On 03/02/2010 08:40 PM, Ray Kohler wrote:
> On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin
> <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>>> What would worry me is things like JavaScript exploits and worms -
>>> things that you download and then run as yourself, whether
>>> intentionally or not. A password prompt will block malware like that,
>>> but with no password, you just go owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow members of the
>> wheel group to sudo w/o a password?
>>
>> Same answer - data prevails - set sudo to require a password? I have run servers
>> for more than a decade with sudo/wheel group access enabled w/o a password - no
>> problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared to su? Or
>> same answer, with no password, you just got owned in one step :p
>
> Yes, same answer, you get owned. In fact, even with a password
> required, the "5 minute grace window" for sudo does you in - some bad
> guy just keeps trying to sudo, until you do it legitimately, thereby
> allowing it freely for 5 minutes, and then he's got root.
>
> What I actually do, myself, is to not install sudo at all, and just
> use su. I also uncomment the pam line that requires wheel membership
> to su. In order to make su be a little more comfortable, I do this:
>
> alias su='su -m'
>
> sr ()
> {
>     /bin/su -m -c "$*"
> }
>
> I only recommend doing away with sudo if you're the only person who
> has root on the machine. For multiple users needing such access,
> sudo's fine-grained controls are well worth it, and prevent you from
> having to hand out the root password every time it gets changed.
>

Again, thank you Ray! Thankfully, all my boxes are one root user (me) boxes. So I guess I'm really trying to save me from myself.

I did uncomment the pam require wheel auth to limit any possible su/sudo access to require members of the wheel group. Interesting discussion, I've learned a bit more.

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
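The three settings this thread turns on (passwordless sudo for wheel, sudo's grace window, and the pam_wheel line for su) can be checked with a short script. This is an added example, not code from either poster; the function names and the sample file contents are constructed for illustration, and line continuations in sudoers are not handled.

```bash
#!/bin/bash
# Added example. File paths are arguments so the checks can be pointed at
# /etc/sudoers, /etc/sudoers.d/* and /etc/pam.d/su on a real host.

# Active (uncommented) sudoers rules carrying NOPASSWD; status 1 if none.
nopasswd_rules() {
    grep -E '^[[:space:]]*[^#[:space:]].*NOPASSWD[[:space:]]*:' "$1"
}

# Last active "Defaults ... timestamp_timeout=N" value in minutes, or
# "unset" when sudo's built-in grace window applies. 0 = always prompt.
grace_minutes() {
    local v
    v=$(sed -n -E 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# How pam_wheel gates su: "trust" (wheel gets root with no password),
# "required" (only wheel may su, password still asked), or "open".
su_wheel_mode() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"; then
        echo trust
    elif grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"; then
        echo required
    else
        echo open
    fi
}

# Constructed sample files, not taken from any real system.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sudoers.weak" <<'EOF'
Defaults env_reset
# Defaults timestamp_timeout=0
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$tmp/sudoers.strict" <<'EOF'
Defaults env_reset, timestamp_timeout=0
%wheel ALL=(ALL) ALL
EOF
cat > "$tmp/su.stock" <<'EOF'
auth  sufficient  pam_rootok.so
#auth required    pam_wheel.so use_uid
auth  required    pam_unix.so
EOF
sed 's/^#auth/auth/' "$tmp/su.stock" > "$tmp/su.wheel"

for f in "$tmp"/sudoers.*; do
    echo "$f: grace=$(grace_minutes "$f") nopasswd=[$(nopasswd_rules "$f")]"
done
for f in "$tmp"/su.*; do echo "$f: $(su_wheel_mode "$f")"; done
```

A `grace_minutes` result of `0` means sudo asks for the password on every invocation, which closes the window Ray describes; `unset` means the compiled-in default is in effect.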