7:52 a.m.
Hello,
I have a strange issue: my machine was updated via cron last noght. I rebooted this
morning and several attempts, including rebooting into the older kernel do not seem to
work in granting me sudo access.
~$ sudo dnf update
[sudo] password for maitra:
maitra is not in the sudoers file. This incident will be reported.
The password is correct because otherwise I would get the notificaiton that it is not so
so that is not the issue.
Short of reinstalling, how do I get around this? Note that I do not have root account, so
I am not sure about what to do.
Many thanks and best wishes,
Ranjan
--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt.
Please respond to the mailing list if appropriate. For those needing to send personal or
professional e-mail, please use appropriate addresses.
____________________________________________________________
FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop!
Check it out at http://www.inbox.com/earth
8:19 a.m.
On 02/09/2016 07:52 AM, Ranjan Maitra wrote:
Hello,
I have a strange issue: my machine was updated via cron last noght. I rebooted this
morning and several attempts, including rebooting into the older kernel do not seem to
work in granting me sudo access.
~$ sudo dnf update
[sudo] password for maitra:
maitra is not in the sudoers file. This incident will be reported.
The password is correct because otherwise I would get the notificaiton that it is not so
so that is not the issue.
Short of reinstalling, how do I get around this? Note that I do not have root account, so
I am not sure about what to do.
Many thanks and best wishes,
Ranjan
The error explains it:
maitra is not in the sudoers file. This incident will be reported.
run visudo
is "wheel" enabled for sudo and is maitra in the wheel group?
--
-- Steve
8:29 a.m.
On Tue, 9 Feb 2016 08:19:24 -0600 SternData <subscribed-lists(a)sterndata.com> wrote:
On 02/09/2016 07:52 AM, Ranjan Maitra wrote:
> Hello,
>
> I have a strange issue: my machine was updated via cron last noght. I rebooted this
morning and several attempts, including rebooting into the older kernel do not seem to
work in granting me sudo access.
>
> ~$ sudo dnf update
> [sudo] password for maitra:
> maitra is not in the sudoers file. This incident will be reported.
>
> The password is correct because otherwise I would get the notificaiton that it is
not so so that is not the issue.
>
> Short of reinstalling, how do I get around this? Note that I do not have root
account, so I am not sure about what to do.
>
> Many thanks and best wishes,
> Ranjan
>
The error explains it:
maitra is not in the sudoers file. This incident will be reported.
It does?
run visudo
is "wheel" enabled for sudo and is maitra in the wheel group?
But I seem to have lost sudo privileges after the update. How do I run visudo without
being a superuser? I do not appear to have access to /etc/sudoers as a result.
Ranjan
____________________________________________________________
FREE ONLINE PHOTOSHARING - Share your photos online with your friends and family!
Visit http://www.inbox.com/photosharing to find out more!
8:50 a.m.
On 02/09/2016 08:29 AM, Ranjan Maitra wrote:
On Tue, 9 Feb 2016 08:19:24 -0600 SternData
<subscribed-lists(a)sterndata.com> wrote:
> On 02/09/2016 07:52 AM, Ranjan Maitra wrote:
>> Hello,
>>
>> I have a strange issue: my machine was updated via cron last noght. I rebooted
this morning and several attempts, including rebooting into the older kernel do not seem
to work in granting me sudo access.
>>
>> ~$ sudo dnf update
>> [sudo] password for maitra:
>> maitra is not in the sudoers file. This incident will be reported.
>>
>> The password is correct because otherwise I would get the notificaiton that it is
not so so that is not the issue.
>>
>> Short of reinstalling, how do I get around this? Note that I do not have root
account, so I am not sure about what to do.
>>
>> Many thanks and best wishes,
>> Ranjan
>>
>
> The error explains it:
>
> maitra is not in the sudoers file. This incident will be reported.
It does?
> run visudo
>
> is "wheel" enabled for sudo and is maitra in the wheel group?
