[ale] SSH attempts

Lightner, Jeff JLightner at water.com
Fri Sep 16 14:21:32 EDT 2011


And of course you have to be careful with sudo.   It amazes me when people can’t see that granting access to something like “sudo vi” is a bad idea.   Any command that has a shell access sequence (e.g. “:/bin/bash” in vi) gives such users complete root access because the shell is started by the root user since the parent was.

________________________________
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Friday, September 16, 2011 1:56 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] SSH attempts


But if you lock the root account you're hosed in emergency run level 1.
Instead set securetty to only be local console and use sudo for all else.
On Sep 16, 2011 1:47 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> On Mon, 2011-09-12 at 17:40 -0400, Bob Toxen wrote:
>> Disabling root ssh and requiring one first to ssh in through another
>> account and su'ing or sudo'ing to root is not as effective as the
>> above solutions and may diminish security, in my opinion.
>
> Okay, so I can understand why that would be the case for giving accounts
> access to su (but if you're doing that, then you haven't locked the
> password for the root user anyway), but sudo is a totally different
> animal.
>
> What I do on all my systems these days is this:
>
> * I run "passwd -l root", so that root cannot login by any means
> (because its password is locked).
>
> * I create a group for full system administrators (that is, people
> that can run "sudo -i" or "sudo -s" to the root user account).
>
> * If the system has subadministrators, I configure sudo for that.
> For example, on a system that runs a phone system (say, FreeSWITCH),
> the phone system runs as a certain user. I'll create a group for
> people who are allowed to become that user, and then configure sudo
> to enable people to change their uid to that user so that they can
> administer the phone system. Same goes for a Web administrator or
> DBA. Such people would, therefore, not be allowed to become root
> (because they have no need to do so).
>
> * If there are people who have to run single commands as root, I will
> configure sudo to enable them to do so (as long as it's not a command
> that will spawn a subshell or something). All bets are off if it can
> spawn a subshell, of course, but as long as it is a well-behaved
> single-task program, it is usually fine.
>
> The sudo command can be used to create a very fine-grained system where
> people can only gain access to the privileges that they need in order to
> get their work done. It _can_ take a little bit to engineer an
> appropriate configuration, but once that's done, sudo takes care of the
> logging and all of that for you.
>
> There are even ways to make it possible to have fully functional system
> administrators that can do everything _except_ change the sudo
> configuration or certain items like system logs, though that is slightly
> outside of the scope of sudo itself.
>
> All that to say that proper use of sudo significantly enhances system
> security, not the opposite.
>
> --- Mike
>
> --
> A man who reasons deliberately, manages it better after studying Logic
> than he could before, if he is sincere about it and has common sense.
> --- Carveth Read, “Logic”
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

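Added example, not written by anyone in this thread: a small audit script that reads a sudoers file laid out the way Mike describes (a full-admin group, a group that may only become the service user, single-command grants) and flags the kind of rule Jeff warns about, an editor or pager run as root without NOEXEC. The sudoers text and the list of shell-capable commands are constructed for the demo and are assumptions, not an exhaustive catalogue.

```python
import re

# Commands that can spawn a subshell (":!/bin/bash" in vi) or launch an
# editor/pager themselves; granting one as root is effectively "ALL".
# Assumption: a short illustrative list, not an exhaustive catalogue.
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "emacs", "nano", "find"}
FULL_ROOT = {"ALL", "sh", "bash", "su"}

# Constructed sudoers text for the demo: Mike's group layout plus the
# "sudo vi" rule Jeff warns about and its sudoedit replacement.
SAMPLE_SUDOERS = """\
# full administrators: may run "sudo -i" / "sudo -s"
%sysadmin  ALL=(ALL) ALL
# phone-system admins may only become the freeswitch user
%voipadm   ALL=(freeswitch) ALL
# web admin: one well-behaved, single-task command
%webadm    ALL=(root) /usr/sbin/apachectl graceful
# BAD: an editor run as root hands over a root shell
%helpdesk  ALL=(root) /usr/bin/vi /etc/hosts
# better: sudoedit runs the editor as the calling user
%helpdesk2 ALL=(root) sudoedit /etc/hosts
"""

# user/group  host=(runas) command-list   (Defaults and alias lines are skipped)
RULE_RE = re.compile(r"^(\S+)\s+\S+=\s*(?:\(([^)]*)\))?\s*(.*)$")

def audit(sudoers_text):
    """Return (principal, runas, command, reason) for every risky rule."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        for spec in cmds.split(","):
            spec, tags = spec.strip(), set()
            while re.match(r"^[A-Z]+:", spec):          # e.g. NOEXEC:, NOPASSWD:
                tag, spec = spec.split(":", 1)
                tags.add(tag)
                spec = spec.strip()
            base = spec.split()[0].rsplit("/", 1)[-1] if spec else ""
            if base in FULL_ROOT and runas in ("root", "ALL"):
                findings.append((who, runas, spec, "full root"))
            elif base in SHELL_CAPABLE and "NOEXEC" not in tags:
                # NOEXEC stops vi from exec()ing a shell, but vi can still
                # write any file as root; sudoedit is the safer replacement.
                findings.append((who, runas, spec, "command can spawn a shell"))
    return findings
```

Running `audit(SAMPLE_SUDOERS)` reports the %sysadmin rule as full root (intended) and the %helpdesk vi rule as shell-capable, while the %voipadm, %webadm and sudoedit rules pass.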

