What are these for?

Reindl Harald h.reindl at thelounge.net
Thu Nov 22 20:18:18 UTC 2012



On 22.11.2012 18:07, lee wrote:
>> man crontab
>> man grep
>> man echo
>>
>> any output from a application / script started via crond
>> goes into a mail to root
> 
> It goes to the user who created the crontab.  

the user to parse sensitive logs is usually root

> What messages would I want to see?

that is up to you

i as example want to see any failed systemd-unit
and any php-notice/warning/error and wrote scripts
to grep them and remember what is already mailed

i doubt there is a generic and ready "fits you" solution
but that is the strength of a linux-system
you can do whatever you need

>> but you refuse to understand the main difference having
>> things permanently running as root or only request root
>> pwd if it is really needed AND you can refuse to permit
> 
> No, I'm seeing the difference and ask myself how relevant that is.

on sunny days it does not matter

if things are going wrong it may make the difference between
"nothing bad happened" and "you are compromised", if you are
compromised it is a really hard job to setup a clean system
and not restore manipulated scripts / configs from your backups

> With su, I have bash running as root in one of the windows in tmux and
> everything I do from there runs as root.  I'm not giving away the
> password other than to su and there aren't any hidden things that might
> or might not happen in the background.
> 
> In both cases, "bad" software could do harm.  So what's the relevant
> difference?

policykit requests root pwd only when needed

it is up to you to think if there is a reason
and the request is expected - if you start it
directly as root ANYTHING runs with full permissions

>>> So yes, it decreases security instead of increasing it.
>>
>> NO how do you come to that conclusion?
> 
> It gets users used to just enter their password whenever they are asked
> for it.

these types of users are idiots and nothing can help
them - polkit is for them who are THINKING before
typing the password why it would be needed and if
i do not see a reason i refuse to give permissions
and try to read manpages to understand why i should
grant it

>> it is about you if you enter root password in a randomly popping up
>> window
> 
> Yes, and once users are used to do that, they just do it.

as said: these types of users are helpless

the intention of a OS trying to make things
as secure as possible is to help and protect users
with their own brain - the rest is helpless

>>> What difference does it make which password is supplied when with the
>>> password things can be done that are relevant for security?  Why should
>>> I give my password again when I'm already logged in and the system knows
>>> who I am?
>>
>> what about drive-by-attacks?
> 
> I don't know what you mean by that.

any code which runs as root can do anything
any code with whatever security leak can be
attacked with input data - if the code has as less
permissions as possible it is much harder to trigger
buffer overflows and such things to modify the system
for later attacks to other components

example?

* system executes code by buffer overflow
* this code may use another security hole which is only local exploitable
* if some of this running with root permissions the attacker opens a backdoor
* over this backdoor the machine is controlled and wide opened

google: rootkit

>> what about leave the room for a minute and forget lock the screen?
> 
> If I had to lock the screen, I would

a very very naive point of view which may work
99 out of 100% and the ONE percent installs you
a backdoor you maybe not recognize over weeks

>> what about malware trying things with your current permissions
> 
> It can do that in any case.

hahahaha, sorry but this is naive

malware will nearly every time try to gain root access and
modify something - if there is a root-pwd request without
knowing what of your actions could have been triggering
this you may get alarmed

many may not but they are helpless and such things are
to help the users which are not ignorant

>> ANY security relevant task has to be confirmed with
>> a password independent if you are logged in or not
> 
> Starting/running a web browser is a security relevant task.  "Web
> browser" is only a place holder.  Fill in other software that might be
> security relevant.

bullshit

the webbrowser is not a security relevant task for itself
but opening a webpage and get a request to enter the root-pwd
may be a VERY good sign that your browser has a security hole

> I'm running the web browser as a different user so it doesn't have
> access to my data. 

this may suit you
but it can not suit me as web-developer

>> users entering their password EVERYWHERE have already lost
>> ANY security fight - sorry, but this argumentation is invalid
>> because ORDINARY user tasks do NOT request a password
> 
> Your logic is flawed.  It doesn't matter that some things don't require
> entering a password.  (On a side note: Starting a web browser or
> starting emacs would require a password because a web browser is a
> security risk and because emacs could display and modify files that
> nobody but their owner is supposed to see or to modify.

your logic is flawed

starting a webbrowser or emacs would NORMALLY NOT require a password

> What matters is that getting users used to enter their password
> everywhere decreases security. 

users enter their password EVERYWHERE are idiots and can
not be protected at all - "this machine has no brain use your own"

> How much do ordinary users know about
> things like that, and how much do they care? 

if they do not care they are still lost
LINUX is for people WHO CARE

> When their computer tells
> them "I need your password to do this or that" and when they're used to
> it, they will just enter it to get on with whatever they are doing. 

as said: these users are helpless at all

> recently did it on a Mac when I put vlc on it, and I didn't have any way
> to find out if I actually should enter the password or better not, so I
> just entered it to get on with it. 

so YOU are acting terrible wrong
if i do not know why i will not enter my password

> IIRC it didn't even tell me what it
> was needed for. 

so why the hell do you enter it?

> What choice do you have?  

NOT ENTER the password

> Reverse-engineer macos to
> try to figure out what's going on?

ask someone who understands more or be happy that
whatever did not get permissions for a unknown reason

> You say users entering their passwords just like that have already lost
> all security.  Then why get them used to do exactly that?  You can't say
> it would increase security and you'd have to agree that it decreases
> security.

WTF

if ANYTHING TRIES to do something out of my users
privileges i WANT and NEED to know it and NO i do
NOT enter blindly my password

> There's even a fairy tale along these lines:  It's about someone alerting
> his people about dangerous wolves coming, just for the fun of scaring
> the ppl up.  He does that a couple times, and when the wolves are
> actually coming, nobody believes him anymore and the wolves kill all the
> sheep.

the only thing i agree is that most people do
not understand anything about security and
computers

but this is no argumentation to refuse users which does
POWERFUL tools to increase THEIR security because they
are knowing what they are doing and not blindly enter
passwords

> Anyway, let's assume I wanted to use polkit.  I need at least bash, ls,
> cp, less, yum, find and emacs to work with that --- and some others that
> don't come to mind atm.  Are these going to be bloated up to support
> polkit?  Do you seriously want me to enter my password every time though
> it would be useless anyway?

jesus christ 99.999% of a users task does NOT
need enter a password all the time

> Do you really think it would be a good idea to have files which are
> edited by root only mixed in with the other 56 buffers I have currently
> in my emacs session?  I wouldn't want to do that; root has his own 34
> buffers in his own emacs, kept nicely separate.  I might have to enter a
> password to switch buffers or even to see the buffer menu ...

NOBODY prevents you from doing so
you can open as many root-shells as you like
what exactly is your problem?

> I'd rather get the problem with the sound for the second user fixed and
> disable polkit.  That actually *would* increase security.

????
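
The approach mentioned in the message above (grep the logs from root's crontab and remember what is already mailed), sketched as an added example that is not part of the original post and not the poster's own scripts. `report_new`, the state directory and the PHP log path are assumed names.

```shell
#!/bin/sh
# Added example: print only lines that were not reported on an earlier run.
# Started from root's crontab, anything printed here ends up in the cron mail.

umask 077   # state files quote sensitive log lines, keep them owner-only

# report_new STATE_FILE
#   candidate lines on stdin, previously unseen lines on stdout;
#   every line printed is appended to STATE_FILE so it is mailed only once.
report_new() {
    state=$1
    new=$(awk -v state="$state" '
        # Load what was already mailed (a missing state file means nothing yet).
        BEGIN { while ((getline l < state) > 0) seen[l] = 1 }
        # Pass a line through only the first time it is ever seen.
        !($0 in seen) { seen[$0] = 1; print }
    ')
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$state"
        printf '%s\n' "$new"
    fi
}

# Real run, e.g. from a root crontab entry (paths are assumptions):
#   */10 * * * * /usr/local/sbin/mail-new-errors.sh --run
if [ "${1:-}" = "--run" ]; then
    dir=/var/lib/mail-new-errors          # assumed state directory
    mkdir -p "$dir"
    # PHP log lines carry a timestamp, so each new occurrence is a new line.
    grep -E 'PHP (Notice|Warning|Fatal error)' /var/log/php_errors.log \
        2>/dev/null | report_new "$dir/php.seen"
    # Unit lines have no timestamp: a failed unit is reported once and stays
    # silent until its line is removed from the state file.
    systemctl --failed --no-legend 2>/dev/null | report_new "$dir/units.seen"
fi
```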
