On 12/5/05, Rony Bill ronbillypop@yahoo.co.uk wrote:
My only query is that if root access is not allowed for security, still anyone can simply sudo and gain access. How is the system protected from outside? If anyone can hack into the user account, can he then sudo and play ball? How secure is this sudo?
A question.
Say someone cracks into my system by using a user's password. So now obviously, the cracker has the password that will be asked when he executes sudo something as that user. Doesn't he have full access to the system?
Mrugesh
An extension to my own question.
Say I have a single user Ubuntu system. Now it seems that I'll be able to do anything with sudo, without having to su (That's the point of sudo, isn't it? Not requiring the root password..). So how much does the concept of group membership and ACLs apply here?
For example, will I be able to run a game if I'm not in the games group? Or will I be able to use the sound device if I'm not in the audio group? Will I be able to manipulate a file or directory via sudo, even if the ACLs (minimal and/or extended) don't allow me to?
As you can see, I'm confused as to how sudo would apply to the entire system, rather than just one or two commands that I would specify in the sudoers file. I asked Sanket for his /etc/sudoers file once, when he was on Ubuntu 5.04 I think. It was empty. So am I to understand that this sudo thing is hardcoded into the Ubuntu system?
Mrugesh
Sometime on Tue, Dec 06, 2005 at 11:04:20AM +0530, Mrugesh Karnik said:
rather than just one or two commands that I would specify in the sudoers file. I asked Sanket for his /etc/sudoers file once, when he was on Ubuntu 5.04 I think. It was empty. So am I to understand that this sudo thing is hardcoded into the Ubuntu system?
Sudo cannot be hard coded, can it? Ubuntu does have this line in its sudoers file.
%admin ALL=(ALL) ALL
It says, all members of group admin are allowed to run sudo.
I really don't know why people bypass this and set password for root. There's "gksudo" available which can give access to admin utilities from GUI password prompt.
Anurag
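How the `%admin ALL=(ALL) ALL` rule quoted above is read (who, hosts, run-as user, commands), as an added example that is not part of the original thread; it goes slightly beyond the thread by also handling rules that name a single user or a restricted command list. The sample file contents and account names are constructed, and the parser is a simplification that ignores host matching, aliases, includes and negation.

```python
import re

# Constructed sample; only the %admin line is taken from the thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
backup  ALL=(root) /usr/bin/rsync, /bin/tar
"""

# Layout of a user rule:  who  hosts = (runas) commands
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_rules(text):
    """Return (who, hosts, runas, [commands]) for each plain user rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drops comments and #include lines
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if m:
            who, hosts, runas, cmds = m.groups()
            # Strip tags such as "NOPASSWD:" from the front of each command.
            cmd_list = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in cmds.split(",")]
            rules.append((who, hosts, runas or "root", cmd_list))
    return rules

def matches(who, user, groups):
    """A rule names a user, a %group, or ALL."""
    if who.startswith("%"):
        return who[1:] in groups
    return who in (user, "ALL")

def grants_full_root(text, user, groups):
    """True if some rule lets this account run any command as root."""
    for who, _hosts, runas, cmds in parse_rules(text):
        targets = {r.strip() for r in runas.split(":")[0].split(",")}
        if matches(who, user, groups) and "ALL" in cmds and targets & {"ALL", "root"}:
            return True
    return False

def allowed_commands(text, user, groups):
    """Commands the account may run through sudo, in file order."""
    return [c for who, _h, _r, cmds in parse_rules(text)
            if matches(who, user, groups) for c in cmds]
```
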
On Tuesday 06 December 2005 13:36, Anurag wrote:
Sudo cannot be hard coded, can it? Ubuntu does have this line in its sudoers file.
True... That is what I have been wondering.
%admin ALL=(ALL) ALL
It says, all members of group admin are allowed to run sudo.
That line was absent from Sanket's sudoers file. Probably that's why he needed to su all the time.
Hmmm. Another question.
Can one lock out the root account so as to not allow root logins and only use sudo? Will this work?
Mrugesh
On 12/6/05, Mrugesh Karnik mrugeshkarnik@gmail.com wrote:
%admin ALL=(ALL) ALL
It says, all members of group admin are allowed to run sudo.
That line was absent from Sanket's sudoers file. Probably that's why he needed to su all the time.
How do you remember so much about my sudoers file? :-s
I never had to su anytime. It was because I had moved on from Fedora to Ubuntu that I was not used to sudo and preferred to use su. But now I am, thanks to the bash auto completion feature. :D
--
Regards,
Sanket Medhi.
Mrugesh Karnik wrote:
Hmmm. Another question.
Can one lock out the root account so as to not allow root logins and only use sudo? Will this work?
How safe is this ;)
sudo rm -rf /
The point I am trying to understand is why are all the doors locked secure and a small window is kept open to simply walk in?
Regards,
Rony.
Will SELinux help? What is SELinux? Can anyone explain in simpleST terms, for a dummy. Even relating it to WWE or cartoons?
Simplest explanation anyone?
Because I tried to understand it in the SELinux FAQ, but it's too boring to read.
revant
(रेवंत) Revant Nandgaonkar wrote:
Will SELinux help? What is SELinux? Can anyone explain in simpleST terms, for a dummy. Even relating it to WWE or cartoons?
Simplest explanation anyone?
Because I tried to understand it in the SELinux FAQ, but it's too boring to read.
revant
Have you seen this web site? http://selinux.sourceforge.net/
Sometime on Tue, Dec 06, 2005 at 09:42:03PM +0530, Rony Bill said:
The point I am trying to understand is why are all the doors locked secure and a small window is kept open to simply walk in?
The point is to keep as many doors closed as possible. If someone's username is there in sudoers file, that means the administrator must have thought something about it.
/me remembers powering off a server over an ssh link while logged in as normal user "$ sudo poweroff" and that too when I wanted to power off my desktop :)
Anurag
Anurag wrote:
The point is to keep as many doors closed as possible. If someone's username is there in sudoers file, that means the administrator must have thought something about it.
So in a real life situation, the admin should create a user account for himself and add this to the sudo file. All other users have different accounts and none of them are included in the sudo file. Right? :) and for single desktop usage, two user accounts should be created, one privileged and one not. No root.
Regards,
Rony.
On 12/6/05, Rony Bill ronybill@gmail.com wrote:
So in a real life situation, the admin should create a user account for himself and add this to the sudo file.
No! The root account is created automatically when installing. In order that the root user does not have to log in as root for everything, a normal account is created with the username of your choice during the installation itself. Unless, when logged in as this user, you change the password for the root user, this user can use sudo without a password.
All other users have different accounts and none of them are included in the sudo file. Right? :) and for single desktop usage, two user accounts should be created, one privileged and one not. No root.
No again! Only one account needs to be created, irrespective of the privileges.
--
Regards,
Sanket Medhi.
On Tuesday 06 December 2005 16:25, Anurag wrote:
/me remembers powering off a server over an ssh link while logged in as normal user "$ sudo poweroff" and that too when I wanted to power off my desktop :)
Haha. So I am not alone :P Actually it has happened more than once with me especially because I have a "linuxbox" and a "linuxtop" :P
On 12/6/05, Mrugesh Karnik mrugeshkarnik@gmail.com wrote:
A question.
Say someone cracks into my system by using a user's password. So now obviously, the cracker has the password that will be asked when he executes sudo something as that user. Doesn't he have full access to the system?
Mrugesh
An extension to my own question.
Say I have a single user Ubuntu system. Now it seems that I'll be able to do anything with sudo, without having to su (That's the point of sudo, isn't it? Not requiring the root password..). So how much does the concept of group membership and ACLs apply here?
For example, will I be able to run a game if I'm not in the games group? Or will I be able to use the sound device if I'm not in the audio group? Will I be able to manipulate a file or directory via sudo, even if the ACLs (minimal and/or extended) don't allow me to?
As you can see, I'm confused as to how sudo would apply to the entire system, rather than just one or two commands that I would specify in the sudoers file. I asked Sanket for his /etc/sudoers file once, when he was on Ubuntu 5.04 I think. It was empty. So am I to understand that this sudo thing is hardcoded into the Ubuntu system?
The only answer to your question(s) is that in Ubuntu the user created during setup and the root user have to have different passwords. This is done by using passwd root just after a fresh installation. You will then be asked for the root password whenever you use sudo.
--
Regards,
Sanket Medhi.
On Tuesday 06 December 2005 14:06, Sanket Medhi wrote:
The only answer to your question(s) is that in Ubuntu the user created during setup and the root user have to have different passwords. This is done by using passwd root just after a fresh installation. You will then be asked for the root password whenever you use sudo.
--
Regards,
Sanket Medhi.
Quite frankly, that is NOT the answer I'm looking for. I'm talking about a 'normal' Ubuntu system where one doesn't have to su.
Mrugesh