Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Need a way around sudo and su, is root really so bad?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Sun Jan 27, 2013 7:52 am    Post subject: Reply with quote

PaulBredbury wrote:
mv, PAM is enabled by default in Gentoo. That's how dangerous the devs think it is ;)

Yes, it is the first thing I change after a fresh installation. I think PAM is on by default, because LDAP is on by default: The defaults are obviously chosen for computers which are part of a big net in a company and where it is necessary to have a central user database. There is absolutely no reason to have LDAP login on a single-user ("isolated") desktop and thus no reason for PAM on such a machine.
(Unfortunately, there is one problem with it: With acroread one cannot edit documents for which this is allowed by acrobat, because acroread for some strange reason wants the ldap library in that module - if anybody has an idea how to avoid this, I would be very grateful)
Back to top
View user's profile Send private message
Hypnos
Advocate
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

PostPosted: Sun Jan 27, 2013 9:43 am    Post subject: Reply with quote

PAM is a way to authenticate users without having to setuid programs such that they can read /etc/shadow .

In practice, there are few programs which need to read /etc/shadow but aren't run as root or setuid anyway, such as screen lockers. xlock has a workaround for this, in which you store a password in a read-only file in your home directory for the sole purpose of screen locking.

The problem with acroread is the ldap dependency; I suppose things like this can happen to binary-only or poorly-written programs.

NOTE: Edited for precision 09:59 UTC
_________________
Personal overlay | Simple backup scheme
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Sun Jan 27, 2013 11:45 am    Post subject: Reply with quote

Hypnos wrote:
PAM is a way to authenticate users without having to setuid programs such that they can read /etc/shadow.

Already this makes your system in a way more vulnerable to brute-force attacks (although probably there are again PAM modules to limit this somewhat, I have not checked recently), but actually PAM is much more, of course, with all its plugins.
Quote:
The problem with acroread is the ldap dependency; I suppose things like this can happen to binary-only or poorly-written programs.

Yes, of course, but unfortunately there is no other program to annotate a PDF file under Linux. Or do you know some?
(Okular and AFAIK evince can make annotations, but these can only be viewed with Okular or Evince, respectively, and thus not e.g. be returned to a publisher who uses only acrobat).
Back to top
View user's profile Send private message
Hypnos
Advocate
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

PostPosted: Sun Jan 27, 2013 12:03 pm    Post subject: Reply with quote

mv wrote:
Already this makes your system in a way more vulnerable to brute-force attacks (although probably there are again PAM modules to limit this somewhat, I have not checked recently), but actually PAM is much more, of course, with all its plugins.

Why would brute-force attacks be more effective on a PAM system than a non-PAM system? Doesn't it just come down to password quality?

There is indeed a way using PAM to blunt brute-force attacks. (EDIT: It's in Portage already as sys-auth/pam_abl)

Quote:
Yes, of course, but unfortunately there is no other program to annotate a PDF file under Linux. Or do you know some?

Sadly I do not, which is why I also have acroread installed.
_________________
Personal overlay | Simple backup scheme
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Sun Jan 27, 2013 12:31 pm    Post subject: Reply with quote

Hypnos wrote:
Why would brute-force attacks be more effective on a PAM system than a non-PAM system?

Normal login has a severe time delay built in by default. For the PAM library this is not necessarily the case. Of course, it depends on which modules are active and how you configured it. If I understand your reply correctly, a delay is not active in Gentoo's default configuration (I did not install PAM for a long time).
My main point is: PAM is an additional layer and thus increases the possibility to overlook something (either by the user in configuration files, e.g. if I he did not think about the mere possibility of brute-force attacks, or also by the PAM program hidden somewhere in the code itself). So if you do not really need what it offers (e.g. I do not need any screenlocker functionality at home), better do not use it.
Back to top
View user's profile Send private message
Hypnos
Advocate
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

PostPosted: Sun Jan 27, 2013 12:54 pm    Post subject: Reply with quote

Indeed, you can introduce a delay in pam logins using the pam_fail_delay function, and there is a pam_delay module out there as well. I agree with your main point; there is always a balance to be struck between complexity and functionality.

Finally, let me add that x11-terms/tilda makes a nice root console for X11 -- just 'su -' in it and forget it.
_________________
Personal overlay | Simple backup scheme
Back to top
View user's profile Send private message
LoTeK
Apprentice
Apprentice


Joined: 26 Jul 2012
Posts: 270

PostPosted: Sun Jan 27, 2013 5:42 pm    Post subject: Reply with quote

I recently thought about adding a "web-user" with very limited privileges (no member of the wheel group, another group as my main user) and with no files in /home/webuser. So I would log in as normal user, start a shell, do su web-user and from this shell I'd start firefox. Would this be more secure or just more complicated?
As I started with linux as a "not-only-consumer" I had the same questions as the original poster, because it's so exhausting to type a 20 character password just to install a program. Although I never bothered reading about su/sudo, the sudo-way was always unappealing to me because one can do root things with the normal password. So since then after logging in as normal user I always start a shell with su (or I log in as root with <ctrl><alt><F2> in another session) and if I have to do "root-things" I do it in this shell. But I always had the feeling that this is also not a very good solution. Is this just a unjustified feeling? Or would it be better to overcome laziness and always log out the root shell and if its needed again to login again?

And for the computer hijacking thing: is there a way to have total control over your computer or is it way to complex even for an expert? I hate the feeling that very very much is going on when I'm starting my computer but I just see a wallpaper :)
How should I understand this network-thing, is it the case that as soon as you are connected to the web, then you'll be seen and automatically many programs try to get access to your system?
_________________
"I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"
Back to top
View user's profile Send private message
Hypnos
Advocate
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

PostPosted: Sun Jan 27, 2013 6:13 pm    Post subject: Reply with quote

If you want to thwart your adversaries you must understand the battlefield at least as well as they do. This means understanding computer architecture, or at least heeding the advice of those who do.

As to your questions:

1) Of course if you run network-facing application as a separate user whose account has no critical datafiles it provides a barrier against a compromise of more important things on your machine -- critical data, software. Whether it's worth the complication is up to you.

2) I don't see any problem leaving open a root shell in a terminal, whether a GUI pseudo-terminal or virtual console, as long as you have physical control over the machine.

3) As long your motherboard runs closed-source firmware you are not in complete control of your machine. (discussion)

4) It's a matter of luck whether or not malicious agents will attack the open ports you expose to the Internet. Usually they attack known ports like ssh 22 or www 80 on fixed IPs, imputing that servers listening on those ports are valuable.
_________________
Personal overlay | Simple backup scheme
Back to top
View user's profile Send private message
LoTeK
Apprentice
Apprentice


Joined: 26 Jul 2012
Posts: 270

PostPosted: Sun Jan 27, 2013 6:32 pm    Post subject: Reply with quote

Quote:
If you want to thwart your adversaries you must understand the battlefield at least as well as they do. This means understanding computer architecture, or at least heeding the advice of those who do.

very true, but unfortunately there is probably always someone that understands more :)

Quote:
1) Of course if you run network-facing application as a separate user whose account has no critical datafiles it provides a barrier against a compromise of more important things on your machine -- critical data, software. Whether it's worth the complication is up to you.

Then I'll do it because its not much more complicated.

Quote:
3) As long your motherboard runs closed-source firmware you are not in complete control of your machine. (discussion)

I also thought about that (I don't have read the whole discussion yet), therefore I've always recommended the lemote yeelong laptop, when somebody asks what are good laptops, which has open hardware/firmware but unfortunately it's too less powerful.

Quote:
4) It's a matter of luck whether or not malicious agents will attack the open ports you expose to the Internet. Usually they attack known ports like ssh 22 or www 80 on fixed IPs, imputing that servers listening on those ports are valuable.


so obviously one has to close as many ports as possible, and therefore it will be a fight between "total security - no connection at all" and "no security - all ports open"
_________________
"I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"


Last edited by LoTeK on Sun Jan 27, 2013 6:40 pm; edited 1 time in total
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Sun Jan 27, 2013 6:35 pm    Post subject: Reply with quote

LoTeK wrote:
I recently thought about adding a "web-user" with very limited privileges (no member of the wheel group, another group as my main user) and with no files in /home/webuser. So I would log in as normal user, start a shell, do su web-user and from this shell I'd start firefox. Would this be more secure or just more complicated?

This is what I do. This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.
For exchanging files (e.g. for download/upload), it makes sense to give this user umask 007 and make your normal user a member of that user's group (but not vice versa, of course).
Be aware that you have to pass Xauthority data to that user, since otherwise he cannot start firefox. Of course, this means that he will also be able to do keylogging and perhaps also send keys to other windows, so you must be aware of that (however, "unprivileged permissions" turned out to be too restrictive for "normal" working with firefox).
Quote:
the sudo-way was always unappealing to me because one can do root things with the normal password.

sudo can do everything which su can, just more: It is up to you whether you configure sudo to use the user's password or the destination's user's (i.e. normally root) password.
You can also configure it to use no password at all: If you access the net only with a separate user, this is perhaps reasonable (although there is the danger mentioned below).
Quote:
So since then after logging in as normal user I always start a shell with su (or I log in as root with <ctrl><alt><F2> in another session) and if I have to do "root-things" I do it in this shell. But I always had the feeling that this is also not a very good solution. Is this just a unjustified feeling?

