
#1 2012-12-14 18:20:59

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Question about sudo and about grub

It seems to me that in Archbang, one can use sudo to do anything as long as one has access to a terminal and sudo never asks for any password, neither from root nor from normal user. I can even change my root password using only sudo without being asked for a current password. Isn't this insecure?

Also, I have installed archbang on three laptops as a dual boot setup. Updating the linux kernel on the other linuxes causes Archbang to disappear from the boot up grub menu on all three. Well, updating ubuntu 12.10 kernel did not in one case but updating ubuntu 12.04 did. I installed Mint 14 in place of 12.04 and Mint entirely ignored the Archbang partition.

This is with the latest Archbang 32 bit as seen on Distrowatch.

Offline

#2 2012-12-15 02:43:00

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

Sudo is "normally" set up to require a password for whatever you are doing, unless your commands fall into a time space like 2 minutes (or whatever) since the root password was first issued.

Have a look here where you can learn to modify visudo to suit your requirements:

https://wiki.archlinux.org/index.php/Sudo

Offline

#3 2012-12-15 11:05:23

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Re: Question about sudo and about grub

Thanks handy. Will do.

Offline

#4 2012-12-15 17:56:26

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

I don't get asked for a password using sudo, ever - so there is no time frame started.
This is because /etc/sudoers.d/g_wheel has:

%wheel  ALL=(ALL) NOPASSWD: ALL

and the default user is group member of wheel
Change it to

%wheel  ALL=(ALL) ALL

for a more sane default.

Last edited by rob.til (2012-12-15 18:02:27)

Offline
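
The sudoers change discussed in post #4, as an added example that is not part of the thread: a script that flags active rules granting `NOPASSWD: ALL` and prints the password-requiring replacement. The function names and the sample file are constructed for illustration; the demo works on a temporary copy and uses `visudo -cf` only to syntax-check the candidate.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit sudoers files for blanket
# NOPASSWD rules like the one quoted above, and emit the stricter form.
# Limitation: rules continued across lines with a trailing "\" are not joined.

# find_blanket_nopasswd FILE...  -> prints "file:line:rule" per offending rule
find_blanket_nopasswd() {
    awk '
        /^[ \t]*#/        { next }   # comments and #include directives
        /^[ \t]*Defaults/ { next }   # settings, not privilege rules
        /NOPASSWD:[ \t]*ALL[ \t]*$/ || /NOPASSWD:[ \t]*ALL[ \t]*,/ {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# require_password FILE  -> prints FILE with NOPASSWD: removed from active rules
require_password() {
    sed -E '/^[[:space:]]*#/!s/NOPASSWD:[[:space:]]*//g' "$1"
}

# Demo on a constructed copy; nothing under /etc is read or written.
demo() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' '# constructed sample of /etc/sudoers.d/g_wheel' \
                  '%wheel  ALL=(ALL) NOPASSWD: ALL' > "$dir/g_wheel"
    echo "Blanket NOPASSWD rules:"
    find_blanket_nopasswd "$dir/g_wheel"
    require_password "$dir/g_wheel" > "$dir/g_wheel.new"
    echo "Proposed replacement:"
    cat "$dir/g_wheel.new"
    # Syntax-check the candidate before it ever replaces the live file.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dir/g_wheel.new" || echo "visudo rejected the candidate"
    fi
    rm -rf "$dir"
}
demo
```

A rule limited to named commands, such as `NOPASSWD: /usr/bin/pacman -Syu`, is deliberately not flagged by `find_blanket_nopasswd`, although `require_password` strips the tag from it as well.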

#5 2012-12-15 18:18:58

oliver
Administrator
Registered: 2010-11-04
Posts: 2,209

Re: Question about sudo and about grub

I can't say I'm a big fan of sudo as a security measure.  It would be much worse for me to lose my home dir than to have to reinstall the o/s, and I don't need sudo to mess that up.  I consider it more as a convenience saving me from typing the root password every so often.

Offline

#6 2012-12-15 18:47:36

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

From memory PC-BSD (probably FreeBSD too as PC-BSD is just a desktop friendlier version) don't use sudo at all, due to the inherent security risks.

I'll quite happily use sudo when it is available, as far as my data is concerned I keep it backed up (multiple times) & if I have to re-install, so be it, though touch wood, so far so good on that front re. security anyway.

I really should get myself organised to use Clonezilla every so often. I have IDE drives suitable for the job but no adapter(s) to use the IDE drives on SATA machines. I tried to get the guys in town to supply but their suppliers don't do that stuff. (I try to avoid buying on the web where possible.)

Last edited by handy (2012-12-15 18:48:51)

Offline

#7 2012-12-16 02:33:54

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,920

Re: Question about sudo and about grub

@handy then it's time to build a NAS box, possibly an old PC: put in IDE drives, hook it up to your network, job done.


Comments, suggestions please feel free to contact me mrgreen(at)archbang(dot)org

Offline

#8 2012-12-16 05:36:22

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

I ran FreeNAS for quite some time, but the machine I ran it on was way too powerful & therefore environmentally unfriendly. So I bought a ReadyNAS Duo v1. which I use to carry duplicates of data from my computers. I also have data backed up across computers & if it is critical it is backed up off of computers too.

I really just need 1 or 2 SATA to IDE drive adapters so I can connect the drives to my more modern computers & do whatever with them.

Offline

#9 2012-12-16 05:51:14

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,920

Re: Question about sudo and about grub

Other than that an external drive via usb, which is of course much slower...


Comments, suggestions please feel free to contact me mrgreen(at)archbang(dot)org

Offline

#10 2012-12-16 20:00:22

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Re: Question about sudo and about grub

@ #4

Thanks rob.til. I edited it.

Offline

#11 2012-12-17 00:04:56

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

@rrcyance: That info' is also in the Arch wiki link previously posted. ;)

Offline

#12 2012-12-17 01:22:24

ArchVortex
Retired
From: Ts’elxweyeqw, Canada
Registered: 2011-04-01
Posts: 1,465

Re: Question about sudo and about grub

What is sudo? Isn't that training wheels for the Linux CLI? :D

As for ArchBang/Arch disappearing/getting ignored in the grub menu when using other Linux installed to the MBR, I'm not sure why and I'm too lazy to find out. If you use os-prober with another Linux it may miss ArchBang as well. I found that mounting the ArchBang partition before running update-grub or grub-mkconfig -o /boot/grub/grub.cfg with another Linux will allow the AB partition to be found and added to the grub menu.


You have the capacity to learn from mistakes. You'll learn a lot today.
FP:E5F8 7DBA 8128 9ACB 75F7 7279 BE34 AB66 76D9 16DE
KEY ID:76D916DE
Currently running ArchBang / LFS / OpenSUSE Tumbleweed

Offline

#13 2012-12-17 01:56:43

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

ArchVortex wrote:

What is sudo? Isn't that training wheels for the Linux CLI? :D

8< 8< 8< 8< 8< snip ---

What is ArchBang? Isn't that training wheels for the Arch Linux? ;)

Offline

#14 2012-12-17 12:38:58

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

I can't say I'm a big fan of sudo as a security measure.

If sudo never asks for password it's nearly as bad as working as root/admin all the time

It would be much worse for me to lose my home dir than to have to reinstall the o/s, and I don't need sudo to mess that up.

If you've wrecked your system, it's your fault - either done as root or with the help of sudo
To kill your home dir, you don't need either one ;)


After removing NOPASSWD from /etc/sudoers.d/g_wheel I also had to remove sudo in /etc/oblogout.conf

shutdown = systemctl poweroff
restart = systemctl reboot

to poweroff/reboot

Offline

#15 2012-12-17 12:56:22

oliver
Administrator
Registered: 2010-11-04
Posts: 2,209

Re: Question about sudo and about grub

rob.til wrote:

If sudo never asks for password it's nearly as bad as working as root/admin all the time

If someone has access to my PC (which is not listening on any ports) I have bigger problems than worrying whether they can sudo with no password, so why add to the inconvenience?  I still have to prefix any command with 'sudo' which stops me from doing really dumb stuff

Offline

#16 2012-12-17 14:26:15

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

If someone has access to my PC (which is not listening on any ports)

Really bad excuse for a start... human errors are the most likely cause of failure.
Second are software/design errors exploited by malware with a little help from social engineering

I have bigger problems than worrying whether they can sudo with no password, so why add to the inconvenience?

Why? Because YOU(*) would notice any unauthorized use or it would fail gracefully.

YOU(*) Anyone, professionals, experienced and novice users.
I would call it 'best practice' developed by professionals to enlighten the experienced and guide the novices.

I still have to prefix any command with 'sudo' which stops me from doing really dumb stuff

Nothing stops you from doing stupid things

Last edited by rob.til (2012-12-17 14:38:53)

Offline

#17 2012-12-17 14:44:19

oliver
Administrator
Registered: 2010-11-04
Posts: 2,209

Re: Question about sudo and about grub

rob.til wrote:

Second are software/design errors exploited by malware with a little help from social engineering

sudo caches the password for x minutes by default. All malware has to do is test every 119 or 179 seconds whether it can run without a password and you're compromised. If you're that paranoid, just don't use sudo.

What do you think sudo is protecting you from?

Offline

#18 2012-12-17 15:03:28

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Re: Question about sudo and about grub

ArchVortex wrote:

What is sudo? Isn't that training wheels for the Linux CLI? :D

As for ArchBang/Arch disappearing/getting ignored in the grub menu when using other Linux installed to the MBR, I'm not sure why and I'm too lazy to find out. If you use os-prober with another Linux it may miss ArchBang as well. I found that mounting the ArchBang partition before running update-grub or grub-mkconfig -o /boot/grub/grub.cfg with another Linux will allow the AB partition to be found and added to the grub menu.

Thanks. That is easier than chrooting into my archbang partition and then updating grub as I did.

Last edited by rrcyance (2012-12-17 15:08:04)

Offline

#19 2012-12-17 15:06:57

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Re: Question about sudo and about grub

rob.til wrote:

I can't say I'm a big fan of sudo as a security measure.

If sudo never asks for password it's nearly as bad as working as root/admin all the time

It would be much worse for me to lose my home dir than to have to reinstall the o/s, and I don't need sudo to mess that up.

If you've wrecked your system, it's your fault - either done as root or with the help of sudo
To kill your home dir, you don't need either one ;)


After removing NOPASSWD from /etc/sudoers.d/g_wheel I also had to remove sudo in /etc/oblogout.conf

shutdown = systemctl poweroff
restart = systemctl reboot

to poweroff/reboot

Ah Thanks. I have been using the terminal to shutdown/

Offline

#20 2012-12-17 15:20:34

rrcyance
Member
Registered: 2012-12-09
Posts: 6

Re: Question about sudo and about grub

oliver wrote:
rob.til wrote:

Second are software/design errors exploited by malware with a little help from social engineering

sudo caches the password for x minutes by default. All malware has to do is test every 119 or 179 seconds whether it can run without a password and you're compromised. If you're that paranoid, just don't use sudo.

What do you think sudo is protecting you from?

So then if I'm really paranoid (and I do tend to be) I should just use su?

Offline

#21 2012-12-17 15:33:59

oliver
Administrator
Registered: 2010-11-04
Posts: 2,209

Re: Question about sudo and about grub

rrcyance wrote:

So then if I'm really paranoid (and I do tend to be) I should just use su?


I can't say I know for sure.

Personally, I can see the benefit of sudo in a true multi-user system where you don't want to share the root password but for a single-user system I'm yet to be convinced it's anything more than a convenience tool.

Whether no sudo is safer than a properly configured sudoers file with the root account locked is debatable.

If you're referring to the standard configs, then no sudo is safer (but then again, a twelve digit password is safer than an eleven digit one but that doesn't mean your eleven digit one is *insecure*)

Also, don't think I'm a security expert, these are just the ramblings of a regular user - I don't claim any special knowledge.

What I do know is any time you increase security, there is a trade-off in convenience.

Offline

#22 2012-12-17 15:43:00

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

sudo caches the password for x minutes by default. All malware has to do is test every 119 or 179 seconds whether it can run without a password and you're compromised.

That would produce a lot of failed sudo log entries which could be noticed either in real time or after the fact
- at least, you can verify an intrusion instead of having only valid entries for sudo usage.

... just the ramblings of a 'regular user' - I don't claim any special knowledge.

Offline

#23 2012-12-17 17:14:22

handy
Member
Registered: 2011-11-03
Posts: 505

Re: Question about sudo and about grub

From the FreeBSD forum by phoenix a mod over there:

The big difference between 'login as root', 'su to root', 'sudo -s to root', and 'sudo specific commands only' is logging.

A straight login as root puts one entry in the auth.log. Nothing you do after that is logged.

A su to root also adds a single entry to the auth.log. Nothing you do after that is logged.

'sudo -s' is no better than 'su -' other than the log entry is more verbose.

However, if you disable root logins via the network, disable the use of su, and limit sudo access to only those commands specific users need, then you get a very nice audit trail. Every invocation of sudo logs the date/time, user calling sudo, command, and user command ran as.

Properly configured and used, sudo is a great security tool following the principle of least privilege.

And the fewer people who know the actual root password, the better. :)

Offline
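
The audit trail described in post #23, and the failed-attempt entries mentioned in post #22, as an added example that is not part of the thread: a script that extracts who ran what as whom from sudo's syslog lines and counts refused attempts per user. The log lines are constructed samples modelled on sudo's syslog format (exact message texts vary by sudo version), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): turn sudo's syslog entries into the
# audit trail described above. Log lines below are constructed samples.

sample_log() {
cat <<'EOF'
Dec 17 15:41:02 archbang sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pacman -Syu
Dec 17 15:41:02 archbang sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Dec 17 15:43:00 archbang sudo:    alice : a password is required ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/true
Dec 17 15:45:00 archbang sudo:    alice : a password is required ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/true
Dec 17 15:50:11 archbang sudo[812]:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# sudo_events FILE -> one line per sudo invocation:
#   time|user|ALLOWED or DENIED(reason)|run-as user|command
sudo_events() {
    awk '
        match($0, / sudo(\[[0-9]+\])?: +/) {
            when = $1 " " $2 " " $3
            rest = substr($0, RSTART + RLENGTH)
            if (split(rest, part, " : ") < 2) next      # PAM/session chatter
            user = part[1]
            c = index(rest, "COMMAND="); if (!c) next
            cmd = substr(rest, c + 8)
            runas = "?"
            n = split(rest, f, " ; ")
            for (i = 1; i <= n; i++) if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
            split(part[2], head, " ; ")
            verdict = (head[1] ~ /^TTY=/) ? "ALLOWED" : "DENIED(" head[1] ")"
            print when "|" user "|" verdict "|" runas "|" cmd
        }
    ' "$1"
}

# denied_by_user FILE -> "count user", users with the most refused attempts first
denied_by_user() {
    sudo_events "$1" | awk -F'|' '$3 ~ /^DENIED/ { n[$2]++ }
        END { for (u in n) print n[u], u }' | sort -rn
}

log=$(mktemp); sample_log > "$log"
sudo_events "$log"
denied_by_user "$log"
rm -f "$log"
```

Repeated refusals with no terminal attached, as in the two constructed `TTY=unknown` entries, are the kind of pattern this summary is meant to surface for review.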

#24 2012-12-17 17:58:48

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

But log files might be tampered with, you might argue... Not with systemd/journalctl (hopefully) any more.

What I've really wanted to show is 'best practice' whether it be at home or at work -
a consistent usage/behavior across your digital systems for professionals and novices alike.

Not sudo is the problem but 'ALL=(ALL) ALL' giving users unlimited access to everything.
This is a shortcut for home usage but a no go for corporate environments
- but still allows for a consistent usage - demanding a password, adding a log entry

95% of sudo usage I'm doing is 'pacman -S..' followed by 'packer -S..' - at times, I do an 'edit /etc/...'

Having a (sudo) tool for merging/deleting .pacnew and some dedicated executables
would cover 98% of system maintenance - the rest could be done as root.

Offline

#25 2012-12-18 00:20:42

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,920

Re: Question about sudo and about grub

Personally I would like to see ArchBang use a password live, but as it creates more problems than it solves, it may never happen. Once you install ArchBang sudo again does not require a password. Then it's left down to the user to either remove this ability or add commands they wish to run without a password.


Comments, suggestions please feel free to contact me mrgreen(at)archbang(dot)org

Offline

#26 2012-12-20 12:41:29

rob.til
Member
Registered: 2011-02-12
Posts: 41

Re: Question about sudo and about grub

Personally I would like to see ArchBang use a password live, but as it creates more problems than it solves

I've seen other live systems requiring a password for administrative usage
- but hiding the password somewhere in the docs. If you've physical access to a machine,
it doesn't make sense to hide passwords on live systems.

Just make sure the password is shown in several places,
eg no auto login with the user/password shown in the welcome screen
and adding the password to the list shown by conky.

Benefits are an educational and a consistent usage/behavior for live / installed systems.

Last edited by rob.til (2012-12-20 12:43:14)

Offline
