026010704.c520162a574e2d5d01ccf...@gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, 25 Oct 2013 20:28:57 + Tom H tomh0...@gmail.com wrote:
> On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
>> On Fri, 25 Oct 2013 12:31:55 -0600 Bob Proulx b...@proulx.com wrote:
>>> Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't anything new. It is a good worthy tool.
>>
>> This is not entirely correct. Sudo is considered third-party software in HP-UX (HP merely builds it and doesn't install it by default), AIX (not provided by IBM and therefore not supported) and Solaris (third-party software without any support in versions <= 10). About the only exception is Solaris 11, which provides sudo in the default install (and it is configured the same way as in Ubuntu by default).
>
> Solaris has had pfexec since Solaris 8.

Yes, but pfexec is not sudo. And privilege-aware Solaris shells are definitely not sudo either.

>> Considering that the primary usage of sudo is to provide controlled privilege escalation to uid=0, using unsupported (therefore not updated unless local sysadmins care about security) sudo on these OSes is basically equivalent to giving everyone uid=0.
>
> Somewhat exaggerated :)

No offense meant, but probably you're living in some kind of IT paradise ;) 'Nobody does no evil, nobody does any mistakes' kind of paradise.

Reco

Archive: http://lists.debian.org/20131026011611.f2a1e103756681a7d0e85...@gmail.com
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
> Passwords stored in plain text files in a recycle bin (or on a sheet of paper under the keyboard).

Female sysadmins wearing slips of paper on the forehead with passphrases:
http://www.kingmatz.com/Bilder%202007/2009/mk/RIMG0206.JPG

Archive: http://lists.debian.org/1382735826.656.70.camel@archlinux
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, 25 Oct 2013 22:10:35 +0200 Ralf Mardorf ralf.mard...@alice-dsl.net wrote:
> In the past I was against sudo, but nowadays I set up a root account (su) and sudo for my Linux, and if I use Ubuntu I usually keep it as is, IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH "ich bin schmerzfrei" as we say in German; somebody on this list called it a sledgehammer:
>
>     #!/bin/sh
>     xhost +
>     gksudo -u chuser $*
>     xhost -
>     exit

Indeed it does have some qualities of a sledgehammer. 'xhost +si:localuser:chuser' will do the same with fewer side effects. Copying the right part of .Xauthority will remove the need to do xhost.

> C'mon, not all machines are multi-user top security environments.

Sure. Also you don't mind providing your credit card number and CCV to the rest of the world. And under no circumstances will you store any files on any of those machines that you don't want to show to anyone. And you have no objections to helping some poor kind soul to mine some bitcoins. And you have no objections to participating in botnets or sending spam.

> If you talk about the pros and cons of sudo, first clarify for what task. Better add sudo, even without asking for a password, than have people running X sessions as root.

I never implied that sudo is a bad thing. It is Ubuntu-style sudo (ability to run arbitrary commands as root) that is a bad thing IMO.

> Without PAM we likely would run X audio sessions as superuser ;).
> http://jackaudio.org/linux_rt_config

Please tell that to that Lennart Poettering guy who invented his own RealTimeGizmo for his beloved PulseAudio ;)

Reco

Archive: http://lists.debian.org/20131026013423.1aef56a50728fa4e4c261...@gmail.com
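The two alternatives Reco names above (an xhost entry scoped to one local user, and handing over the .Xauthority cookie with xauth), written out as an added example that is not from the thread. It assumes a target user named chuser, a set DISPLAY, and sudo in place of gksudo; the two status strings are constructed to mirror the first line xhost prints in each state.

```shell
#!/bin/sh
# Added example, not from the thread. Two less blunt ways to let another local
# user (assumed name: chuser) open windows on your X display, as Reco's reply
# describes, instead of "xhost +", which disables access control for everyone.
# Assumes DISPLAY is set and sudo is used in place of gksudo.

TARGET_USER="${TARGET_USER:-chuser}"

# Access-control entry for one local user only (server-interpreted form).
xhost_entry() {
    printf 'si:localuser:%s' "$1"
}

# Return 0 if the given xhost status line reports access control disabled,
# i.e. the state "xhost +" leaves behind; 1 otherwise. Useful as a quick
# check that a script like the sledgehammer above did not leave the display open.
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Constructed samples mirroring the first line xhost prints in each state.
OPEN_STATUS_SAMPLE='access control disabled, clients can connect from any host'
CLOSED_STATUS_SAMPLE='access control enabled, only authorized clients can connect'

# Variant 1: grant only $TARGET_USER, run the command, revoke on exit.
run_as_user() {
    entry=$(xhost_entry "$TARGET_USER")
    xhost "+$entry" >/dev/null || return 1
    trap 'xhost "-$entry" >/dev/null' EXIT   # revoke even if the command fails
    sudo -u "$TARGET_USER" env DISPLAY="$DISPLAY" "$@"
}

# Variant 2: copy the cookie for this display into the target user's
# .Xauthority instead (no xhost at all). -H makes sudo set HOME so xauth
# writes the target user's own file.
share_xauth_cookie() {
    xauth extract - "$DISPLAY" | sudo -H -u "$TARGET_USER" xauth merge -
}

# Only act when a command is given, e.g.:  ./script.sh xterm
[ $# -eq 0 ] || run_as_user "$@"
```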
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Sat, 2013-10-26 at 01:34 +0400, Reco wrote:
> Please tell that to that Lennart Poettering guy who invented his own RealTimeGizmo for his beloved PulseAudio ;)

Ok, now I'm able to resist. I love to be marxbrotherish, but with respect to the list, I try to fake that I don't know who this girl is.

Archive: http://lists.debian.org/1382737291.656.74.camel@archlinux
Re: sudo and UNIXes (was: audacity export wma format[1 more question])
On Fri, 25 Oct 2013 23:17:06 +0200 Ralf Mardorf ralf.mard...@alice-dsl.net wrote:
> On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
>> Passwords stored in plain text files in a recycle bin (or on a sheet of paper under the keyboard).
>
> Female sysadmins wearing slips of paper on the forehead with passphrases:
> http://www.kingmatz.com/Bilder%202007/2009/mk/RIMG0206.JPG

Not secure enough. Everyone knows that good passwords are made of asterisks only. They use big dots instead :)

Reco

Archive: http://lists.debian.org/20131026014556.75f34f5eeddf48d795157...@gmail.com