[ale] bash commands

Wolf Halton wolf.halton at gmail.com
Mon May 21 08:05:30 EDT 2012


On Mon, May 21, 2012 at 7:29 AM, Matthew <simontek at gmail.com> wrote:

> Atm that is the environment I am in. Some machines I have the root
> password to, some I don't, some I have to ssh 127.0.0.1 as root. My
> PDE I have to wait a bit to get root access, for my job its ironic, I
> have to use my work computer to do it, vs my govt provided one.
>
> On 5/21/12, Jim Kinney <jim.kinney at gmail.com> wrote:
> > In a multi-admin server environment, selinux and auditd can fully track
> who
> > did what. Each admin logs in remotely and then can su to root, do their
> > work and log out. Even though they can use su - to fully change to the
> root
> > user with full environment, auditd tracks every command issued with both
> > effective ID and original ID. So root from Fred is different from root
> from
> > Sally.
> >
> > The addition of rootsh to the system as the only shell for root will
> > provide a full log of keyboard entry and return data. That log can be on
> a
> > remote machine.
> >
> > On Mon, May 21, 2012 at 3:01 AM, Brian Mathis <
> > brian.mathis+ale at betteradmin.com> wrote:
> >
> >> By "desktop" I mean a computer that sits on your desk either at home
> >> or work, as opposed to servers that run in a data center.  I think
> >> most people who don't see the difference between using 'su' vs 'sudo'
> >> think that way because they are only playing with Linux on their home
> >> desktop so it doesn't really matter.  However, in a server environment
> >> where you need to manage resources, it does.
> >>
> >> I don't think anyone is using "desktop" to refer to using a GUI
> >> instead of a shell prompt; at least that doesn't make sense in the
> >> context of this discussion.
> >>
> >>
> >> ❧ Brian Mathis
> >>
> >>
> >> On Mon, May 21, 2012 at 2:48 AM, Matthew <simontek at gmail.com> wrote:
> >> > I don't usually work in a desktop environment. Even though our project
> >> > is using kde, I still do everything from command line.
> >> >
> >> > On 5/21/12, Brian Mathis <brian.mathis+ale at betteradmin.com> wrote:
> >> >> There is an ENORMOUS difference between using "su" and "sudo -i", and
> >> >> it's big enough that any old codgers out there should learn this new
> >> >> trick:
> >> >>
> >> >>     To use 'su' you need the ROOT password.
> >> >>     To use 'sudo', you need YOUR password.
> >> >>
> >> >> In any environment outside of your personal desktop, this is a huge
> >> >> difference.  Securely distributing the root password to any number of
> >> >> sysadmins, keeping track of who has it, and changing it every time
> >> >> someone leaves (and redistributing the changed password) is a
> >> >> nightmare, and it also violates most accepted rules of good security
> >> >> (using shared passwords).
> >> >>
> >> >> If you grant root access through sudo, even if admins use 'sudo -i',
> >> >> you only need to manage the sudoers file and you can forget about the
> >> >> root password issue.  You still need to keep track of the root
> >> >> password, but now you can set it to some long random string and keep
> >> >> it locked in a safe somewhere.  You also get an audit trail of who's
> >> >> logging in and switching to root, even if you don't get a full audit
> >> >> of every command they run.
> >> >>
> >> >>
> >> >> ❧ Brian Mathis
> >> >>
> >> >>
> >> >> On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com> wrote:
> >> >>> Why not just log in as root and stomp around if you're going to use
> >> sudo
> >> >>> -i?
> >> >>>
> >> >>> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com> wrote:
> >> >>>> sudo -i is definitely bad practice, it completely negates the
> >> >>>> purpose
> >> of
> >> >>>> using sudo in the first place.
> >> >>>>
> >> >>>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland
> >> >>>> <brian at stanaland.org
> >> >
> >> >>>> wrote:
> >> >>>>> I use 'sudo su -' which gets you the complete root experience.
> >> >>>>>
> >> >>>>> -- Brian
> >> >>>>>
> >> >>>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <
> cluon at geeklabs.com>
> >> >>>>> wrote:
> >> >>>>>>
> >> >>>>>> On Sun, 20 May 2012, Jim Lynch wrote:
> >> >>>>>> > If that's current thinking, then it's changed.  I've been
> >> >>>>>> > administrating
> >> >>>>>> > Unix systems for about 25 years.  Sudo didn't exist and you
> >> needed to
> >> >>>>>> > su
> >> >>>>>> > in order to do admin tasks.  It was accepted and expected.  You
> >> >>>>>> > couldn't
> >> >>>>>> > install SunOS, HPUX, UNICOS or Irix without it.  I'm afraid
> this
> >> old
> >> >>>>>> > dog
> >> >>>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a
> regular
> >> >>>>>> > basis
> >> >>>>>> > when I don't have su enabled.
> >> >>>>>>
> >> >>>>>> I use sudo -s on my desktop when I need to do root things. Saves
> a
> >> lot
> >> >>>>>> of
> >> >>>>>> time and typing over "sudo foo" for every command. On a desktop,
> >> normal
> >> >>>>>> user system.. it seems to be the "right way". Be a user for user
> >> >>>>>> things,
> >> >>>>>> become almost root for doing admin stuff on my box.
> >> >>>>>>
> >> >>>>>> On a server.. there is only root for most sysadmin tasks. I've
> >> >>>>>> only
> >> >>>>>> been
> >> >>>>>> running Linux since 94.. but have also worked on DG Nova's, SCO
> >> unix,
> >> >>>>>> Slowlaris, etc.. but it seems to be the right way to admin a
> >> >>>>>> server.
> >> >>>>>> If you can't handle SSHing in/logging in as root..  you should
> not
> >> be.
> >> >>>> --
> >> >>>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
> >> >>> --
> >> >>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
> >> >>
> >> >> _______________________________________________
> >> >> Ale mailing list
> >> >> Ale at ale.org
> >> >> http://mail.ale.org/mailman/listinfo/ale
> >> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> >> http://mail.ale.org/mailman/listinfo
> >> >>
> >> >
> >> > --
> >> > Sent from my mobile device
> >> >
> >> > SimonTek
> >> > 912-398-6704
> >> >
> >> > _______________________________________________
> >> > Ale mailing list
> >> > Ale at ale.org
> >> > http://mail.ale.org/mailman/listinfo/ale
> >> > See JOBS, ANNOUNCE and SCHOOLS lists at
> >> > http://mail.ale.org/mailman/listinfo
> >>
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >>
> >
> >
> >
> > --
> > --
> > James P. Kinney III
> >
> > As long as the general population is passive, apathetic, diverted to
> > consumerism or hatred of the vulnerable, then the powerful can do as they
> > please, and those who survive will be left to contemplate the outcome.
> > - *2011 Noam Chomsky
> >
> > http://heretothereideas.blogspot.com/
> > *
> >
>
> --
> Sent from my mobile device
>
> SimonTek
> 912-398-6704
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>