But I seem to have lost sudo privileges after the update. How do I run visudo without
being a superuser? I do not appear to have access to /etc/sudoers as a result.
Ranjan
You'll need to find that scrap of paper on which you wrote the password
for "root" and put away someplace safe. :-)
--
-- Steve
11:02 a.m.
To the OP of this thread:
Why not
boot a live CD or DVD
Once booted,
su - root
mkdir /fedora
mount /dev/sd ?? /fedora (?? are something like a0 or a1 ...etc ...
the name of your hard drive boot partition)
chroot /fedora
passwd root
now you can enter a new password.
HTH
11:09 a.m.
Thanks to all who replied! As a security feature, I chose not have a root account on the
machine (of course, I never expected my sudo access to disappear) and have not had it on
any of my machines ever since Fedora allowed that possiblity (circa
Fedora-low-teens-or-before).
The proposed solution below is what I was looking for.
Thank you!
Best wishes,
Ranjan
TOn Tue, 9 Feb 2016 10:02:31 -0700 jd1008 <jd1008(a)gmail.com> wrote:
To the OP of this thread:
Why not
boot a live CD or DVD
Once booted,
su - root
mkdir /fedora
mount /dev/sd ?? /fedora (?? are something like a0 or a1 ...etc ...
the name of your hard drive boot partition)
chroot /fedora
passwd root
now you can enter a new password.
HTH
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt.
Please respond to the mailing list if appropriate. For those needing to send personal or
professional e-mail, please use appropriate addresses.
____________________________________________________________
FREE ONLINE PHOTOSHARING - Share your photos online with your friends and family!
Visit http://www.inbox.com/photosharing to find out more!
11:13 a.m.
On 02/09/2016 09:09 AM, Ranjan Maitra wrote:
Thanks to all who replied! As a security feature, I chose not have a
root account on the machine (of course, I never expected my sudo access to disappear) and
have not had it on any of my machines ever since Fedora allowed that possiblity (circa
Fedora-low-teens-or-before).
...and now you know why that's a Bad Idea.
9:24 a.m.
On Tue, Feb 9, 2016 at 6:02 PM, jd1008 <jd1008(a)gmail.com> wrote:
To the OP of this thread:
Why not
boot a live CD or DVD
Once booted,
su - root
mkdir /fedora
mount /dev/sd ?? /fedora (?? are something like a0 or a1 ...etc ... the
name of your hard drive boot partition)
chroot /fedora
passwd root
root's presumably disabled on the OP's box so rather than change this
setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
"chroot /fedora" (or "systemd-nspawn -D /fedora") to create the
following line in "/etc/sudoers.d/maitra":
maitra ALL=(ALL) ALL
9:45 a.m.
On Wed, 10 Feb 2016 16:24:44 +0100 Tom H <tomh0665(a)gmail.com> wrote:
On Tue, Feb 9, 2016 at 6:02 PM, jd1008 <jd1008(a)gmail.com>
wrote:
>
> To the OP of this thread:
>
> Why not
>
> boot a live CD or DVD
>
> Once booted,
> su - root
>
> mkdir /fedora
> mount /dev/sd ?? /fedora (?? are something like a0 or a1 ...etc ... the
> name of your hard drive boot partition)
>
> chroot /fedora
>
> passwd root
root's presumably disabled on the OP's box so rather than change this
setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
"chroot /fedora" (or "systemd-nspawn -D /fedora") to create the
following line in "/etc/sudoers.d/maitra":
maitra ALL=(ALL) ALL
Thanks! This is exactly what I did.
Best wishes,
Ranjan
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt.
Please respond to the mailing list if appropriate. For those needing to send personal or
professional e-mail, please use appropriate addresses.
____________________________________________________________
FREE 3D MARINE AQUARIUM SCREENSAVER - Watch dolphins, sharks & orcas on your desktop!
