Re: Edit user groups
> and I recommend against sudo because its very design is a man-in-the-middle
> type of scenario, and one typo by the sudo devs can possibly make a mess out
> of things.
>
> I think sudo makes a lazy admin -- too easy to just run in and hit
> something.
>
> I think sudo is a false sense of security. If a user trusts another, and
> gives sudo access, why not give the whole OS to them?
>
> Sudo's out there -- don't get me wrong, but you won't catch me dead with a
> box with sudo installed. I think it's a very misleading tool. And not to
> say they do -- but what if the devs put in a keygen...do you monitor the
> sudo source code?
>
> And if I remember correctly -- the way sudo gets its work done is a SUID
> bit to root. Those are the devil's eggs that hatch and just cause havoc. A
> rogue CGI calling sudo to do something on the website, buffer overflow (with
> php!) and you've gotten rooted.
>
> No, no -- I hate sudo for its own doing. It's going to eat itself alive.
>
> No flames please.

not a flame, but a point of order - you can grant sudo privs to a user that
does not automatically give them full root/wheel privs. i reckon this is
something that most admins have had to come across when working in a
multiuser environment. what sudo also provides you is:

1) an audit trail of who did what, when with said escalated privs
2) a way to give non-wheel users access to run specific commands that may
   require escalated privs

so i'm not really sure why one would want to throw out the baby with the
bath water, it's just another layer on the onion - and much better than
giving everyone root access, or requiring the one or two trusted users in
wheel to execute any program that may require escalated privs (rndc reload,
apachectl reload come to mind immediately).

-p

--
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

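The audit trail and per-command grants mentioned in the message above, as an added example that is not part of the thread: a shell function that turns sudo's syslog lines into one record per event and picks out refused attempts. The log lines, host and user names, command paths and the `dnsops` group are constructed for illustration.

```shell
#!/bin/sh
# Added example. A sudoers rule of this shape (group name "dnsops" is
# hypothetical) limits its members to a single command as root:
#   %dnsops ALL = (root) /usr/sbin/rndc reload

# Constructed sample lines in the format sudo writes to syslog.
sample_sudo_log() {
cat <<'EOF'
Jan 20 21:02:11 ns1 sudo:     pete : TTY=ttyp0 ; PWD=/home/pete ; USER=root ; COMMAND=/usr/sbin/rndc reload
Jan 20 21:05:40 ns1 sudo:    alice : TTY=ttyp1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/sbin/apachectl reload
Jan 20 21:09:03 ns1 sudo:    alice : command not allowed ; TTY=ttyp1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Jan 20 21:15:27 ns1 sudo:     pete : TTY=ttyp0 ; PWD=/etc/namedb ; USER=root ; COMMAND=/usr/sbin/rndc reload
EOF
}

# Read syslog lines on stdin; print "user|runas|status|command" per sudo event.
sudo_audit() {
  awk '
    / sudo: / {
      rest = substr($0, index($0, " sudo: ") + 7)
      # COMMAND= is the last field and may itself contain " ; ",
      # so cut it off by position before splitting the rest.
      cpos = index(rest, "COMMAND=")
      if (cpos == 0) next
      cmd = substr(rest, cpos + 8)
      n = split(substr(rest, 1, cpos - 1), f, / ; /)
      split(f[1], who, / : /)
      user = who[1]; gsub(/^ +| +$/, "", user)
      # A successful run starts with TTY=; a refusal carries a reason first.
      status = (who[2] ~ /^TTY=/) ? "ok" : who[2]
      runas = ""
      for (i = 1; i <= n; i++) if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
      print user "|" runas "|" status "|" cmd
    }'
}

# Only the attempts sudo refused.
sudo_denied() {
  sudo_audit | awk -F"|" '$3 != "ok"'
}

sample_sudo_log | sudo_audit
```
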
Re: Edit user groups
On Tue, Jan 20, 2009 at 09:23:32PM -0700, Tim Judd wrote:
> Clifton Royston wrote:
> >Good advice given so far (pw is a good tool, direct editing works) but
> >I'd also suggest you consider installing and using sudo; I always
> >install it on all of my systems and use it probably 10-20 times as
> >often as su.
>
> ...
> I think sudo is a false sense of security. If a user trusts another,
> and gives sudo access, why not give the whole OS to them?

Among other reasons, because it allows you to partition privileges and
give access for specific users (or groups of users) to specific accounts
only, or to execute only a specific set of commands as root or another
user. When I was running a department of technical support staff and
another group of junior administrators, this ability to limit and
partition powers was a life-saver.

I think you mistrust sudo because you do not yet understand it as well
as su (also essential, but a more blunt instrument.)

> Sudo's out there -- don't get me wrong, but you won't catch me dead with
> a box with sudo installed. I think it's a very misleading tool. And
> not to say they do -- but what if the devs put in a keygen...do you
> monitor the sudo source code?

Rarely, but it's freely available, and thousands if not tens of
thousands of other programmers and admins have access to it, and do
check it enough to find the occasional bug. Same as the source to su,
or to the OS as a whole; has it never occurred to you there are trust
issues there as well?

> And if I remember correctly -- the way sudo gets its work done is a
> SUID bit to root.

Dude, how do you think su works?

  -- Clifton

--
Clifton Royston -- clift...@iandicomputing.com / clift...@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Re: Edit user groups
On 01/20/2009 08:23 PM, Tim Judd wrote:
[...]
> and I recommend against sudo because its very design is a
> man-in-the-middle type of scenario, and one typo by the sudo devs can
> possibly make a mess out of things.
>
> I think sudo makes a lazy admin -- too easy to just run in and hit
> something.
>
> I think sudo is a false sense of security. If a user trusts another,
> and gives sudo access, why not give the whole OS to them?
>
> Sudo's out there -- don't get me wrong, but you won't catch me dead with
> a box with sudo installed. I think it's a very misleading tool. And
> not to say they do -- but what if the devs put in a keygen...do you
> monitor the sudo source code?
>
> And if I remember correctly -- the way sudo gets its work done is a
> SUID bit to root. Those are the devil's eggs that hatch and just cause
> havoc. A rogue CGI calling sudo to do something on the website, buffer
> overflow (with php!) and you've gotten rooted.
>
> No, no -- I hate sudo for its own doing. It's going to eat itself alive.
>
> No flames please.

Have you read through the entire src tree? And the source of every
software package you've ever installed? If so, it would be a drop in
the bucket to read through sudo as well.

I see that you sent your e-mail from a Windows box...

P.S. There is a difference between a keygen and a keylogger.

--
Benjamin Lee
http://www.b1c1l1.com/

Re: Edit user groups
Clifton Royston wrote:
> On Tue, Jan 20, 2009 at 03:09:16PM -0500, Akenner wrote:
>> Hi,
>>
>> I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
>> I made about 4 for myself to use and do various testing with, and made
>> some for my Wife as well because She knows UNIX better than I do anyway heh.
>>
>> Anyway, one of the things I forgot about, was that FreeBSD by default
>> doesn't allow just anyone to use su.
>
> Good advice given so far (pw is a good tool, direct editing works) but
> I'd also suggest you consider installing and using sudo; I always
> install it on all of my systems and use it probably 10-20 times as
> often as su.
>
>   -- Clifton

and I recommend against sudo because its very design is a
man-in-the-middle type of scenario, and one typo by the sudo devs can
possibly make a mess out of things.

I think sudo makes a lazy admin -- too easy to just run in and hit
something.

I think sudo is a false sense of security. If a user trusts another,
and gives sudo access, why not give the whole OS to them?

Sudo's out there -- don't get me wrong, but you won't catch me dead with
a box with sudo installed. I think it's a very misleading tool. And
not to say they do -- but what if the devs put in a keygen...do you
monitor the sudo source code?

And if I remember correctly -- the way sudo gets its work done is a
SUID bit to root. Those are the devil's eggs that hatch and just cause
havoc. A rogue CGI calling sudo to do something on the website, buffer
overflow (with php!) and you've gotten rooted.

No, no -- I hate sudo for its own doing. It's going to eat itself alive.

No flames please.

Re: Edit user groups
On Tue, Jan 20, 2009 at 03:09:16PM -0500, Akenner wrote:
> Hi,
>
> I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
> I made about 4 for myself to use and do various testing with, and made
> some for my Wife as well because She knows UNIX better than I do anyway heh.
>
> Anyway, one of the things I forgot about, was that FreeBSD by default
> doesn't allow just anyone to use su.

Good advice given so far (pw is a good tool, direct editing works) but
I'd also suggest you consider installing and using sudo; I always
install it on all of my systems and use it probably 10-20 times as
often as su.

  -- Clifton

--
Clifton Royston -- clift...@iandicomputing.com / clift...@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Re: Edit user groups
Thanks everyone for the replies, much appreciated.

Re: Edit user groups
In response to Akenner:
> Hi,
>
> I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
> I made about 4 for myself to use and do various testing with, and made
> some for my Wife as well because She knows UNIX better than I do anyway heh.
>
> Anyway, one of the things I forgot about, was that FreeBSD by default
> doesn't allow just anyone to use su.
>
> I come from mainly using Linux, where you can log in and then whenever
> you need to open a root xterm or even a root shell, you just type the
> password and go. I looked up how to do this but most of my results came
> back with setting up user accounts, and other things. I did add another
> user that was in the wheel group so I could do it, but I'd really like
> to be able to add my main user account to the wheel group so I can su
> from this one instead of doing su otheruser and then su again to root.
>
> I found while searching for this something that MIGHT be what I'm
> looking for, but after reading it over, it seems I'd have to read
> through the whole man page first and then, it could be bad if I mistype
> something, or I could even screw up an account, which I can't risk.
>
> Is there an exact way to take a user account on my system, and add it to
> the wheel group?

man pw

Specifically:
pw usermod -n username -G wheel
or
pw groupmod -n wheel -m username

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/

Re: Edit user groups
Akenner wrote:
> Hi,
>
> I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
> I made about 4 for myself to use and do various testing with, and made
> some for my Wife as well because She knows UNIX better than I do anyway
> heh.
>
> Anyway, one of the things I forgot about, was that FreeBSD by default
> doesn't allow just anyone to use su.
>
> I come from mainly using Linux, where you can log in and then whenever
> you need to open a root xterm or even a root shell, you just type the
> password and go. I looked up how to do this but most of my results came
> back with setting up user accounts, and other things. I did add another
> user that was in the wheel group so I could do it, but I'd really like
> to be able to add my main user account to the wheel group so I can su
> from this one instead of doing su otheruser and then su again to root.
>
> I found while searching for this something that MIGHT be what I'm
> looking for, but after reading it over, it seems I'd have to read
> through the whole man page first and then, it could be bad if I mistype
> something, or I could even screw up an account, which I can't risk.
>
> Is there an exact way to take a user account on my system, and add it to
> the wheel group?

Yes.

# ee /etc/group

...and add your username to the list of users after the wheel group.
For instance, by default, the entry will appear as such:

wheel:*:0:root

...and if my username is steve, you will append the line like this:

wheel:*:0:root,steve

...then hit ESC, then ENTER twice.

Steve

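The /etc/group edit described in the message above, as an added example that is not part of the thread: a shell function that appends a user to a group's member list in a group(5)-format file, run on a constructed copy so the result can be inspected before anything is installed. The function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: append a user to a group's member list in a group(5)-format
# file (name:passwd:gid:member,member). Function names are hypothetical.

# Constructed sample; work on a copy like this, never on /etc/group in place.
sample_group() {
cat <<'EOF'
# constructed sample in group(5) format
wheel:*:0:root
daemon:*:1:
operator:*:5:root
staff:*:20:
EOF
}

# add_group_member FILE GROUP USER
# Prints FILE with USER added to GROUP. Idempotent. Returns 2 on a name that
# could corrupt the colon/comma-delimited format, 3 if GROUP is not in FILE.
add_group_member() {
  for name in "$2" "$3"; do
    case $name in
      ''|*[!A-Za-z0-9._-]*) echo "refusing name: $name" >&2; return 2 ;;
    esac
  done
  awk -F: -v OFS=: -v g="$2" -v u="$3" '
    $1 == g {
      found = 1
      present = 0
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) present = 1
      # Only rewrite the line when the user is not already a member.
      if (!present) $4 = ($4 == "" ? u : $4 "," u)
    }
    { print }
    END { if (!found) exit 3 }
  ' "$1"
}

tmp=$(mktemp)
sample_group > "$tmp"
add_group_member "$tmp" wheel steve   # wheel line becomes wheel:*:0:root,steve
rm -f "$tmp"
```

The `pw groupmod -n wheel -m username` command given elsewhere in this thread makes the same change without hand-editing. On FreeBSD, chkgrp(8) can check an edited copy's syntax before it replaces /etc/group.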
Re: Edit user groups
On Tue, Jan 20, 2009 at 03:09:16PM -0500, Akenner wrote:
> Hi,
>
> I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
> I made about 4 for myself to use and do various testing with, and made
> some for my Wife as well because She knows UNIX better than I do anyway heh.
>
> Anyway, one of the things I forgot about, was that FreeBSD by default
> doesn't allow just anyone to use su.
>
> I come from mainly using Linux, where you can log in and then whenever
> you need to open a root xterm or even a root shell, you just type the
> password and go. I looked up how to do this but most of my results came
> back with setting up user accounts, and other things. I did add another
> user that was in the wheel group so I could do it, but I'd really like
> to be able to add my main user account to the wheel group so I can su
> from this one instead of doing su otheruser and then su again to root.
>
> I found while searching for this something that MIGHT be what I'm
> looking for, but after reading it over, it seems I'd have to read
> through the whole man page first and then, it could be bad if I mistype
> something, or I could even screw up an account, which I can't risk.
>
> Is there an exact way to take a user account on my system, and add it to
> the wheel group?

Just edit the /etc/group file and put that user in that group.
That is the normal way of doing it.

I would not suggest making wheel be the primary group for any
other than root accounts.

jerry

Edit user groups
Hi,

I'm using FreeBSD 7.1-RELEASE and I have multiple user accounts set up.
I made about 4 for myself to use and do various testing with, and made
some for my Wife as well because She knows UNIX better than I do anyway heh.

Anyway, one of the things I forgot about, was that FreeBSD by default
doesn't allow just anyone to use su.

I come from mainly using Linux, where you can log in and then whenever
you need to open a root xterm or even a root shell, you just type the
password and go. I looked up how to do this but most of my results came
back with setting up user accounts, and other things. I did add another
user that was in the wheel group so I could do it, but I'd really like
to be able to add my main user account to the wheel group so I can su
from this one instead of doing su otheruser and then su again to root.

I found while searching for this something that MIGHT be what I'm
looking for, but after reading it over, it seems I'd have to read
through the whole man page first and then, it could be bad if I mistype
something, or I could even screw up an account, which I can't risk.

Is there an exact way to take a user account on my system, and add it to
the wheel group?