HOWTO Setup sudo to Avoid Entering a Password


Re: HOWTO Setup sudo to Avoid Entering a Password

Postby ziggybopbopdoo » 2014-01-28 14:50

TobiSGD wrote:If you use sudo for its main purpose, giving certain users well defined access rights to certain programs,

If the main purpose was well defined access to certain programs by certain users then sudo would never have been designed with the ALL keywords. Its main purpose is simply to allow users to run system commands without having the root password.

there is nothing wrong with using sudo, even on a single user system.
I didn't say there was anything wrong with using sudo on a single user system. Maybe you missed the discussion so far but I have been for sudo if a user wants it. I am even for sudo that doesn't ask for a password. If a user wants the convenience of sudo I would think that at least some of them would want the added convenience of it not bothering them for a password.

What I said was that most single-user systems do not need sudo at all. In other words, sudo is not necessary. I could have said that NO single-user systems need sudo and it still would have been true.

Now if we are looking at it from a security standpoint then it is never prudent to have packages installed that are not needed. Having packages installed that aren't needed adds attack vectors for no reason. So just installing sudo is a risk, not configuring it to be more secure is a risk, and having it not ask for a password is a risk. A user should be free to pick his own risk level.

Now if a user suggested something risky AND stated it was fine for everyone to do then that would be inaccurate info and should be corrected. But the OP just stated information. In fact he simply posted a perfectly valid configuration. He didn't suggest it was for everyone or even anyone. So to me there was nothing to correct in that regard. I did add that visudo should be used and that it was important to understand the (ALL:ALL) part but I consider those to be additions rather than corrections.


For example, you might use the root account for system administration, but may have set up sudo to allow the normal user to loop-mount ISO images.

But that doesn't mean you need sudo, it simply means you choose to use sudo. And anyway, why on earth would a user want to type sudo to mount an iso image rather than just su'ing to root and mounting an iso image or using su -c to mount it?


If a third party is able to run code on your system without your consent, how would you call that? I would say that you are not the only user of that system in that case.

It isn't without my consent. I consented when I opened my browser and chose to allow it to do what it does. Anything it runs is actually me doing it. It is me running a program whose function is to run scripts, interpret markup, display images, play media, etc.


Hallvor wrote:As long as bad advice gets shot down within reasonable time and within the same thread, I don't see any problem.

Exactly. And the OP did not even offer any advice to correct. Nobody said to do anything. They only offered a way of doing something. Only those looking for a way to do this would be doing it anyway. Those people have already decided to take the risk, better to instruct/guide them in that risk than to leave them to figure it out for themselves.

confuseling wrote:If this thread proves anything, it's that there isn't universal agreement about best practices and acceptable levels of security.

I would hope that every user decides their own acceptable level of security.
ziggybopbopdoo
 
Posts: 107
Joined: 2014-01-25 21:27

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby saulgoode » 2014-01-28 15:02

AN0NYM0US wrote:
TobiSGD wrote:If you use sudo for its main purpose, giving certain users well defined access rights to certain programs,

If the main purpose was well defined access to certain programs by certain users then sudo would never have been designed with the ALL keywords. Its main purpose is simply to allow users to run system commands without having the root password.

The main purpose of sudo was to facilitate the task of administering Unix systems, particularly in larger enterprise environments. Providing well defined, limited access rights to certain programs was part of this -- you might want to give a technician tasked with doing weekly backups access to the tape drives and updating the logs, but not provide him access to the employment records of everybody in the company.

Another (important) part of sudo's utility -- and this is where the ALL and NOPASSWORD keywords come into play -- was in simplifying the task of running an IT staff comprising multiple administrator accounts, without all staff members sharing the same account and password. Sudo makes it quite trivial to add and remove fully-privileged administrators in such a scenario. Nota bene, these were to be dedicated administrator accounts and only intended to be logged into while performing administrative activities.

I personally think it entirely accurate to characterize the granting of ALL privileges to an account that is otherwise being used for normal, regular-user computing activities to be a "bastardization" of the original purpose of sudo, and doing so with a NOPASSWORD option to be downright foolhardy.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
saulgoode
 
Posts: 1545
Joined: 2007-10-22 11:34

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby TobiSGD » 2014-01-28 15:54

ziggybopbopdoo wrote:
TobiSGD wrote:If you use sudo for its main purpose, giving certain users well defined access rights to certain programs,

If the main purpose was well defined access to certain programs by certain users then sudo would never have been designed with the ALL keywords. Its main purpose is simply to allow users to run system commands without having the root password.

Funnily, this argument works in the same way the other way around, and even better. If the main purpose of sudo would have been to simply allow users to run system commands without having the root password the original authors simply would have omitted to implement all the complicated stuff about restricting access to certain programs. They would have simply implemented the ALL option and were done.
TobiSGD
 
Posts: 859
Joined: 2010-05-08 22:27
Location: Hannover, Germany

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby ziggybopbopdoo » 2014-01-28 16:24

saulgoode wrote:The main purpose of sudo...

I consider the purpose of a tool to be the core function of the tool, what the tool actually does, the action it performs.

How someone uses a tool and/or what they use the tool for is simply use case scenarios. Any function beyond the core function has to do with configuration and options.

But I misspoke, I should have said its main purpose (function) is to allow users to run commands as another user. I used a use case to represent the basic function and it was a poor choice as it also represents more function than the main one.

saulgoode wrote:The main purpose of sudo was to facilitate the task of administering Unix systems, particularly in larger enterprise environments.

That describes how someone might use the tool.

Providing well defined, limited access rights to certain programs was part of this -- you might want to give a technician tasked with doing weekly backups access to the tape drives and updating the logs, but not provide him access to the employment records of everybody in the company.

Another way.

Another (important) part of sudo's utility -- and this is where the ALL and NOPASSWORD keywords come into play -- was in simplifying the task of running an IT staff comprising multiple administrator accounts, without all staff members sharing the same account and password. Sudo makes it quite trivial to add and remove fully-privileged administrators in such a scenario. Nota bene, these were to be dedicated administrator accounts and only intended to be logged into while performing administrative activities.

Another.

I personally think it entirely accurate to characterize the granting of ALL privileges to an account that is otherwise being used for normal, regular-user computing activities to be a "bastardization" of the original purpose of sudo, and doing so with a NOPASSWORD option to be downright foolhardy.


I am glad we agree regarding the risk of the NOPASSWD option. As I stated earlier I consider installing sudo to be somewhat foolhardy (risky), not configuring it to be more secure than it is by default to be foolhardy (risky), and using the NOPASSWD option to be foolhardy (risky). I guess I am the more security conscious user here. To do any of those increases risk. To not do the second one is as risky as the third since you would be unaware of any dangerous defaults and it would, at least after use of sudo, be operating as if the NOPASSWD option had been used until the timeout expired.

That being said I have no issue with anyone assuming any of these risks. It isn't my place to do so. Now if they were to recommend/suggest/encourage someone else to take a risk, then I would feel free to recommend/suggest/encourage otherwise.

Now you are speaking of ORIGINAL purpose? Was that a slip of the keyboard or did you mean to differentiate that from your earlier use of the phrase "main purpose"?

How can it be bastardization if the feature/option is programmed by the developer? When you configure other utilities do you also consider that to be bastardization as well? When you use options that are programmed into software are you bastardizing it as well? Because that is all this is about is options and configurations. The developer/contributor programmed it this way. You are saying that using a program's options is bastardization?

To me the only way to truly bastardize software would be to modify source in order to change it so that it does something different than what was programmed originally. In that way you would be corrupting, debasing, changing the purpose and that would be bastardization.



TobiSGD wrote:Funnily, this argument works in the same way the other way around, and even better. If the main purpose of sudo would have been to simply allow users to run system commands without having the root password the original authors simply would have omitted to implement all the complicated stuff about restricting access to certain programs. They would have simply implemented the ALL option and were done.

As previously mentioned, I misspoke. I should have said its main purpose (function) is to allow users to run commands as another user. In the heat of the moment I used a use case to represent the basic function and it was a poor choice as it also represents more function than the main one.
ziggybopbopdoo
 
Posts: 107
Joined: 2014-01-25 21:27

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby ziggybopbopdoo » 2014-01-29 18:56


TO SUMMARIZE:


If you are reckless in regards to security then you might as well do this.

If you care about the security of your system you would never do this.



Big round of applause to all participants and awards to those with good arguments!
ziggybopbopdoo
 
Posts: 107
Joined: 2014-01-25 21:27

Postby emorgan33 » 2014-02-09 03:55

So a quick question for you guys: am I leaving a gigantic security hole open for my system by using an account with administrator rights all of the time?

emorgan33
 
Posts: 6
Joined: 2014-02-07 04:57

Re:

Postby dilberts_left_nut » 2014-02-09 04:02

emorgan33 wrote:So a quick question for you guys: am I leaving a gigantic security hole open for my system by using an account with administrator rights all of the time?

Yes.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 5020
Joined: 2009-10-05 07:54
Location: enzed

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby dzz » 2014-02-09 09:15

why on earth would a user want to type sudo to mount an iso image

Maybe because that user did not know "fuseiso" does just that without needing root at all!
dzz
 
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby bchat » 2014-04-04 19:38

I just noticed the discussion here and it is very good. Maybe I should have stated that I wouldn't recommend this setup in a production/enterprise environment. I use this setup on computers that I own personally and do with them as I choose. If I wanted to be forced to use a computer in a particular way that someone else decided on regardless of whether it is practical or not, I would use a Windows 8 machine. If using Linux meant giving up my freedom, I would not use it.

This is what it comes down to for me:

Typing in a password every time I run a root command is a wasteful use of my time. It's annoying. More annoying than Windows' security pop-ups for Administrator access. I don't want to be annoyed when I use my Linux machine. It defeats the purpose.

If you really want your computer to be secure, then you should unplug the power cord from the wall. With the power cord unplugged, no unauthorized person or program can access it. It is perfectly secure. On the other hand, if you actually want to be able to USE your computer, you're going to have to make some compromises in terms of security.

Even if you use a password with sudo, someone else could learn it by watching you type it. So to get around that problem, you should really use a keyboard that doesn't have any letters printed on the keyboard, so no one can see what letters you're typing. But, then someone could have memorized the key positions, so actually you should really get an invisible keyboard. THEN your computer will be truly secure.

Perhaps you can see how ridiculous this can get. At some point you have to make a compromise between security and usability. This is mine: I am not going to constantly type my password into my computer every time I run a command. You can if you want to.

Also, I do want to use sudo because it helps me recognize when I'm typing a dangerous command.
PowerBook G4 15" Aluminum / 1.5 GHz PowerPC 7447a (32-bit) CPU with AltiVec Velocity Engine / 1 GB RAM / ATI Mobility Radeon 9700 (4X AGP) 64 MB
Debian Wheezy 7.8 ONLY / Gnome 3.4.2 Fallback Mode
$50 complete system cost
bchat
 
Posts: 10
Joined: 2013-12-18 00:25
Location: Ohio, USA

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby confuseling » 2014-04-04 20:16

bchat wrote:I just noticed the discussion here and it is very good. Maybe I should have stated that I wouldn't recommend this setup in a production/enterprise environment. I use this setup on computers that I own personally and do with them as I choose. If I wanted to be forced to use a computer in a particular way that someone else decided on regardless of whether it is practical or not, I would use a Windows 8 machine. If using Linux meant giving up my freedom, I would not use it.


This argument is empty.

When you buy a drill with a fuse in, do you remove it and replace it with a bit of wire?

Why should anyone impinge on your freedom to run whatever current you feel like through your tools?

bchat wrote:This is what it comes down to for me:

Typing in a password every time I run a root command is a wasteful use of my time. It's annoying. More annoying than Windows' security pop-ups for Administrator access. I don't want to be annoyed when I use my Linux machine. It defeats the purpose.


I probably update my system once a week or so... I install things irregularly too - maybe again once a week on average? How many times can you possibly be typing your password?
The Forum's search box is terrible. Use site specific search, e.g.
https://www.google.com/search?q=site%3A ... terms+here
confuseling
 
Posts: 2143
Joined: 2009-10-21 01:03

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby bchat » 2014-04-05 02:18

confuseling wrote:This argument is empty.

When you buy a drill with a fuse in, do you remove it and replace it with a bit of wire?

Why should anyone impinge on your freedom to run whatever current you feel like through your tools?


I'm not really sure what you're saying. But, replacing a fuse with wire would cause the tool not to work. My system still works after my change. Although I'm open to a sudo script attack, I guess. That's a risk I'm willing to take.

confuseling wrote:I probably update my system once a week or so... I install things irregularly too - maybe again once a week on average? How many times can you possibly be typing your password?


When I'm trying to figure out how to get things to work, like sudo, sound, battery indicator, suspend/resume and all the various things that don't work on Linux by default, I am constantly running commands that require root access. Just looking at /var/log/messages requires root access.

If I could get the time delay feature with sudo to work, maybe I would not have to turn off the password completely. But, I usually find that either the time delay feature doesn't work at all or it is set to a time that is too short to be useful.

Also I install and uninstall programs all the time to try them out. There are so many programs to experiment with.
bchat
 
Posts: 10
Joined: 2013-12-18 00:25
Location: Ohio, USA
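
The posts above contrast three sudo setups: `NOPASSWD` on `ALL`, rules scoped to specific commands such as loop-mounting an ISO, and the credential timeout. The following is an added example, not code from any poster or from the sudo project: a small audit over a simplified subset of sudoers syntax that flags the first and third cases. The user names, paths and the 15-minute threshold are constructed assumptions.

```python
import re

# Constructed sample policy (not from the thread); users and paths are hypothetical.
SAMPLE_SUDOERS = r"""# constructed example
Defaults        env_reset
Defaults        timestamp_timeout=30
alice   ALL=(ALL:ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /bin/mount -o loop /srv/iso/debian.iso /mnt/iso, \
                             /bin/umount /mnt/iso
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(ALL) PASSWD: /usr/bin/apt-get update, NOPASSWD: ALL
"""

MAX_TIMEOUT_MIN = 15  # assumed local policy threshold, not a sudo constant

SPEC = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")
TAG = re.compile(r"^([A-Z_]+):\s*")
TIMEOUT = re.compile(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")


def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit(text):
    """Return (kind, subject, detail) findings for a subset of sudoers syntax."""
    findings = []
    for line in logical_lines(text):
        first = line.split()[0]
        if first.startswith("Defaults"):
            m = TIMEOUT.search(line)
            if m and not 0 <= float(m.group(1)) <= MAX_TIMEOUT_MIN:
                # negative: cached credential never expires; large: long reuse window
                findings.append(("long-timeout", first, m.group(1)))
            continue
        m = SPEC.match(line)
        if first.endswith("_Alias") or not m:
            continue
        nopasswd = False  # tags carry forward along the command list
        for cmd in re.split(r",(?![^()]*\))", m.group("rest")):
            cmd = RUNAS.sub("", cmd.strip())
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd.strip() == "ALL":
                findings.append(("nopasswd-all", m.group("who"), "ALL"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

The scoped rule for `bob` produces no finding, while `carol` is flagged because the `NOPASSWD` tag on her last entry applies to `ALL`. Include directives and alias expansion are not handled, so `sudo -l -U <user>` remains the authoritative view of what an account can run.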

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby dasein » 2014-04-05 02:29

The OP's machine is his to bork as he pleases, of course. But please, if yours is an otherwise innocent encounter with this thread, do not, for the love of J "Bob" Dobbs, do what he's done, nor even consider what he is advocating. It's an Astonishingly Bad Idea.

This whole thread really should be titled "How to Emulate the Windows XP Security Model in Linux"
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby Randicus » 2014-04-05 03:34

bchat wrote:If using Linux meant giving up my freedom, I would not use it.

Yes. You are free to do whatever you want with your computer, good or bad.

Typing in a password every time I run a root command is a wasteful use of my time. It's annoying.

Why must you enter the password every time you run a command? I enter the password once, enter the commands, then log out of the root account. If you must enter the password with every command, my guess is you use Butnut-style sudo abuse.

I am not going to constantly type my password into my computer every time I run a command. You can if you want to.

No need to. See above.

Also, I do want to use sudo because it helps me recognize when I'm typing a dangerous command.

That is one of the most ridiculous arguments for sudo abuse I have seen. You recognise a command as dangerous if you use sudo, but not if you use the root account? Good grief.
Randicus
 
Posts: 2664
Joined: 2011-05-08 09:11

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby bchat » 2014-04-05 04:43

:-p
bchat
 
Posts: 10
Joined: 2013-12-18 00:25
Location: Ohio, USA

Re: HOWTO Setup sudo to Avoid Entering a Password

Postby Linadian » 2014-04-19 09:57

Although I am comfortable in the command line, I do have sudo and gksudo installed, some GUI programs require it, for a reason, root is a nice place to visit occasionally, but nobody should 'live' there full time, that's just nuts, that's one of the things I like about Debian, it's old school locked down. I bet you tell (computer illiterate) Windows users to shutoff UAC too, lol. :lol: :P
Linux Registered User 533946
Linadian
 
Posts: 490
Joined: 2013-12-20 15:25
Location: In a systemd free distro