Check it out at http://www.inbox.com/marineaquarium
1:28 p.m.
On Wed, Feb 10, 2016 at 4:45 PM, Ranjan Maitra
<maitra.mbox.ignored(a)inbox.com> wrote:
On Wed, 10 Feb 2016 16:24:44 +0100 Tom H <tomh0665(a)gmail.com>
wrote:
>
> root's presumably disabled on the OP's box so rather than change this
> setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
> "chroot /fedora" (or "systemd-nspawn -D /fedora") to create the
> following line in "/etc/sudoers.d/maitra":
>
> maitra ALL=(ALL) ALL
Thanks! This is exactly what I did.
You're welcome.
I hope that you can now figure out why sudo stopped working for maitra.
1:42 p.m.
On 02/10/2016 11:28 AM, Tom H wrote:
On Wed, Feb 10, 2016 at 4:45 PM, Ranjan Maitra
<maitra.mbox.ignored(a)inbox.com> wrote:
> On Wed, 10 Feb 2016 16:24:44 +0100 Tom H <tomh0665(a)gmail.com> wrote:
>>
>> root's presumably disabled on the OP's box so rather than change this
>> setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
>> "chroot /fedora" (or "systemd-nspawn -D /fedora") to create
the
>> following line in "/etc/sudoers.d/maitra":
>>
>> maitra ALL=(ALL) ALL
>
> Thanks! This is exactly what I did.
You're welcome.
I hope that you can now figure out why sudo stopped working for maitra.
Look at the dnf logs and look for ".rpmnew" files as well.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks(a)alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- I won't rise to the occasion, but I'll slide over to it. -
----------------------------------------------------------------------
11:17 a.m.
On 02/10/2016 08:24 AM, Tom H wrote:
On Tue, Feb 9, 2016 at 6:02 PM, jd1008 <jd1008(a)gmail.com>
wrote:
> To the OP of this thread:
>
> Why not
>
> boot a live CD or DVD
>
> Once booted,
> su - root
>
> mkdir /fedora
> mount /dev/sd ?? /fedora (?? are something like a0 or a1 ...etc ... the
> name of your hard drive boot partition)
>
> chroot /fedora
>
> passwd root
root's presumably disabled on the OP's box so rather than change this
setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
"chroot /fedora" (or "systemd-nspawn -D /fedora") to create the
following line in "/etc/sudoers.d/maitra":
maitra ALL=(ALL) ALL
The problem with allowing the user to be effectively root (via
sudoers)
is that
ubiquotous browser. I have zero faith in browsers. No, not 0, but
-infinity .
A malefic website can and does user JS to fork out processes that can sudo
whatever they want.
This is why broswers should be set to suid some user other than the
logged-in user,
and having no privileges outside it's own directory. This would be like
a jail.
Many of you already know how to set up such a jail.
11:53 a.m.
On 02/10/2016 10:27 AM, Patrick O'Callaghan wrote:
On Wed, 2016-02-10 at 10:17 -0700, jd1008 wrote:
> A malefic website can and does user JS to fork out processes that can
> sudo whatever they want.
Are you sure? If so, please give a reference.
poc
Some years ago, the reference came directly from google website analysis
(obtained via the noscript add-on).
to paraphrase what I read then (as I am sorry I did not keep that link),
stated
.... it installs malware without the user's knowledge or permission ....
I will strive to locate that analysis and share it with th list.
Unless of course, it has been sanitized or removed - because google
re-analyzes websites
once every 90 days.
3:45 p.m.
On Wed, 2016-02-10 at 10:53 -0700, jd1008 wrote:
On 02/10/2016 10:27 AM, Patrick O'Callaghan wrote:
> On Wed, 2016-02-10 at 10:17 -0700, jd1008 wrote:
> > A malefic website can and does user JS to fork out processes that
> > can
> > sudo whatever they want.
> Are you sure? If so, please give a reference.
