Sudo bug

[Minbari]

Potential bypass of Runas user restrictions

 

[k.jacker]

Fix already landet in ports yesterday.
Anyway, security/sudo is a bug in itself, so not much of a change IMO.

 

[Minbari]

Fix already landet in ports yesterday.
Anyway, security/sudo is a bug in itself, so not much of a change IMO.

security/doas it's an alternative.

 

[k.jacker]

security/doas it's an alternative.

Yes, I know, thank you.
It's a very good alternative, I used it for some time.
Anyway, I have always been happy with su and don't need anything else.

 

[Crivens]

BTW: obligatory xkcd for this: https://xkcd.com/838/

 

[Deleted member 30996]

Anyway, I have always been happy with su and don't need anything else.

That's always been the way I do things and have never installed security/sudo or security/doas. If I have something that needs to be done as root I do it as root and feel comfortable and competent in doing so. I'm the only usr on my machina anyway.

I did have the "opportunity" to use sudo on TrueOS once. The whole concept seemed foreign and didn't make sense to me.

 

[Maxnix]

BTW: obligatory xkcd for this: https://xkcd.com/838/

Speaking about sudo and Christmas, this, even if legit, I think would put you under "naughty" anyway: https://xkcd.com/149/

 

[k.jacker]

That's always been the way I do things and have never installed security/sudo or security/doas. If I have something that needs to be done as root I do it as root and feel comfortable and competent in doing so. I'm the only usr on my machina anyway.

security/doas would be a very nice tool, if it would support the kernel module, that it is backed by in OpenBSD. As far as I understand, that should give it the ability to "remember" for a while, that you raised your priviliges, like security/sudo does. I actually never used doas in it's full functionality on OpenBSD, I just read about it. It's kernel module is missing in the FreeBSD port, or at least was missing, when I used it 1,5 years ago.

For convience, I made a little wrapper for su, to save me some typing, when I dropped doas. It makes it easier to execute single commands as root, without actually su-ing to root. So instead of su -m root -c 'some command' a simple su -c some command is enough Yeah, I have a light case of ' ' laziness

#!/bin/sh

# This su wrapper simplifies my 2 most common use cases.
# case 1) with -c and at least one more argument executes su -m root -c 'argument(s)'
# case 2) without arguments executes su -m
# case 3) any other combination of arguments is passed to su unchanged

if [ "$1" == "-c" ] && [ $# -ge 2 ]
    then
        # case 1
        shift
        sucommand="/usr/bin/su -m root -c '$@'"
        eval `echo $sucommand`
elif [ $# -eq 0 ]
    then
        # case 2
        /usr/bin/su -m
    else
        # case 3
        /usr/bin/su $@
fi

 

[Deleted member 30996]

I become root to mount a USB drive then invoke x11-fm/xfe from the same terminal to work with files. Editing files or running commands as needed and compiling ports are all done as root. I know both passwords anyway, am the only usr and Admin of my machines so su is all I've ever used. When I'm done I log out and run browsers and such from my usr account.

I had my root password entered twice in DandyOS before I noticed it wanted the usr password. I didn't know it installed sudo by default, once more and I'd have been locked out. What sense does that make if I already know the root password? Yet the user can gain root privileges with the user password.

I know it's not considered good practice to do things as root. Good practice was something I learned on my own mostly from making mistakes and carry over a lot of things I do differently from back then. I never edit /etc/fstab to mount my USB drives and that seems to be standard practice from a recent thread.

 

[funkygoby]

I agree. For me sudo never made sense as a more-secure-than-su.

I understand that you can use sudo to delegate specific admin tasks to simple users. What I do not get is why some people give all privileges without password to their user and then claim that it is safer.

The explanation I see is by using su, you might forget that you are logged as root after q while. Whereas with sudo, you will have to re-enter your password at some point.
Why not just color the prompt (red for root) ?

 

[Deleted member 30996]

If it was me there would be a different password for the sudo group than the root or user password.

What I do not get is why some people give all privileges without password to their user and then claim that it is safer.

It's not.

That's how I learned to use the first computer I touched. I had unlimited access to the company computer, printer, all their floppy disks and the weekend alone to learn to use it. The next logical step seemed to be accessing the data on their floppy disks. That's what you did in Shadowrun and all I knew about computers before then.

The worst thing I did is print off a love poem some girl wrote the guy who took my Weekend Houseparent job when I got promoted to Unit Manager and embarrass him with it. When they upgraded to a new one I set it up and had to show them how to boot it up.