Our general practice is to use sudo and do a few things under the timer.
There are install sessions that require changing to user env of 3 different
users, all essentially system users, to whose accts, I have the passwords,
but it is far quicker to sudo su - or sudo -i and then su - into the other
two accts from root, which requires no password to get into the accounts.
The system user passwords, and also the system root user passwords can then
be different from machine to machine, and my work is not slowed down while
I get the notebooks with all passwords to search for this or that machine
and user.
Those notebooks would be the holy skeleton keys for the entire network (and
a huge security vulnerability), but are in a safe buried under 20 feet of
concrete, as all any of the admins have to have is their own password to do
any of the admin tasks they are permitted to do on any of the machines.
Sudo can be very granular, allowing some but not all admin tasks.  This
isn't all that apparent for new users of Ubuntu (which has root login
disabled by default in the gui Runlevel 5 login screen (GDM)).

-Wolf

PS In the most recent Ubuntu release, the automated update-manager
behaviour is to allow updates and safe-upgrades without a password entry,
but you still need a password to run aptitude or the Ubuntu software center
application.

-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com
Open-Source Software in Libraries - http://FOSS4Lib.org
Advancing Libraries Together - http://LYRASIS.org
Apache Open Office Developer wolfhalton at apache.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20120521/09adc71a/attachment-0001.html 


More information about the Ale mailing list