>
> poc
Some years ago, the reference came directly from google website
analysis
(obtained via the noscript add-on).
to paraphrase what I read then (as I am sorry I did not keep that
link),
stated
.... it installs malware without the user's knowledge or permission
....
I will strive to locate that analysis and share it with th list.
Unless of course, it has been sanitized or removed - because google
re-analyzes websites
once every 90 days.
I suspect you're thinking of a bug in some earlier version of JS (or
Java). Normally these things are supposed to run in a sandbox precisely
to prevent this. That's probably the main reason Google has just
announced they'll be blocking Flash content in the near future, as it's
notorious for this kind of problem.
poc
5:22 p.m.
On 02/10/2016 02:45 PM, Patrick O'Callaghan wrote:
On Wed, 2016-02-10 at 10:53 -0700, jd1008 wrote:
> On 02/10/2016 10:27 AM, Patrick O'Callaghan wrote:
>> On Wed, 2016-02-10 at 10:17 -0700, jd1008 wrote:
>>> A malefic website can and does user JS to fork out processes that
>>> can
>>> sudo whatever they want.
>> Are you sure? If so, please give a reference.
>>
>> poc
> Some years ago, the reference came directly from google website
> analysis
> (obtained via the noscript add-on).
> to paraphrase what I read then (as I am sorry I did not keep that
> link),
> stated
> .... it installs malware without the user's knowledge or permission
> ....
>
> I will strive to locate that analysis and share it with th list.
>
> Unless of course, it has been sanitized or removed - because google
> re-analyzes websites
> once every 90 days.
I suspect you're thinking of a bug in some earlier version of JS (or
Java). Normally these things are supposed to run in a sandbox precisely
to prevent this. That's probably the main reason Google has just
announced they'll be blocking Flash content in the near future, as it's
notorious for this kind of problem.
poc
I am sorry to burst the bubble that was perpetrated by Sun Microsystems.
I worked at Sun Microsystems as a contractor and talked to a very senior
developer at Menlo Park. I knew this developer from working with him in
a previous company. Under my oath never to reveal his name, he clued me in
that the fictitious "sandbox" was the entire system. Sun was clever to
use the
term sandbox as a subterfuge for the silicon of the chips.
This "sandbox=entire system" was confirmed to me in an email from another
very senior developer who is still on this list, but will not expose his
name.
He confirmed that the sandbox is the entirety of the system.
Reason why some people will go to email flame wars on this issue is because
either it is their penny at stake, or they are obeying their superiors.
12:48 a.m.
Allegedly, on or about 10 February 2016, jd1008 sent:
I am sorry to burst the bubble that was perpetrated by Sun
Microsystems. I worked at Sun Microsystems as a contractor and talked
to a very senior developer at Menlo Park. I knew this developer from
working with him in a previous company. Under my oath never to reveal
his name, he clued me in that the fictitious "sandbox" was the entire
system.
I'd go along with that, I never believed the sandbox thing. After all,
you can upload any file of your choosing through a Java thing in a
website, and it could save a file to anywhere you selected. That's
hardly sandboxed.
And, if you went through the Java preferences, on those browsers that
gave you an extensive interface. You could select all sorts of breakout
allowances, many of which were preset to allowed.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.
3:42 a.m.
On 11 February 2016 at 06:48, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
Allegedly, on or about 10 February 2016, jd1008 sent:
> I am sorry to burst the bubble that was perpetrated by Sun
> Microsystems. I worked at Sun Microsystems as a contractor and talked
> to a very senior developer at Menlo Park. I knew this developer from
> working with him in a previous company. Under my oath never to reveal
> his name, he clued me in that the fictitious "sandbox" was the entire
> system.
I'd go along with that, I never believed the sandbox thing. After all,
you can upload any file of your choosing through a Java thing in a
website, and it could save a file to anywhere you selected. That's
hardly sandboxed.
