
Re: [tlug] Root - NO KDE
Jonathan Byrne wrote:
> Josh Glover (jmglov@example.com) wrote:
>
>
>>I did not claim it was a magic bullet.
>
>
> You didn't, but James may be unaware of its downside; people
> who don't know there's anything wrong with sudo may view it
> as a magic bullet.
Ah, you are right. That is a danger.
>> is a better tool than su - for administration of a box so that you do
>>not inadvertently (or intentionally) have root shells hanging around.
>
>
> I find su to be far more effective, and I'd be surprised indeed to
> find that most sysadmins (including you) don't use it regularly.
In my circle of sysadmins, sudo is pretty popular. Of course, most of
them are BSD-heads. That may make a difference, since sudo is, AFAIK, a
tool from BSD roots.
>>And James is correct about the utility of sudo to provide non-root users
>>the ability to do limited things as root, as necessary.
>
>
> That's a good place to stop and think about what he's allowing
> those users to do. To make an (admittedly broad) generalization,
> things that require you to be root in order to do them are
> usually like that for a reason, not because somebody felt like
> adding extra steps to a process.
True. However, there are situations, as you admit below, where you want
to allow a user to do something *very* specific with a command, such as
mounting and unmounting only the CDROM drive. Here, I would say that
sudo is a better choice than having a suid mount or a suid wrapper to
mount. YMMV, of course.
>>There are *no* magic bullets, Jonathon, but I disagree with you about
>>avoiding sudo. Everything has a history of exploits. Should we stop
>>using Apache because of last week's fiasco?
>
>
> Apples and oranges, Jash.
You are probably right, Janathan (sic). ;)
> The things we should try to avoid are ones that *unnecessarily* add
> levels of risk [1].
Agreed.
> Before using sudo, an admin
> should ask "OK, do I really want this person to be able to do this
> at all? Why or why not?" If she considers it carefully and the
> answer is still "yes", then maybe there's no choice.
This is exactly the process that I follow when allowing users such access.
>>Should we stop using
>>Sendmail because of its less than optimal security history? (Yes! ;)
>
>
> No, we should stop using Sendmail because of its hideous .cf file ;-)
Agreed again! :)
> Better still, let's ask "Should you stop using Outlook/Express because
> of their security histories?" Again, I would say "yes," because those
> bad security histories are going on now. If today's Sendmail was the
> same as 1992's Sendmail, I would say "Yeah, *RUN* don't walk to your
> nearest FTP site for Exim or Postfix."
This is a great way of saying it: "because those bad security histories
are going on now." I need to start using that in my arguments with the
Director of IT about M$ products! ;)
I would argue, however, that this is *not* the situation with sudo.
>>I would argue that instead, we should be trying to find new exploits and
>>fixing them. I have read some of the sudo code, and it has survived the
>>OpenBSOD (sorry, couldn't resist) audit.
>
>
> Snort. Yeah, so did Apache :-))
True. But both Apache and OpenBSD have had great security histories. You
and I both know that "secure code" is a myth. The best you can do is
design with security in mind, audit, test, and patch quickly when
vulnerabilities are found (as they almost surely will be). Apache has
not had very many vulnerabilities over the years, and they move fast to
fix them when they are found. Hence my faith in Apache. Note that it is
not a *blind* faith, however. That is why God created Bugtraq and
vuln-dev! ;)
>>So that is my opinion. I am curious as to what elicited such a strong
>>statement from you? What do you not like about sudo, specifically?
>
>
> It gives (partial) root privs to people who maybe shouldn't have them,
> and it opens potential exploits that would not otherwise be there.
> It's the same reason we don't make binaries SUID root unless there's
> a pretty good reason why they need to be.
I agree. But your last phrase is why I do, in fact, use sudo for my
users. There's a pretty good reason why they need it.
And I use sudo myself for administration because I like to minimise the
amount of time that I am root. I do not like to have root shells hanging
out. I also like the command logging features of sudo.
> I do not, however, think my statement was as strong as you apparently
> took it to be.
That is possible.
> No stronger than your statement that sudo is good. I think it's bad,
> and will stand by that.
That is fair enough. I just wanted to hear your reasons, to see if I had
not considered something that I should have. You have good points, but
they are ones that I have considered, and I think that my usage of sudo
would meet even your criteria. So I stand by my sudo policies, as well.
> [1] Of course, we all (except maybe Chris ;-) have some skeletons in
> our software closets, but we should at least try to keep extra ones
> from getting in.
True dat. I try to burn the skeletons as I can, and keep the closet
doors locked to keep new ones out. ;)
--
Josh Glover <jmglov@example.com>
Associate Systems Administrator
INCOGEN, Inc.
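
The CD-ROM case discussed in the message above, written out as a sudoers fragment. This is an added example, not part of the original post; the group name cdusers, the paths /bin/mount, /bin/umount and /mnt/cdrom, the fstab entry and the log file location are all assumptions.

```sudoers
# Added example, not from the thread. Edit with visudo; check with `visudo -c`.
# Assumed names: group "cdusers", /bin/mount, /bin/umount, /mnt/cdrom,
# and an /etc/fstab entry for /mnt/cdrom so mount needs no device argument.

# Command logging: record each sudo invocation (user, tty, working
# directory, full command line) in a dedicated file.
Defaults logfile="/var/log/sudo.log"

# Too broad: a command listed with no arguments matches ANY arguments,
# so this would allow mounting or unmounting any device at any mount
# point with any options, not just the CD-ROM.
# %cdusers ALL = /bin/mount, /bin/umount

# Specific: when arguments are given in sudoers, the arguments typed by
# the user must match them exactly, so only these two command lines run.
Cmnd_Alias CDROM = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom
%cdusers ALL = CDROM
```

With this in place, `sudo mount /mnt/cdrom` is allowed for members of cdusers, while `sudo mount /dev/sda1 /mnt` is refused and the attempt is logged.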