Re: Tired of being asked for a password for "su"? Arch has the solution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 03/02/2010 08:40 PM, Ray Kohler wrote:
> On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin
> <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>>> What would worry me is things like JavaScript exploits and worms -
>>> things that you download and then run as yourself, whether
>>> intentionally or not. A password prompt will block malware like that,
>>> but with no password, you just go owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow members of the
>> wheel group to sudo w/o a password?
>>
>> Same answer - data prevails - set sudo to require a password? I have run servers
>> for more than a decade with sudo/wheel group access enabled w/o a password - no
>> problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared to su? Or
>> same answer, with no password, you just got owned in one step :p
> 
> Yes, same answer, you get owned. In fact, even with a password
> required, the "5 minute grace window" for sudo does you in - some bad
> guy just keeps trying to sudo, until you do it legitimately, thereby
> allowing it freely for 5 minutes, and then he's got root.
> 
> What I actually do, myself, is to not install sudo at all, and just
> use su. I also uncomment the pam line that requires wheel membership
> to su. In order to make su be a little more comfortable, I do this:
> 
> alias su='su -m'
> 
> sr ()
> {
>     /bin/su -m -c "$*"
> }
> 
> I only recommend doing away with sudo if you're the only person who
> has root on the machine. For multiple users needing such access,
> sudo's fine-grained controls are well worth it, and prevent you from
> having to hand out the root password every time it gets changed.
> 

Again, thank you Ray!

	Thankfully, all my boxes are one root user (me) boxes. So I guess I'm really
trying to save me from myself. I did uncomment the pam require wheel auth to
limit any possible su/sudo access to require members of the wheel group.

	Interesting discussion, I've learned a bit more.

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux