blain3 n00b
Joined: 02 Dec 2012 Posts: 30 Location: Southern Pensylvania
|
Posted: Thu Jan 24, 2013 2:53 am Post subject: Need a way around sudo and su, is root really so bad? |
|
|
K before tearing me apart, I have been looking, and found tons of irrelevant and outdated information on this topic. I'm not a Linux genius, when I have time I'll delete and reinstall Gentoo but these are mostly projects to understand and learn with. I always have a stable install but I'm running into a problem with typing my root password every time I want to do just about anything it seems. File editing, bash scripting / programming (I'm learning), things like this among others require sudo, su and that junk so I'll end up using su in a few terminals and have them ready. How can I create a user that can edit files and change settings, mount drives, and so on. I do a lot of this kind of stuff, I learn from it. Now is there a way to enable a user to do most of this?, or should I just either a) add my user to root group b) work around the no root logins to desktop managers, or ?. Now I know plenty of kids I go to college with who don't use antivirus software past their Norton expiring and on top of that most don't bother using passwords. My root password is almost 20 letters. I'm also not working for a company, and using a laptop to boot. Is it really so bad to use root for someone like myself? If it's a "you might break things" argument, I don't mind, I'm used to it. _________________ #uname -s -m -i -p -v -o -n
Linux
x86_64
GenuineIntel
Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
#1 SMP PREEMPT Mon Nov 19 11:17:39 UTC 2012
GNU/Linux
xobtihs |
|
|
|
BillWho Veteran
Joined: 03 Mar 2012 Posts: 1600 Location: US
|
Posted: Thu Jan 24, 2013 3:04 am Post subject: |
|
|
blain3,
I get lazy sometimes so I un-commented this in sudoers
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
and added an alias alias sb='sudo bash' in .bashrc
I'm the only one that uses this laptop...so I'll live with the consequences if I do something wrong _________________ Good luck
Since installing gentoo, my life has become one long emerge |
|
|
|
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
|
Posted: Thu Jan 24, 2013 3:25 am Post subject: |
|
|
The purpose of account security in a multi-user system is to contain the damage a user might do to his own account.
What does this mean for a Linux system with one user? Well, if all your executables are owned by root, it means that anything malicious that might happen in your account (e.g. an attack through your web browser) happens only to your data files, not the programs you run -- this lessens the risk of a virus or worm, but still compromises your data.
Anyway, so what's wrong with keeping an su pseudo-terminal or root virtual console open for doing root's business? _________________ Personal overlay | Simple backup scheme |
|
|
|
Ottre Tux's lil' helper
Joined: 23 Dec 2012 Posts: 129
|
Posted: Thu Jan 24, 2013 5:56 am Post subject: Re: Need a way around sudo and su, is root really so bad? |
|
|
blain3 wrote: | [snip]
How can I create a user that can edit files and change settings, mount drives, and so on.
[snip]
|
There are text editors that can open a root terminal in the background, so you type your password once and then edit protected files without having to log in and out. Emacs does this with tramp-mode.
Mounting a drive is a privilege because the OS has no way of detecting the hardware read/write status of a device. You must pass the correct options to the mount command. And that makes it a task for the root user.
Whether or not everyone can access the drive (-o gid=100,dmask=007,fmask=117) is a different issue. |
|
|
|
Mad Merlin Veteran
Joined: 09 May 2005 Posts: 1155
|
Posted: Thu Jan 24, 2013 8:25 pm Post subject: Re: Need a way around sudo and su, is root really so bad? |
|
|
blain3 wrote: | File editing, bash scripting / programming (I'm learning), things like this among others require sudo, su and that junk so I'll end up using su in a few terminals and have them ready. How can I create a user that can edit files and change settings, mount drives, and so on. |
None of that requires root privileges, with the possible exception of editing system config files, which you probably don't do that often. It's likely that you've got tons of files in your home directory now owned by root because you've been using root all the time, let's fix that first:
Code: |
chown -R blain3:users /home/blain3
|
As for mounting drives, if they're not one-off mounts, you can put them in your /etc/fstab with user in the options list and then your regular user will be able to mount them. _________________ Game! - Where the stick is mightier than the sword! |
|
|
|
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
|
Posted: Thu Jan 24, 2013 9:21 pm Post subject: |
|
|
a simple mount should not be dangerous, or?
a new line in /etc/sudoers:
yourname ALL = (root) NOPASSWD: /usr/bin/mount |
|
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Thu Jan 24, 2013 11:47 pm Post subject: Re: Need a way around sudo and su, is root really so bad? |
|
|
No need to install sudo, PAM is sufficient to become root conveniently. |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Fri Jan 25, 2013 7:52 am Post subject: |
|
|
ulenrich wrote: | a simple mount should not be dangerous, or?
a new line in /etc/sudoers:
yourname ALL = (root) NOPASSWD: /usr/bin/mount |
Very bad idea: This opens your system to all sorts of exploits. Starting from simple "bind"ing of files/dirs up to loop mounting with offsets and all kinds of file systems; any bets, this is sufficient to install a rootkit. mount already is SUID root, and the safe operations are (or can be) allowed. If you really need it, only allow exactly those mount commands which you need. |
|
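Added example, not part of any post in this thread: a small audit that lists every command a sudoers file allows without a password and shows whether its arguments are pinned, which is the distinction drawn above between allowing /usr/bin/mount as a whole and allowing exactly the mount commands that are needed. The function names, the sample file, the cduser rules and the /mnt/cdrom mount point are constructed for illustration; aliases and line continuations are not expanded.

```sh
#!/bin/sh
# Added example: classify NOPASSWD entries in a sudoers file by how tightly
# the command line is pinned. In sudoers, a command listed without arguments
# may be run with ANY arguments; listing arguments restricts it to those.

# Constructed sample. The first two rules are the ones quoted in this thread;
# the cduser rules are made up for comparison (paths are assumptions).
sample_sudoers() {
  cat <<'EOF'
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
yourname ALL = (root) NOPASSWD: /usr/bin/mount
cduser ALL = (root) NOPASSWD: /usr/bin/mount /mnt/cdrom, /usr/bin/umount /mnt/cdrom
cduser ALL = (root) NOPASSWD: /sbin/shutdown -h now, PASSWD: /usr/bin/emerge
cduser ALL = (root) /usr/bin/eix-sync
EOF
}

# Print one line per passwordless command: VERDICT <tab> who <tab> command
#   ANY-COMMAND  everything is allowed
#   ANY-ARGS     one binary, but with arbitrary arguments
#   PINNED       exactly this command line
# Reads the files given as arguments, or stdin when there are none.
audit_nopasswd() {
  awk '
    # Skip comments, blank lines, Defaults and anything without a rule body.
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ || index($0, "=") == 0 { next }
    {
      who  = $1
      spec = substr($0, index($0, "=") + 1)
      gsub(/\\,/, "\034", spec)          # protect escaped commas in arguments
      n = split(spec, part, ",")
      nopass = 0                         # tags carry over to later commands
      for (i = 1; i <= n; i++) {
        cmd = part[i]
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        sub(/^\([^)]*\)[ \t]*/, "", cmd) # drop a leading (runas) list
        while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(cmd, 1, RLENGTH)
          sub(/:.*/, "", tag)
          if (tag == "NOPASSWD") nopass = 1
          if (tag == "PASSWD")   nopass = 0
          cmd = substr(cmd, RLENGTH + 1)
        }
        gsub("\034", ",", cmd)
        if (!nopass) continue
        if (cmd == "ALL")          verdict = "ANY-COMMAND"
        else if (cmd !~ /[ \t]/)   verdict = "ANY-ARGS"
        else                       verdict = "PINNED"
        printf "%s\t%s\t%s\n", verdict, who, cmd
      }
    }
  ' "$@"
}

# Stand-alone run over the constructed sample.
sample_sudoers | audit_nopasswd
```

Point it at a copy of a real file with audit_nopasswd /path/to/copy; anything not reported as PINNED is a rule where the password prompt was the only restriction.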
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Fri Jan 25, 2013 8:04 am Post subject: Re: Need a way around sudo and su, is root really so bad? |
|
|
PaulBredbury wrote: | No need to install sudo, PAM is sufficient to become root conveniently. |
"No need to write 7 symbols on a paper - a computer with a full-blown text setting system with an attached printer could do this for you as well".
Seriously, if you do not really absolutely need some advanced PAM features (and I cannot think of any reason on a normal desktop unless you have a special hardware device which you want to use for authentication), it is much more secure to not install it: No need to introduce an unnecessary complexity layer.
I would recommend the OP to install a user who is allowed ALL in sudoers. Then use either "sudo -s" or write wrapper scripts for the commands which you really frequently use (about 20 or so will likely be sufficient; no need to waste RAM in every shell with aliases).
I would also recommend to make sure in iptables that this user cannot access "outgoing" internet so that not by accident you start a browser or another internet connection with it.
For browsers etc, I would recommend similar sudo wrappers with a specially "untrusted" user with even more reduced permission (e.g. if you use hardened-sources there are very convenient ways to limit such users even from executing their own binaries). |
|
|
|
cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
|
Posted: Fri Jan 25, 2013 3:57 pm Post subject: |
|
|
Unless I'm running emerge to install software I tend not to need root - it might be
worth digging around to see which directories root (or bin) own that need to be
owned by the user. In my case it's just two directory trees, /home/XXX and
/home/projects and with these owned by my standard login (XXX) I seldom
need to switch to root. When I do I just use "su -", but there are a couple of
commands in /etc/sudoers, one to shut down the machine and one to mount and
unmount a CD.
Will
(Running as root is in fact risky, too risky for me, and I have a pretty complete
set of backups. I can't remember when I last blew stuff away unintentionally,
but I have wiped filesystems by mistake in the past. Run as an ordinary user,
and set your system up accordingly.) |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Fri Jan 25, 2013 5:01 pm Post subject: |
|
|
cwr wrote: | Unless I'm running emerge to install software I tend not to need root |
eix-sync, eix-update, emerge, etc-update, burning CDs, (re)starting certain init-scripts (e.g. net.* on a laptop), genlop, cleaning logfiles, editing config's, scripts for cleaning/comparing config's, gcc-config, eselect, some mount commands, scripts for compiling/installing the kernel ... I have a list of almost 40 commands which I need more or less regularly for administration but which would be dangerous to allow usage for all users without a password. Not to speak about certain cases when a file needs to be chown'ed to be shifted from an untrusted account to a trusted account (the converse is not necessary since trusted users can just become members of untrusted groups). |
|
|
|
wcg Guru
Joined: 06 Jan 2009 Posts: 588
|
Posted: Fri Jan 25, 2013 9:57 pm Post subject: |
|
|
A way around sudo and su is to switch virtual consoles (alt-F[digit])
[edit:] ctrl-alt-F[digit] if you are in an X session[/edit]
and simply login as root. Do not connect to the www or other
online resources from the root console (except maybe "emerge --rsync",
and I do not know that you actually need to be root to do that),
and remember to logout from that console before you leave the room,
so that someone else cannot sit down at your console and be logged
in as root.
I use these aliases in root's .bashrc (adjust if you use a different
login shell than bash):
Code: |
alias rm="rm --preserve-root"
alias chown="chown --no-dereference --preserve-root"
alias chgrp="chgrp --no-dereference"
alias chmod="chmod --preserve-root"
export rm chown chgrp chmod
|
(Helps mitigate the impact of distractions, lack of sleep, and symbolic link
virtual land mines.) _________________ TIA
Last edited by wcg on Sat Jan 26, 2013 5:35 am; edited 1 time in total |
|
|
|
blain3 n00b
Joined: 02 Dec 2012 Posts: 30 Location: Southern Pensylvania
|
Posted: Fri Jan 25, 2013 11:06 pm Post subject: |
|
|
Well, and sorry for taking so long to reply but school is taking a lot of time. As for editing config files yes I do a LOT of this. I'm the kid who broke all his toys open to see what's inside I guess, and I'll get distracted but yeah, I want to install a system that I'll actually not intentionally disfigure, and this is my new laptop with the SSD and I'm getting there, with the newer hardware it's a pain, networking, even worse considering my year and a half old laptop (10x slower) took me maybe a few hours to get a working xfce Gentoo install. So while I work on this crap I figured I would ask. I mean if someone actually got into my system? I'd just repartition it from my second OS, which is lately Arch. I'll definitely look into these suggestions, and I understand that running root isn't something new users should do as I went through that, and still do, I just didn't know how much of a risk it was, unseen variables I hadn't thought of? that kind of thing, and advice is always a good thing, and respected here above others. Thanks guys for the input. |
|
|
|
blain3 n00b
Joined: 02 Dec 2012 Posts: 30 Location: Southern Pensylvania
|
Posted: Sat Jan 26, 2013 7:35 am Post subject: |
|
|
Huh.. well I decided to use Pentoo's repo, which had in the past never let me past command on boot on this new laptop. Well I must say being stubborn has me pretty happy right now. Anyway by default with this I run everything as root. Honestly I'll not say or advise anyone else.. especially new to Linux or even Gentoo / Arch type distros but I just simply can't live without the freedom. Now when I finish college or if I do any type of corporate work, obviously I would never be so careless. Yet right now, with the desire to learn the system and programming this works for me. I am going to keep all suggestions in mind meanwhile though. Now I just need to back up my data I suppose and hope my SSD holds out for a few years or so. Thanks again guys, I think I'd rather just deal with anything negative from this, I'm using a hardened kernel, firewall, almost 20 character root pw so.. I'll back it all up on my 2nd HDD just in case. |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Sat Jan 26, 2013 10:25 am Post subject: |
|
|
blain3 wrote: | I'm using a hardened kernel, firewall, almost 20 character root pw so.. I'll back it all up on my 2nd HDD just in case. |
If you use a browser as root, all these things are completely superfluous - if you click a site which tries to attack your machine by any browser exploit, it will just install its rootkit without any difficulties. |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Sat Jan 26, 2013 10:30 am Post subject: |
|
|
wcg wrote: | Code: |
alias rm="rm --preserve-root"
alias chown="chown --no-dereference --preserve-root"
alias chgrp="chgrp --no-dereference"
alias chmod="chmod --preserve-root"
export rm chown chgrp chmod
|
| The -h switches I found convenient, too. However, I am not getting why you do the rest: --preserve-root is the default and thus superfluous, and exporting aliases has no effect unless you have a very strange setup. I recommend to use zsh instead of bash also as root, because it has some further sanity checks built in. (However, if you do this, make sure to use only config's for which you really understand the consequences so that you will not get tricked if e.g. you cd to /tmp and a user has setup there some /tmp/.git to trick e.g. a "convenient" prompt script). |
|
|
|
wcg Guru
Joined: 06 Jan 2009 Posts: 588
|
Posted: Sat Jan 26, 2013 3:40 pm Post subject: |
|
|
I use command line options explicitly that are the default
in aliases in case the default changes out from under me
after a package update. If an option like --preserve-root is
specified explicitly, it does not matter whether that is
the default or not. (It only matters that the way it actually
works matches the documentation.)
bash's export command is not needed with aliases for
the alias to have the same value in subshells of the
shell instance where the alias was assigned a value? |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Sat Jan 26, 2013 9:32 pm Post subject: |
|
|
wcg wrote: | bash's export command is not needed with aliases for
the alias to have the same value in subshells |
First of all, bash's export command exports variables (and since a few versions also functions if you use export -f; at least 4.2_p37 cannot yet export aliases, and I doubt that this will ever be implemented). So your "export" command actually only marks 4 variables (which probably are all unset in your case) as "to be exported".
Concerning the scope, it is the same as with shell-variables which are not exported: They are inherited by subshells, but if you modify them in the subshell the modifications are not "pulled back", of course. Of course, aliases are also not inherited by external programs (like scripts starting a new instance of bash or with sudo, but in scripts aliases are inactive by default anyway). |
|
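Added example, not part of any post in this thread: a set of probes that check the points made above against a real bash, namely that export marks a variable rather than the alias, that a newly started bash does not see the alias while a subshell does, and that aliases are not expanded in scripts by default. The function names and the hello alias are made up for the demonstration; it assumes bash is on the PATH.

```sh
#!/bin/sh
# Added example: probes for the alias/export behaviour described above.
# Every probe starts a fresh non-interactive bash, so nothing depends on
# (or changes) the shell this is run from. rm is never executed; the alias
# from the thread is only defined and looked up.

DEFINE='alias rm="rm --preserve-root"'

# "export rm" marks a shell VARIABLE named rm for export (it is unset here).
export_marks_variable() {
  bash -c "$DEFINE; export rm; export -p" | grep -Eq '^(declare -x|export) rm$'
}

# A separately started bash (what a script or sudo gets) has no such alias.
alias_reaches_new_bash() {
  bash -c "$DEFINE; export rm; bash -c 'alias rm'" >/dev/null 2>&1
}

# A subshell is a copy of the current shell, so the alias is there ...
alias_reaches_subshell() {
  bash -c "$DEFINE; ( alias rm )" >/dev/null 2>&1
}

# ... but removing it inside the subshell does not change the parent.
alias_survives_subshell_unalias() {
  bash -c "$DEFINE; ( unalias rm ); alias rm" >/dev/null 2>&1
}

# In a script, alias expansion is off unless expand_aliases is set.
# $1 is an optional first line for the script; stdout is what "hello" printed.
run_aliased_in_script() {
  bash -c "$1
alias hello='echo expanded'
hello" 2>/dev/null
}

# Stand-alone report.
for probe in export_marks_variable alias_reaches_new_bash \
             alias_reaches_subshell alias_survives_subshell_unalias; do
  if "$probe"; then echo "$probe: yes"; else echo "$probe: no"; fi
done
echo "script, default settings: '$(run_aliased_in_script '')'"
echo "script, expand_aliases:   '$(run_aliased_in_script 'shopt -s expand_aliases')'"
```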
|
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Sat Jan 26, 2013 10:25 pm Post subject: |
|
|
Your password is kind of irrelevant here. As pointed out above, now all the stuff you are running can destroy your system. Particularly with internet browsing, you have no defense. Iptables is completely bypassed in this case since you are the one initiating internet contact.
Running as root really is that bad. If you really don't care about local attacks, then just do as BillWho said and give yourself passwordless sudo. Another side effect is that most applications are not meant to run as root. Doing so can have unforeseen consequences, such as malfunctioning programs. There are also a large number of GLSAs that have exploits with the "privilege of the process", in other words you would give them root access.
You can't run Linux like Windows. These levels of security are in place for a very good reason: the system itself is resistant to attack. You are literally stripping away all that security for the sake of convenience. Iptables and Hardened sources will not protect you. PaX changes the memory addresses to prevent _applications_ from being used to attack you due to predictable memory locations. It does nothing to prevent applications from following instructions from the web to attack you or to carry out their programmed function to attack you. In short, it does not stop malicious code that directly implements its attack. Iptables also only filters internet traffic based on very simple logic: "if the user started this, it's okay, if not drop it" type of stuff. It does not check content at all.
A computer connected to the net can last about 10 minutes without virus protection. Without yours, how long do you think you will make it? _________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
|
|
|
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
|
|
|
|
blain3 n00b
Joined: 02 Dec 2012 Posts: 30 Location: Southern Pensylvania
|
Posted: Sun Jan 27, 2013 12:24 am Post subject: |
|
|
So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for Months now and have yet to have my email hacked (happened with win 7). Things like clamav, firewall, and *99% of the time* I'm using no scripting plugins, ad blocking plugins, foxyproxy, ghost, etc.. That, or I tend to use Links / Seamonkey and sometimes Opera. I mean as for viruses? Never had one that I know. No data that cannot be replaced is on my system normally, it's all on my external backup. I guess my argument is this: if I install Ubuntu > 11.10 I'm getting un-asked for spyware integrated into my system. Use Google Chrome? I'd cut my fingers off before I would give Google even more access than they already have on the general public. Now don't take this as me dismissing your arguments, because until now, no one has given me so much as a clear reason. Now for the sudo thing, really pita for me so if I add a user and say put him in the root group, would this be better? or say put him in groups needed to use emerge, edit sys files, save over config files in Geany.. I have no SSH setup, or RDesktop, for that matter. If I do add a user with slightly escalated priv's to possibly use vmware to create a bridge network or some such to hide my main computer, at least while at home? |
|
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Sun Jan 27, 2013 1:00 am Post subject: |
|
|
mv, PAM is enabled by default in Gentoo. That's how dangerous the devs think it is
blain3, just set up PAM or sudo so that typing in a one-character command switches you to root. It's really that simple. Please note that these threads about "I wanna be root all of the time" are always by beginners. I switch between my normal user and root often, and don't need to ludicrously compromise security to do it. In fact, I run AppArmor too, to protect Internet-facing apps such as firefox, evolution, webserver, skype, instant-messaging, chrony.
We don't want your PC to be vulnerable, because we don't want to receive viagra spam emails from it when it gets taken over by a Chinese botnet, thanks
I'd also recommend reading this. |
|
|
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Sun Jan 27, 2013 3:50 am Post subject: |
|
|
<rant> The basic point here is you can't hide your browser from the net. You use the net and therefore request all those pop ups and spyware. It does not matter how heavily you guard your system. Quite frankly, hardened Gentoo and iptables guard against the TV form of hacking, ie freckled teenage computer genius who breaks into your system remotely. By simply restricting your SSH daemon you can dramatically reduce this risk. Of course, by "restrict" I really mean "use correctly", ie disallow root logins and use public key authentication whenever possible. This type of attack is really not a threat to a normal desktop.
Quote: | So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for Months now and have yet to have my email hacked (happened with win 7). |
You don't necessarily know if you have been compromised. A good fraction of malware is not meant to reveal itself.
Quote: | I'm using no scripting plugins, ad blocking plugins, foxyproxy, ghost, etc.. |
Good, but foxyproxy has nothing to do with malware. It simply redirects your internet. Ad blockers are also nice for eliminating the p0rn pop ups, but again they don't necessarily stop malware. If by no scripting plugins you mean disabled flash support, javascript then that is a step in the right direction but is again absolutely no guarantee. The site itself can be a threat.
Quote: | I mean as for viruses? Never had one that I know. |
They exist for Linux. The easiest way to remain blissfully ignorant of this is not to use root for everyday use.
Quote: | No data that cannot be replaced is on my system normally, it's all on my external backup. |
This is actually bigger than just you. If your box is compromised it can affect hundreds of people. Not all attacks are about vandalism. I would actually say those are the minority. See Jaglover's post.
Quote: | Use Google Chrome? |
Chrome, maybe. Chromium is open source, so it gets vetted. Either way, it's safer than running as root. Let's face it. No one really cares about you. All they want is your credit card number.
Quote: | Now for the sudo thing, really pita for me so if I add a user and say put him in the root group, would this be better? |
Making a second root user? Not really.
Basically, using root breaks the security model. I would assume that was a reason for choosing Linux. If you just want to play with config files as root, then add this one liner to your sudoers file:
Code: |
%wheel ALL=(ALL) NOPASSWD: /usr/bin/vim
|
and then add this to your .bashrc
Code: |
alias vim="sudo vim"
|
or similar. That way you can do everything you want to as root without being bothered but without breaking the security model.
Alternatively, let me offer you this piece of advice: if you are running everything as root you may as well disable your firewall and switch back to gentoo-sources. You have already negated the entire security system. Basically you are trying to use a screw driver as a hammer. It may work for a while, but it is not the right tool for the job. Besides allowing for ill-placed keystrokes to do damage, your entire system is open to the net and/or to buggy applications.
To sum up: you should not run as root because doing so negates the security design of the system. It's akin to using Windows without installing virus software.<\rant>
EDIT: Link to information about linux malware. Note one of the greatest strengths is the lack of root access.
EDIT2: Think of the root account as a chest that contains all the good stuff and the root password as the key. If you leave it open all the time the key is irrelevant. Having that 20 character key is a complete waste. The chest is never locked. |
|
|
|
wcg Guru
Joined: 06 Jan 2009 Posts: 588
|
Posted: Sun Jan 27, 2013 6:46 am Post subject: |
|
|
Quote: | at least 4.2_p37 cannot yet export aliases, |
Thanks for the insight into bash's export command, aliases,
and subshells. |
|
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
|
Posted: Sun Jan 27, 2013 7:40 am Post subject: |
|
|
The Doctor wrote: | Quote: | So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for Months now and have yet to have my email hacked (happened with win 7). |
You don't necessarily know if you have been compromised. A good fraction of malware is not meant to reveal itself. |
This is the main point: Most hackers want to have a bot net which they can use to send spam mails. If you are a victim of such an attack, the only thing you can realize (if you are not an expert and examine the harddisk carefully from a boot CD) is that you lose a few percent of computer time and a few percentage of your internet bandwidth (and only in some less frequent cases when your machine e.g. takes part in a child porn ring also some harddisk space); of course, all this is well hidden and cannot be seen with the compromised tools which the hackers most likely installed with their root kit.
Quote: | The site itself can be a threat. |
Note that even reliable organizations can have been hacked - it is not so rare as one might think. Usually, they repair their hacks when they realize it (after some hours/days) and if they are commercial, they usually do not want to make popular that they had been hacked. Recall that even organizations driven by Linux specialists (debian, kernel) and with (hopefully) careful security policy have been victims of such attacks. |
|
|
|
|
|
|
|