And, if you went through the Java preferences, on those browsers that
gave you an extensive interface. You could select all sorts of breakout
allowances, many of which were preset to allowed.
Just to bring things back to reality though. The claim was that
*javascript* could execute sudo commands and has full access to the system
(no sandbox) and that has nothing to do with java applets/applications
whatsoever.
3:58 a.m.
On Thu, 2016-02-11 at 09:42 +0000, James Hogarth wrote:
On 11 February 2016 at 06:48, Tim
<ignored_mailbox(a)yahoo.com.au>
wrote:
> Allegedly, on or about 10 February 2016, jd1008 sent:
> > I am sorry to burst the bubble that was perpetrated by Sun
> > Microsystems. I worked at Sun Microsystems as a contractor and
> > talked
> > to a very senior developer at Menlo Park. I knew this developer
> > from
> > working with him in a previous company. Under my oath never to
> > reveal
> > his name, he clued me in that the fictitious "sandbox" was the
> > entire
> > system.
>
> I'd go along with that, I never believed the sandbox thing. After
> all,
> you can upload any file of your choosing through a Java thing in a
> website, and it could save a file to anywhere you selected. That's
> hardly sandboxed.
>
> And, if you went through the Java preferences, on those browsers
> that
> gave you an extensive interface. You could select all sorts of
> breakout
> allowances, many of which were preset to allowed.
>
>
Just to bring things back to reality though. The claim was that
*javascript* could execute sudo commands and has full access to the
system
(no sandbox) and that has nothing to do with java
applets/applications
whatsoever.
Exactly. I regret even mentioning Java and starting this hare.
poc
12:29 p.m.
On 02/11/2016 02:42 AM, James Hogarth wrote:
On 11 February 2016 at 06:48, Tim <ignored_mailbox(a)yahoo.com.au
<mailto:ignored_mailbox@yahoo.com.au>> wrote:
Allegedly, on or about 10 February 2016, jd1008 sent:
> I am sorry to burst the bubble that was perpetrated by Sun
> Microsystems. I worked at Sun Microsystems as a contractor and
talked
> to a very senior developer at Menlo Park. I knew this developer from
> working with him in a previous company. Under my oath never to
reveal
> his name, he clued me in that the fictitious "sandbox" was the
entire
> system.
I'd go along with that, I never believed the sandbox thing. After
all,
you can upload any file of your choosing through a Java thing in a
website, and it could save a file to anywhere you selected. That's
hardly sandboxed.
And, if you went through the Java preferences, on those browsers that
gave you an extensive interface. You could select all sorts of
breakout
allowances, many of which were preset to allowed.
Just to bring things back to reality though. The claim was that
*javascript* could execute sudo commands and has full access to the
system (no sandbox) and that has nothing to do with java
applets/applications whatsoever.
False!
JS, when obediently executed by the browser, can write into any
directory writable by
the logged in user who is using the browser.
Similarly, it can also delete files from any directory writable by the
same user.
Perhaps you are simply unaware of all the aspects of Java and JS.
Have you perused and analyzed the entirety of the code and libraries
that the browser is built from? That Java and JS are built from? I
seriously DOUBT it.
The sheer size of that code makes it so time consuming to comb through
it thoroughly,
it (the code size) is the perfect place to hide security breaches from
the user. Couple that
with the fact that the sources and tools that build Java and JS are very
different to
the sources and tools on your system.
Are you aware that when you download the full browser source codes to
build on your system,
you will run into issues of library incompatibilities and tools versions
incompatibilities?
I have tried many times over the past 10 to 15 years.
Let us suppose that, after you downloaded all the sources (including the
system's libs and tools sources),
and you spend 5 years tracking down security holes and removing them,
and built the browser and javascript libs
free of such holes; then what? The next dnf update will overwrite all
that and replace it with infected software.
So, you see, it is a daunting enterprise to disinfect the system from
very well hidden security holes.
Couple all that with something called "code obfuscation"!!! It will be
well nigh impossible to read the code
and find the security holes.
6:41 a.m.
On 10 February 2016 at 23:22, jd1008 <jd1008(a)gmail.com> wrote:
I am sorry to burst the bubble that was perpetrated by Sun
Microsystems.
I worked at Sun Microsystems as a contractor and talked to a very senior
developer at Menlo Park. I knew this developer from working with him in
a previous company. Under my oath never to reveal his name, he clued me in
that the fictitious "sandbox" was the entire system. Sun was clever to use
the
term sandbox as a subterfuge for the silicon of the chips.
This "sandbox=entire system" was confirmed to me in an email from another
very senior developer who is still on this list, but will not expose his
name.
He confirmed that the sandbox is the entirety of the system.
Reason why some people will go to email flame wars on this issue is because
either it is their penny at stake, or they are obeying their superiors.
Without details as to what language and vm it refers to unfortunately
this is not a very useful anecdote. The plugin sandbox that firefox or
edge use is not the same as a javascript sandbox in netscape (was
there one?), or a java sandbox.
--
imalone
http://ibmalone.blogspot.co.uk
12:33 p.m.
On 02/11/2016 05:41 AM, Ian Malone wrote:
On 10 February 2016 at 23:22, jd1008 <jd1008(a)gmail.com> wrote:
>
> I am sorry to burst the bubble that was perpetrated by Sun Microsystems.
> I worked at Sun Microsystems as a contractor and talked to a very senior
> developer at Menlo Park. I knew this developer from working with him in
> a previous company. Under my oath never to reveal his name, he clued me in
> that the fictitious "sandbox" was the entire system. Sun was clever to use
> the
> term sandbox as a subterfuge for the silicon of the chips.
> This "sandbox=entire system" was confirmed to me in an email from another
> very senior developer who is still on this list, but will not expose his
> name.
> He confirmed that the sandbox is the entirety of the system.
> Reason why some people will go to email flame wars on this issue is because
> either it is their penny at stake, or they are obeying their superiors.
Without details as to what language and vm it refers to unfortunately
this is not a very useful anecdote. The plugin sandbox that firefox or
edge use is not the same as a javascript sandbox in netscape (was
there one?), or a java sandbox.
So, you keep sanctioning and spreading and
supporting the illusion of
security?
Such a sad position to adopt.
1:07 p.m.
On 11 February 2016 at 18:33, jd1008 <jd1008(a)gmail.com> wrote:
On 02/11/2016 05:41 AM, Ian Malone wrote:
>
> On 10 February 2016 at 23:22, jd1008 <jd1008(a)gmail.com> wrote:
>>
>>
>> I am sorry to burst the bubble that was perpetrated by Sun Microsystems.
>> I worked at Sun Microsystems as a contractor and talked to a very senior
>> developer at Menlo Park. I knew this developer from working with him in
>> a previous company. Under my oath never to reveal his name, he clued me
>> in
>> that the fictitious "sandbox" was the entire system. Sun was clever to
>> use
>> the
>> term sandbox as a subterfuge for the silicon of the chips.
>> This "sandbox=entire system" was confirmed to me in an email from
another
>> very senior developer who is still on this list, but will not expose his
>> name.
>> He confirmed that the sandbox is the entirety of the system.
>> Reason why some people will go to email flame wars on this issue is
>> because
>> either it is their penny at stake, or they are obeying their superiors.
>
> Without details as to what language and vm it refers to unfortunately
> this is not a very useful anecdote. The plugin sandbox that firefox or
> edge use is not the same as a javascript sandbox in netscape (was
> there one?), or a java sandbox.
So, you keep sanctioning and spreading and supporting the illusion of
security?
Such a sad position to adopt.
I'm afraid your only viable solution is to never connect to the internet again.
--
imalone
http://ibmalone.blogspot.co.uk
1:31 p.m.