In a separate linux console, it is not a problem at all. Within an X session in which you start e.g. also firefox with the unprivileged user, that user - once he has the Xautority data - can access your root console and e.g. emulate that you typed some keys there. Theoretically, he might also control the screen to some extend so that you cannot see this.
Quote:
And for the computer hijacking thing: is there a way to have total control over your computer or is it way to complex even for an expert?

With sane starting systems (not with crazy interacting daemons like systemd+*kit) it is not hard to have a very good control over your system. However, if a rootkit is installed already and thus programs do not do exactly what they are supposed to, you are lost without booting from a safe medium and comparing checksums or something similar.
For instance, if the netstat utility I mention below was replaced by a rootkit, it will certainly not display an installed troyan listening on some port.
Quote:
How should I understand this network-thing, is it the case that as soon as you are connected to the web, then you'll be seen and automatically many programs try to get access to your system?

You can be seen, but unless the kernel's network stack is buggy, your machine cannot be accessed. Only daemons listening on ports can be seen. You can run
Code:
netstat -tulpe
to see which daemons are listening: Everything listed there whose "Local Adress" does not start with "localhost:" is dangerous and should be either switched off completely or configured in such a way that it listens only to "localhost" (unless you really want that this service can be accessed from everywhere in the world). In order to avoid opening such a port by mistake you can configure iptables to block this, but iptables has a rather high learning curve. For the starters you can use some simple script like "firewall-mv" (from the mv overlay), but make sure to read and understand the configuration options, first. There are certainly also other iptables generators out there, but I have no experience with these.
Back to top
View user's profile Send private message
LoTeK
Apprentice
Apprentice


Joined: 26 Jul 2012
Posts: 270

PostPosted: Sun Jan 27, 2013 9:35 pm    Post subject: Reply with quote

Quote:
This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

I have a hardened kernel / hardened profile, do I have to install for example RSBAC to get this "untrusted" group? Why is it good that this user can only start programs from root owned directories? So they would be started in a "root-environment", or do I oversee something?

Quote:
This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

Cool, thanks, I didn't know that. Maybe a stupid question, but why is "sudo" not used by everyone? (except for the uninformed).
_________________
"I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Sun Jan 27, 2013 11:05 pm    Post subject: Reply with quote

LoTeK wrote:
Quote:
This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

I have a hardened kernel / hardened profile, do I have to install for example RSBAC to get this "untrusted" group?

No: Security options -> grsecurity -> Customize configuration -> Executable Protections -> TPE. Actually, I realize now that all users except my "main" users are untrusted.
Quote:
Why is it good that this user can only start programs from root owned directories?

The user cannot start his own binaries (e.g. if he downloaded one from the net or compiled one) but only binaries installed by root. It is not too safe, but a measurement against some of the most common exploits of privilege escalation bugs.
Quote:
Maybe a stupid question, but why is "sudo" not used by everyone? (except for the uninformed).

I think, it is default for most distributions, meanwhile. However, it is not part of the classical unix toolchain but a relatively young tool (compared to the shadow system). Moreover, whether it is useful depends on the setup, of course: E.g. if you have PAM installed anyway, this might be a more reasonable solution for some applications. As mentioned earlier, perhaps most gentoo systems are servers or a part of a company network (or perhaps at least the devs guess so).
Back to top
View user's profile Send private message
blain3
n00b
n00b


Joined: 02 Dec 2012
Posts: 30
Location: Southern Pensylvania

PostPosted: Tue Jan 29, 2013 2:18 am    Post subject: Reply with quote

I must say, that searching on this topic off and on for a while now, I have never seen so much information piled into a single thread. For now, until i understand more of this i think i will just make a default user and use my root when im not connected to the internet as its easier for some things, or possibly just use su. I guess i can deal with typing out my password. Also i must say, i can find this answer all over, but never have i seen so many arguments, backed up and logicaly thought through and explained. Much more information that I had expected.
_________________
#uname -s -m -i -p -v -o -n
Linux
x86_64
GenuineIntel
Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
#1 SMP PREEMPT Mon Nov 19 11:17:39 UTC 2012
GNU/Linux
xobtihs
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum