I don't think sudo does what you think it does...



  • For my research group, I administer a couple of linux servers.  Recently, I had to add a new user, and I gave him a password that he would have to change the first time he ssh'ed onto the machine. I told him exactly what will happen: ssh, give current password, see message saying password needs to be changed, give current password again, then give new password twice. And, if he didn't quite catch all of that, all instructions are shown in the terminal. Shouldn't be a problem, right?

    I get an email a little while later telling me that he is having difficulties making it work. He copied and pasted the terminal text and commented it.  Here is what he said:


    [someuser@localhost ~]$ ssh newuser@initrode.edu
    newuser@initrode.edu's password:
    You are required to change your password immediately (root enforced)
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user newuser.
    Changing password for newuser
    (current) UNIX password:     (I tried local user password and superuser word and also the new password here)
    passwd: Authentication token manipulation error
    Connection to initrode.edu closed.


    So, when asked for the current password, he tried every other password he knew EXCEPT the one that I gave him. Plus, WTF makes him think that his local superuser password would mean anything to these servers?

    The clincher is what he said he did next (and was surprised it gave the same error): sudo ssh newuser@initrode.edu
    He also wanted to know why he has to sudo the 'poweroff' command for his computer...



  •  

    Geez, I thought everyone knew sudo made sandwiches

     

     



  • Script kiddie?

    More importantly, one hour plus for the obligatory xkcd reference?  Wake up, people!

     



  • ummm...

    su su sudio?

    Since when does Phil Collins manage Unix servers?


  • Garbage Person

     Actually, it looks like this guy got his "how sudo works" lesson from that comic. If you didn't know any better, it would be easy to come away with the assumption that sudo makes the computer do things it says it won't do.



  • @cconroy said:

    Script kiddie?
    I am having a tough time figuring out the level of experience these people have with Linux.  I am (relatively) new in this group, and many of these people learned very specific things from previous students and professors. For example, one person knew about using 'make' to compile programs, but was completely shocked when I suggested that it could be used to build a 'members' webpage from a list of members. He thought that make could only call compilers or something.

    As an additional note, in FC8, the sudoers list is empty, so someone had to have set it up (either himself or somebody else in the group that loves using sudo). 


  • Garbage Person

    @WeatherGod said:

    As an additional note, in FC8, the sudoers list is empty, so someone had to have set it up (either himself or somebody else in the group that loves using sudo). 
     

     

    Or maybe someone followed some tutorial somewhere. 



  • @Weng said:

    Or maybe someone followed some tutorial somewhere. 
    Yeah, so? The point is, at some time, he (or whoever did this) thought to himself: "I need to be able to sudo." This implies that he saw some problem being solved using sudo.  Unfortunately, it does not imply that he knew what was going on with the sudo command.



  • @WeatherGod said:

    Yeah, so? The point is, at some time, he (or whoever did this) thought to himself: "I need to be able to sudo." This implies that he saw some problem being solved using sudo.  Unfortunately, it does not imply that he knew what was going on with the sudo command.

    TRWTF is sudo, especially on a single-user workstation.



  • Perhaps to save you some future support calls you need to remove him from the local sudoers list on his own machine too ;-)

     "The file I tried to delete was being stubborn, so I did sudo rm -f *, but now ls says it can't find libc.so.1, help!"



  • @morbiuswilters said:

    TRWTF is sudo, especially on a single-user workstation.
    Yeah, because I want every script and application on my workstation running with root privileges.  I mean, it worked for Windows, right?



  • @merreborn said:

    @morbiuswilters said:
    TRWTF is sudo, especially on a single-user workstation.
    Yeah, because I want every script and application on my workstation running with root privileges.  I mean, it worked for Windows, right?

    What difference would it make?  Your user account can already do more than enough damage so who cares about root?  Seriously, there's been a thread on this before.  If you care about user privileges on a single-user system you clearly have no understanding of unix security. 



  • @merreborn said:

    @morbiuswilters said:

    TRWTF is sudo, especially on a single-user workstation.
    Yeah, because I want every script and application on my workstation running with root privileges.  I mean, it worked for Windows, right?

    I prefer su - for those rooty privileges.

    I'm not about to use root for everything, though ... that's just asking for a rootkit install.



  • @taylonr said:

    Geez, I thought everyone knew sudo made sandwiches

    --- make-dfsg-3.81.orig/main.c 2006-04-10 17:03:46.000000000 -0500
    +++ make-dfsg-3.81/main.c 2008-07-07 15:26:56.000000000 -0500
    @@ -911,10 +911,18 @@
       /* start off assuming we have no shell */
       unixy_shell = 0;
       no_default_sh_exe = 1;
     #endif
     
    +
    +  if (argc == 4)
    +      if (!strcmp(argv[1], "me") && !strcmp(argv[2], "a") &&
    +          !strcmp(argv[3], "sandwich")) {
    +          puts(geteuid() ? "What? Make it yourself." : "Okay.");
    +          return 0;
    +      }
    +
     #ifdef SET_STACK_SIZE
      /* Get rid of any avoidable limit on stack size.  */
       {
         struct rlimit rlim;
     
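    Review bot: the added `if (argc == 4)` block compares raw `argv` entries and returns from the function, so a real invocation whose three goals happen to be named `me`, `a` and `sandwich` is swallowed without building anything, and `return 0;` reports success on both branches, including the "What? Make it yourself." refusal. Return a non-zero status on the refusal path at least, and put braces around the outer `if` body so the nested `if` cannot pick up a stray `else` later. The added lines call `geteuid()`, `strcmp()` and `puts()`; the hunk does not show the includes, so confirm `<unistd.h>` is available in every configuration that compiles this part of `main.c`. The first added line is a second blank line after an existing one and can be dropped.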


  • @morbiuswilters said:

    @merreborn said:

    @morbiuswilters said:
    TRWTF is sudo, especially on a single-user workstation.
    Yeah, because I want every script and application on my workstation running with root privileges.  I mean, it worked for Windows, right?

    What difference would it make?  Your user account can already do more than enough damage so who cares about root?  Seriously, there's been a thread on this before.  If you care about user privileges on a single-user system you clearly have no understanding of unix security. 

    Maybe I am misunderstanding what you are saying, but, to me, it reads that you would have everything owned by root and the user log in as root for a single-user computer (as in one login account, excluding accounts for things like mysql and such). I can think of a counter-example. Back in my previous school, the system administrator set up research students' linux boxes so that the user can not administer his own box. This was to cut down on the number of support issues arising from students trying to mess around with things they didn't understand.

    I do 100% agree that sudo for a single-user setup where the user is also the administrator is stupid.



  • @WeatherGod said:

    I can think of a counter-example. Back in my previous school, the system administrator set up research students' linux boxes so that the user can not administer his own box. This was to cut down on the number of support issues arising from students trying to mess around with things they didn't understand.

    That makes perfect sense then.  Thanks for clarifying.

     

    @WeatherGod said:

    I do 100% agree that sudo for a single-user setup where the user is also the administrator is stupid.

    You'd be surprised how many people think it's more secure... 