On Wed, Feb 10, 2016 at 6:17 PM, jd1008 <jd1008(a)gmail.com> wrote:
On 02/10/2016 08:24 AM, Tom H wrote:
>
> root's presumably disabled on the OP's box so rather than change this
> setup, the OP should run "visudo -f /etc/sudoers.d/maitra" after
> "chroot /fedora" (or "systemd-nspawn -D /fedora") to create the
> following line in "/etc/sudoers.d/maitra":
>
> maitra ALL=(ALL) ALL
The problem with allowing the user to be effectively root (via sudoers) is
that
ubiquotous browser. I have zero faith in browsers. No, not 0, but -infinity
.
A malefic website can and does user JS to fork out processes that can sudo
whatever they want.
This is why broswers should be set to suid some user other than the
logged-in user,
and having no privileges outside it's own directory. This would be like a
jail.
Many of you already know how to set up such a jail.
Your malefic JS will still need the user's password to run "sudo
some_command".
3:10 p.m.
On Tue, 2016-02-09 at 08:48 -0800, Joe Zeff wrote:
On 02/09/2016 06:50 AM, SternData wrote:
> You'll need to find that scrap of paper on which you wrote the
> password
> for "root" and put away someplace safe. :-)
And once you have it, you won't need to bother with sudo any more.
SUdo is useful even when you do have root. I use it all the time
because I don't like actually logging in as root if I can avoid it. I
know you can use "su -c bla bla" but sudo is quicker and easier to
remember.
poc
4:15 p.m.
On 02/09/2016 01:10 PM, Patrick O'Callaghan wrote:
SUdo is useful even when you do have root. I use it all the time
because I don't like actually logging in as root if I can avoid it. I
know you can use "su -c bla bla" but sudo is quicker and easier to
remember.
I, OTOH, find su -c quite satisfactory, TYVM. The only reason I have
sudo installed is that there are some install scripts that use it. Of
course, back when I first started using Linux at home, almost 20 years
ago, RedHat didn't come with sudo so I never got in the habit of using
it. I knew about it because I had to telnet to various Unix/Linux
servers (all inside the corporate firewall) at work, and worked with
shell scripts that used sudo, but that's it.
And, as far as security goes, all you need to do is disable Telnet and
configure ssh to disallow direct root login. That way, even if somebody
manages to crack your password and get shell access via ssh, they can't
use sudo to do any major damage. (I'm never in wheel, and my username
isn't in /etc/sudoers, just to be safe.) Paranoid? Not really, it's
just that I see no reason to have sudo set up if I'm not using it.
4:24 p.m.
On Tue, 2016-02-09 at 14:15 -0800, Joe Zeff wrote:
On 02/09/2016 01:10 PM, Patrick O'Callaghan wrote:
> SUdo is useful even when you do have root. I use it all the time
> because I don't like actually logging in as root if I can avoid it.
> I
> know you can use "su -c bla bla" but sudo is quicker and easier to
> remember.
I, OTOH, find su -c quite satisfactory, TYVM. The only reason I
have
sudo installed is that there are some install scripts that use
it. Of
course, back when I first started using Linux at home, almost 20
years
ago, RedHat didn't come with sudo so I never got in the habit of
using
it. I knew about it because I had to telnet to various Unix/Linux
servers (all inside the corporate firewall) at work, and worked with
shell scripts that used sudo, but that's it.
I'm surprised that RH didn't come with sudo. I was using it on Solaris
long before Linux was even a thing.
And, as far as security goes, all you need to do is disable Telnet
and
configure ssh to disallow direct root login.
Of course, SOP. I also use fail2ban so in fact the baddies don't even
get as far as the SSH login.
That way, even if somebody
manages to crack your password and get shell access via ssh, they
can't
use sudo to do any major damage. (I'm never in wheel, and my
username
isn't in /etc/sudoers, just to be safe.) Paranoid? Not really,
it's
just that I see no reason to have sudo set up if I'm not using it.
My password is long, but I do find sudo useful. To each his own.
poc
6:53 a.m.
Joe Zeff wrote:
I, OTOH, find su -c quite satisfactory, TYVM.
Surely this takes substantially more time than sudo?
Presumably you have to give the argument in quotes,
and then give the password?
And doesn't it give an alternative way for the hacker
to get the superuser password, eg by key-logging?
So is it even safer in the end?
--
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
7:02 a.m.
On Wed, 2016-02-10 at 12:53 +0000, Timothy Murphy wrote:
Joe Zeff wrote:
> I, OTOH, find su -c quite satisfactory, TYVM.
Surely this takes substantially more time than sudo?
Presumably you have to give the argument in quotes,
and then give the password?
My thinking exactly.
And doesn't it give an alternative way for the hacker
to get the superuser password, eg by key-logging?
So is it even safer in the end?
If there's a keylogger, all bets are off anyway, so I wouldn't give
much weight to this as an argument.
poc
10:48 a.m.
On 02/10/2016 04:53 AM, Timothy Murphy wrote:
Surely this takes substantially more time than sudo?
Presumably you have to give the argument in quotes,
and then give the password?
So? Time is not everything, and being retired, I have all that I need.
And doesn't it give an alternative way for the hacker
to get the superuser password, eg by key-logging?
So is it even safer in the end?
If the hacker's gotten through my firewall and installed a key logger,
it's already too late.
11:05 a.m.
On Wed, 2016-02-10 at 08:48 -0800, Joe Zeff wrote:
On 02/10/2016 04:53 AM, Timothy Murphy wrote:
> Surely this takes substantially more time than sudo?
> Presumably you have to give the argument in quotes,
> and then give the password?
>
So? Time is not everything, and being retired, I have all that I
need.
Also retired, for what it's worth. All the same I prefer to type less
rather than more :-)
poc
12:49 a.m.
Allegedly, on or about 10 February 2016, Patrick O'Callaghan sent:
I prefer to type less rather than more :-)
Groan...
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
This email has been brought to you by beetwix. Mmm, spewy! Get some into
you today.
6:07 p.m.
On Thu, 11 Feb 2016 17:19:34 +1030
Tim <ignored_mailbox(a)yahoo.com.au> wrote:
Allegedly, on or about 10 February 2016, Patrick O'Callaghan
sent:
> I prefer to type less rather than more :-)
Groan...
Thanks for the hint. I missed it the first time through, and got a
chuckle out of it this time.
10:13 p.m.
On 02/10/2016 08:48 AM, Joe Zeff wrote:
On 02/10/2016 04:53 AM, Timothy Murphy wrote:
> Surely this takes substantially more time than sudo?
> Presumably you have to give the argument in quotes,
> and then give the password?
>
So? Time is not everything, and being retired, I have all that I need.
> And doesn't it give an alternative way for the hacker
> to get the superuser password, eg by key-logging?
> So is it even safer in the end?
If the hacker's gotten through my firewall and installed a key logger,
it's already too late.
I am a little late in the discussion. Is your username
in the wheel group?
--
Joseph Loo
jloo(a)acm.org
10:44 a.m.
On 02/09/2016 05:52 AM, Ranjan Maitra wrote:
Short of reinstalling, how do I get around this? Note that I do not
have root account, so I am not sure about what to do.
Is this a home box, or work? If it's home, why don't you have root? If
it's work, it may be easiest to talk to whoever does have the root
password and ask them to do what's needed. (I never use sudo, so I
don't know.)
2996
days inactive
2999
days old
39 comments
13 participants
participants (13)
-
Ian Malone -
James Hogarth -
JD -
Joe Zeff -
Joseph Loo -
Patrick O'Callaghan -
Ranjan Maitra -
Rick Stevens -
stan -
SternData -
Tim -
Timothy Murphy -
Tom H